futil-js / contexture-react

React components for building contexture interfaces
https://smartprocure.github.io/contexture-react
MIT License

a vulnerability CVE-2020-15168 is introduced in contexture-react #516

Open ayaka-kms opened 3 years ago

ayaka-kms commented 3 years ago

Hi, @daedalus28, a vulnerability, CVE-2020-15168, is introduced in contexture-react via:

  ● contexture-react@2.47.0 ➔ recompose@0.30.0 ➔ fbjs@0.8.17 ➔ isomorphic-fetch@2.2.1 ➔ node-fetch@1.7.3

recompose is a legacy package. It has not been maintained for about 3 years and is not likely to be updated. Is it possible to migrate from recompose to another package to remediate this vulnerability?

I noticed several migration records for recompose in other js repos, such as

  1. in react-dnd, version 7.4.1 ➔ 7.4.2, remove recompose via commit
  2. in @nivo/legends, version 0.67.0 ➔ 0.68.0, remove recompose via commit

Are there any efforts planned that would remediate this vulnerability or migrate recompose?

Thanks ; )
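The report above names one dependency chain; a maintainer triaging it usually wants to know every chain that reaches the flagged package and which of the versions reached are actually below the fix. The following is an added example, not code from the contexture-react project, from recompose or from npm: it walks a flattened dependency graph and reports all paths from a root package to a named package. The graph is constructed by hand from the chain quoted in the issue (the `other-dep` entries and the `node-fetch@2.6.1` hop are placeholders I added to show two versions of the same package side by side); it is not parsed from a real package-lock.json. The patched-version threshold is an input you take from the advisory; 2.6.1 is used here only for illustration.

```javascript
// Added example, not code from contexture-react, recompose or npm.
// Finds every dependency chain from a root package to a named package in a
// flattened "id -> [dependency ids]" graph, so you can see how a transitively
// vulnerable package is actually reached and which reached versions matter.
// The graph is CONSTRUCTED by hand from the chain quoted in the issue;
// "other-dep" and the second node-fetch version are placeholders.
const constructedGraph = {
  "contexture-react@2.47.0": ["recompose@0.30.0", "other-dep@1.0.0"],
  "recompose@0.30.0": ["fbjs@0.8.17"],
  "fbjs@0.8.17": ["isomorphic-fetch@2.2.1", "other-dep@1.0.0"],
  "isomorphic-fetch@2.2.1": ["node-fetch@1.7.3"],
  "node-fetch@1.7.3": [],
  "other-dep@1.0.0": ["node-fetch@2.6.1"],
  "node-fetch@2.6.1": [],
};

// Split "name@version" into its parts. Scoped packages ("@nivo/legends@0.68.0")
// start with "@", so split on the LAST "@".
function splitId(id) {
  const at = id.lastIndexOf("@");
  return { name: id.slice(0, at), version: id.slice(at + 1) };
}

// Numeric comparison of "x.y.z" versions; returns <0, 0 or >0 like strcmp.
// Pre-release suffixes are dropped, which is sufficient for this audit.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first search for all simple paths from rootId to any package whose
// name is targetName. The current path doubles as the cycle guard.
function findPaths(graph, rootId, targetName) {
  const results = [];
  function walk(id, path) {
    if (path.includes(id)) return; // cycle guard
    const next = [...path, id];
    if (splitId(id).name === targetName) {
      results.push(next);
      return;
    }
    for (const dep of graph[id] || []) walk(dep, next);
  }
  walk(rootId, []);
  return results;
}

// Report every path to targetName and the subset whose reached version is
// older than patchedVersion (a value you take from the advisory).
function auditTransitiveDependency(graph, rootId, targetName, patchedVersion) {
  const paths = findPaths(graph, rootId, targetName);
  const affected = paths.filter(
    (p) => compareVersions(splitId(p[p.length - 1]).version, patchedVersion) < 0
  );
  return { paths, affected };
}

// Assumed threshold for illustration only; confirm against the CVE-2020-15168
// advisory before relying on it.
const report = auditTransitiveDependency(
  constructedGraph, "contexture-react@2.47.0", "node-fetch", "2.6.1"
);
for (const p of report.paths) console.log("path:", p.join(" -> "));
for (const p of report.affected) console.log("below patched version:", p.join(" -> "));
```

With the constructed graph the audit finds three paths to node-fetch but flags only the one ending in node-fetch@1.7.3; the two that end in node-fetch@2.6.1 are reported as reached but not affected. To use this on a real project, build the `id -> [dependency ids]` map from your lockfile or from `npm ls --all --json` output rather than typing it in.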

daedalus28 commented 3 years ago

Thanks for the contribution here!

Our use of recompose is limited to defaultProps and setDisplayName, neither of which uses node-fetch internally, so I don't think we're affected by this vulnerability. With that said, we'd be open to a PR that replaces these with a non-legacy package.

@stellarhoof might have some thoughts here as I think we dealt with this on another project (spark).

stellarhoof commented 3 years ago

Yeah node-fetch is not used by us, although it's a transitive dependency. defaultProps and setDisplayName are trivial enough that we could simply have our wrappers and not depend on recompose, but this is likely to be very low priority.
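Both maintainers say the two recompose helpers in use are trivial enough to replace with local wrappers. The following is an added example, not contexture-react's or recompose's code, of what such wrappers look like: `setDisplayName`, `defaultProps` and a `compose` helper with the same call shapes as recompose's, so call sites do not change, plus a small check that the resulting component carries the statics React reads. `Picker` is a placeholder component I made up for the demonstration.

```javascript
// Added example, not code from contexture-react or recompose. Local
// replacements for the two recompose helpers the maintainers say they use,
// so recompose (and with it fbjs -> isomorphic-fetch -> node-fetch) can be
// dropped from the dependency tree. Names mirror recompose's API; the
// implementation is my own.

// Right-to-left function composition, the same shape as recompose's
// `compose`, so existing `compose(...)(Component)` calls keep working.
const compose = (...hocs) => (Component) =>
  hocs.reduceRight((acc, hoc) => hoc(acc), Component);

// Set a static on the component in place and return it. This mutates the
// component you pass in, so apply it to components you own.
const setStatic = (key, value) => (Component) => {
  Component[key] = value;
  return Component;
};

const setDisplayName = (name) => setStatic("displayName", name);

// Merge new defaults over any the component already declares. Because
// `compose` applies right to left, the leftmost (outermost) defaultProps in
// a chain runs last and therefore wins. The component is returned unchanged
// otherwise; React applies defaultProps itself, and only for props that are
// `undefined` (an explicit `null` is kept).
const defaultProps = (defaults) => (Component) => {
  Component.defaultProps = { ...(Component.defaultProps || {}), ...defaults };
  return Component;
};

// Migration check usable without React: does the component carry the
// statics React will read? Returns the list of problems (empty = OK).
function checkStatics(Component, expectedName, expectedDefaults) {
  const problems = [];
  if (Component.displayName !== expectedName) problems.push("displayName");
  for (const [key, value] of Object.entries(expectedDefaults)) {
    if (!Component.defaultProps || Component.defaultProps[key] !== value) {
      problems.push(`defaultProps.${key}`);
    }
  }
  return problems;
}

// Placeholder component (constructed for this example; no React needed to
// exercise the statics).
function Picker(props) {
  return null;
}

const ConfiguredPicker = compose(
  setDisplayName("Picker"),
  defaultProps({ size: 10, open: false })
)(Picker);

console.log(checkStatics(ConfiguredPicker, "Picker", { size: 10, open: false }));
```

Two caveats when swapping these in for recompose: first, recompose's `defaultProps` returns a new wrapping component rather than mutating the one passed in, so if a component is imported and decorated in more than one place, the in-place version above will let the decorations leak between call sites; second, newer React releases warn about `defaultProps` on function components, so for those the longer-term replacement is default values in the props destructuring rather than any HOC at all.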