gilbarbara / react-floater

Advanced tooltips for React
https://codesandbox.io/s/github/gilbarbara/react-floater/tree/main/demo
MIT License
220 stars 37 forks

nested-property is out of date and contains a bug #79

Closed mankittens closed 2 years ago

mankittens commented 3 years ago

🐛 Bug Report

This package currently uses tree-changes@^0.5.1 which uses nested-property@1.0.1 which contains a const declaration in the dist js file. This produces syntax errors when deploying code to any browser that does not support the const syntax.

To Reproduce

Add react-floater@^0.7.2 to a project and try to run in IE10.

Expected behavior

No syntax errors.

Suggest updating to tree-changes@^0.6.1.

gilbarbara commented 3 years ago

It will be fixed in https://github.com/gilbarbara/react-floater/pull/78

aarjithn commented 3 years ago

Hi @gilbarbara, nested-property@1.0.1 (via the tree-changes@^0.5.1 dependency) is reported to have a security vulnerability as well: https://snyk.io/test/npm/react-floater/0.7.2

It would be great if we can get #78 merged. Thank you!

igloude commented 3 years ago

Any progress on this @gilbarbara? We'd love to see #78 merged as well.

zckoh commented 3 years ago

@gilbarbara Would be great if you can merge #78 and release 0.8.0 to fix the above issue. Thank you very much!

trmpowell commented 3 years ago

In addition to the reported bug, there is a prototype pollution vulnerability in this package from tree-changes@0.5.1:

✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-NESTEDPROPERTY-1022154] in nested-property@1.0.1
    introduced by react-floater@0.7.3 > tree-changes@0.5.1 > nested-property@1.0.1
  This issue was fixed in versions: 3.0.0

Looks like the latest version of tree-changes no longer depends on nested-property.

It would be good to get #78 merged so other packages using react-floater can update and get this vulnerability fixed.

gilbarbara commented 3 years ago

Can you please try react-floater@next and report?

l1000074 commented 2 years ago

Does #78 have a release date?

gilbarbara commented 2 years ago

@l1000074 Did you try the next package?

l1000074 commented 2 years ago

Hi, I have a problem with vulnerabilities in this package. I use react-joyride, which uses react-floater ^0.7.3, which uses nested-property 1.0.1. I have installed this next version; however, Veracode alerts on this vulnerability. Maybe I need react-joyride with this new version.


aarjithn commented 2 years ago

Hi @l1000074, if you are using yarn, maybe you can set a yarn resolution to the next version.

gilbarbara commented 2 years ago

Fixed in 0.8.0