ryandrewjohnson / react-localize-redux

Dead simple localization for your React components
https://ryandrewjohnson.github.io/react-localize-redux-docs/
MIT License
374 stars, 88 forks

Denial of Service Node Fetch #209

Closed erwanriou closed 1 year ago

erwanriou commented 4 years ago

Hello,

Just to inform you that we currently have a small issue in one of the dependencies: https://npmjs.com/advisories/1556

s100 commented 3 years ago

That advisory comes from node-fetch, which is used by isomorphic-fetch, which is used by fbjs, which is used by create-react-context@0.2.3, which is used by react-localize-redux. create-react-context stopped using fbjs entirely in create-react-context@0.3.0, which was released several years ago. So, all react-localize-redux needs to do is upgrade to create-react-context@0.3.0.

There is a PR open to do this but despite being essentially a one-line change it has been open since November 2020 with no activity. And there has not been a new release of react-localize-redux for more than two years.

In other words it doesn't look like this is going to be fixed. Our options are to either manually ignore the advisory or stop using react-localize-redux.
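The dependency chain s100 traces above (react-localize-redux > create-react-context@0.2.3 > fbjs > isomorphic-fetch > node-fetch) is the kind of thing a consumer of the package wants to verify for themselves before deciding whether to ignore the advisory. The following is an added example, not code from this thread or from the react-localize-redux project: it walks a hand-built, `npm ls --json`-style dependency graph, lists every path that reaches the advised package, and reports which link on that path is below the version that carries the fix. The graph is constructed to mirror the chain described in the thread; every version other than create-react-context 0.2.3 and the 0.3.0 fix version is a placeholder, and the function names are this example's own.

```javascript
// Added example (not from the issue thread or the react-localize-redux project).
// A constructed dependency graph in roughly the shape `npm ls --json` prints:
// { name, version, dependencies: { <name>: { version, dependencies } } }.
// Only create-react-context@0.2.3 and the 0.3.0 fix version come from the
// thread; every other version below is a placeholder, not real data.
const CONSTRUCTED_TREE = {
  name: 'my-app',
  version: '0.0.0',
  dependencies: {
    'react-localize-redux': {
      version: 'x.y.z', // placeholder
      dependencies: {
        'create-react-context': {
          version: '0.2.3', // version named in the thread; fixed in 0.3.0
          dependencies: {
            fbjs: {
              version: 'x.y.z', // placeholder
              dependencies: {
                'isomorphic-fetch': {
                  version: 'x.y.z', // placeholder
                  dependencies: {
                    'node-fetch': { version: 'x.y.z', dependencies: {} }, // placeholder
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk. Returns every root-to-package path (as "name@version"
// strings) that ends at `target`, so a package pulled in via several routes
// shows up once per route.
function findPaths(node, target, path = []) {
  const results = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === target) results.push(here);
    results.push(...findPaths(dep, target, here));
  }
  return results;
}

// Minimal numeric semver comparison (major.minor.patch only; non-numeric
// placeholders compare as 0). True when `a` is strictly older than `b`.
function semverLess(a, b) {
  const parse = (v) => v.split('.').map((n) => Number(n) || 0);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Split "name@version" on the LAST '@' so scoped names like "@scope/pkg@1.0.0"
// are handled correctly.
function splitEntry(entry) {
  const at = entry.lastIndexOf('@');
  return { name: entry.slice(0, at), version: entry.slice(at + 1) };
}

// On one path, find the link that is the package carrying the fix and is
// still below the fixed version; null when that package is absent or current.
function outdatedLink(path, fixPkg, fixedIn) {
  for (const entry of path) {
    const { name, version } = splitEntry(entry);
    if (name === fixPkg && semverLess(version, fixedIn)) return entry;
  }
  return null;
}

// Audit: for each path reaching `target`, report the chain and the link that
// needs upgrading to `fixPkg@fixedIn` (or null if nothing on it is outdated).
function audit(tree, target, fixPkg, fixedIn) {
  return findPaths(tree, target).map((p) => ({
    chain: p.join(' > '),
    outdated: outdatedLink(p, fixPkg, fixedIn),
  }));
}

// Run against the constructed tree: one chain, outdated at create-react-context@0.2.3.
for (const r of audit(CONSTRUCTED_TREE, 'node-fetch', 'create-react-context', '0.3.0')) {
  console.log(r.chain);
  console.log(r.outdated ? `  upgrade needed: ${r.outdated}` : '  no outdated link');
}
```

On a real checkout the same chain is visible with `npm ls node-fetch`, and the walk above is what you would run over `npm ls --json` output to check whether any route to the advised package still passes through a create-react-context older than 0.3.0.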