ioof-holdings / redux-subspace

Build decoupled, componentized Redux apps with a single global store
https://ioof-holdings.github.io/redux-subspace/
BSD 3-Clause "New" or "Revised" License
312 stars, 33 forks

react-redux-subspace npm audit denial-of-service vulnerability in recompose/node-fetch #508

Closed Byron-Wall closed 3 years ago

Byron-Wall commented 3 years ago

NPM security audit has flagged react-redux-subspace as having a denial-of-service vulnerability in its recompose dependency:

$ npm audit
=== npm audit security report ===

Low            Denial of Service
Package        node-fetch
Patched in     >=2.6.1 <3.0.0-beta.1 || >=3.0.0-beta.9
Dependency of  react-redux-subspace
Path           react-redux-subspace > recompose > fbjs > isomorphic-fetch > node-fetch
More info      https://npmjs.com/advisories/1556

It appears that 'react-redux-subspace' is using recompose's 'wrapDisplayName' function as its only dependency. Since it does not look like recompose is currently being maintained, it looks as though 'wrapDisplayName' could be refactored into a hook/helper function, which would remove the need for recompose to be used as a dependency.

i.e. (quickly off the top of my head):

// Drop-in replacement for recompose's wrapDisplayName: builds "Wrapper(Inner)".
// The falsy check comes first; in the original ordering a missing component
// reached WrappedComponent.displayName and threw a TypeError instead of
// returning undefined.
const createDisplaynameForWrappedComponent = (wrapperName, WrappedComponent) => {
    if (!WrappedComponent) {
        return undefined
    } else if (typeof WrappedComponent === "string") {
        // host components such as "div" are passed as plain strings
        return `${wrapperName}(${WrappedComponent})`
    } else if (WrappedComponent.displayName) {
        return `${wrapperName}(${WrappedComponent.displayName})`
    } else if (WrappedComponent.name) {
        // function or class name
        return `${wrapperName}(${WrappedComponent.name})`
    } else {
        // anonymous component
        return `${wrapperName}(Component)`
    }
}
mpeyper commented 3 years ago

Happy to see a PR to remove the dependency.
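The advisory above is reachable only through the chain react-redux-subspace > recompose > fbjs > isomorphic-fetch > node-fetch, which is why dropping recompose fixes it. The following is an added example, not code from this issue or from the redux-subspace project, that makes that check reproducible: it walks a package-lock.json (lockfileVersion 1) from an app's direct dependencies to a flagged package, reports every path, tests the installed version against the advisory's "patched in" ranges, and then re-runs the walk with recompose removed. It generalises beyond this one chain (any lockfile, any target package, any simple "patched in" range). The lockfile object is constructed inline to mirror the path npm audit printed; the package versions in it are placeholders except node-fetch 2.6.0, chosen because the advisory quoted above says versions below 2.6.1 are unpatched. The range evaluator is a plain interval check and deliberately skips node-semver's prerelease-tag matching rule.

```javascript
// Added example (not from the issue or from redux-subspace). Assumes a hoisted
// lockfileVersion 1 layout: entries under lock.dependencies with `requires`
// maps, and optional nested `dependencies` for non-hoisted copies.

// "Patched in" range copied verbatim from the npm audit output in the issue.
const PATCHED_IN = ">=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9";

// Constructed lockfile mirroring the reported path. Versions other than
// node-fetch's are placeholders; only the target's version is examined.
const lockfile = {
  lockfileVersion: 1,
  dependencies: {
    "react-redux-subspace": { version: "0.0.0", requires: { recompose: "*" } },
    recompose:              { version: "0.0.0", requires: { fbjs: "*" } },
    fbjs:                   { version: "0.0.0", requires: { "isomorphic-fetch": "*" } },
    "isomorphic-fetch":     { version: "0.0.0", requires: { "node-fetch": "*" } },
    "node-fetch":           { version: "2.6.0", requires: {} }
  }
};
const directDependencies = ["react-redux-subspace"]; // hypothetical app's package.json deps

// Minimal semver parse: MAJOR.MINOR.PATCH[-prerelease][+build]; build metadata ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// Negative / zero / positive. A release sorts above a prerelease of the same
// core (3.0.0 > 3.0.0-beta.9); numeric prerelease identifiers compare numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (xn) return -1;         // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Evaluates "patched in" ranges: alternatives separated by || are OR-ed,
// whitespace-separated comparators inside one alternative are AND-ed.
function satisfiesRange(version, range) {
  const normalised = range.replace(/(>=|<=|>|<|=)\s+/g, "$1"); // tolerate ">= 3.0.0"
  return normalised.split("||").some(alt =>
    alt.trim().split(/\s+/).filter(Boolean).every(comparator => {
      const m = /^(>=|<=|>|<|=?)(.+)$/.exec(comparator);
      if (!m) throw new Error(`unparseable comparator: ${comparator}`);
      const c = compareVersions(version, m[2]);
      switch (m[1]) {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">":  return c > 0;
        case "<":  return c < 0;
        default:   return c === 0;
      }
    }));
}

// Resolve the way npm does: a nested copy under the parent wins over the hoisted one.
function resolveEntry(lock, name, parentEntry) {
  return (parentEntry && parentEntry.dependencies && parentEntry.dependencies[name])
      || lock.dependencies[name] || null;
}

// Depth-first walk from each direct dependency collecting every path to `target`.
// The current path doubles as the visited set so dependency cycles terminate.
function findPaths(lock, directDeps, target) {
  const found = [];
  const walk = (name, entry, path) => {
    const here = [...path, name];
    if (name === target) { found.push({ path: here, version: entry.version }); return; }
    for (const child of Object.keys(entry.requires || {})) {
      if (here.includes(child)) continue;
      const childEntry = resolveEntry(lock, child, entry);
      if (childEntry) walk(child, childEntry, here);
    }
  };
  for (const dep of directDeps) {
    const entry = resolveEntry(lock, dep, null);
    if (entry) walk(dep, entry, []);
  }
  return found;
}

// One record per path: the chain npm audit would print plus the patched verdict.
function auditPackage(lock, directDeps, target, patchedIn) {
  return findPaths(lock, directDeps, target).map(p => ({
    path: p.path.join(" > "),
    version: p.version,
    patched: satisfiesRange(p.version, patchedIn)
  }));
}

// Simulates the proposed fix: remove `dropped` from `pkg`'s requires and re-audit.
function withoutDependency(lock, pkg, dropped) {
  const copy = JSON.parse(JSON.stringify(lock));
  delete copy.dependencies[pkg].requires[dropped];
  return copy;
}

const before = auditPackage(lockfile, directDependencies, "node-fetch", PATCHED_IN);
const after = auditPackage(withoutDependency(lockfile, "react-redux-subspace", "recompose"),
                           directDependencies, "node-fetch", PATCHED_IN);
console.log(before); // one unpatched path, the same chain the audit report shows
console.log(after);  // [] : node-fetch is no longer reachable once recompose is gone
```

Against a real project, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and the `dependencies` list from `package.json` in place of the constructed objects; `npm ls node-fetch` gives the same path from npm itself and is the quickest cross-check that the walk is reading the lockfile correctly.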