CVE-2021-27292: ua-parser-js needs to upgrade to 0.7.24

[Kenzku]

Hej,

Our static code scan reports this vulnerability in ua-parser-js used by flux@4.0.1:

├─┬ flux@4.0.1
  │ ├─┬ fbemitter@3.0.0
  │ │ └── fbjs@3.0.0 deduped
  │ └─┬ fbjs@3.0.0
  │   ├─┬ cross-fetch@3.0.6
  │   │ └── node-fetch@2.6.1
  │   ├── fbjs-css-vars@1.0.2
  │   ├── loose-envify@1.4.0 deduped
  │   ├── object-assign@4.1.1 deduped
  │   ├─┬ promise@7.3.1
  │   │ └── asap@2.0.6
  │   ├── setimmediate@1.0.5
  │   └── ua-parser-js@0.7.23   <----

Is there a change to upgrade the Flux with the fix please?

refs:

• https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-27292
• https://twitter.com/i/web/status/1374458531076657152

[pastak]

fbjs has been released v3.0.1 including to update ua-parser-js and this flux also has merged https://github.com/facebook/flux/pull/539 , updating to fbjs@3.0.1.

So please release and publish next version of flux 🙏

[yangshun]

Done - https://github.com/facebook/flux/releases/tag/4.0.3

[pastak]

Thank you so much for your work 👍

[Kenzku]

thanks 🍡