theKashey
commented
1 year ago Are the security warnings related to the dependencies in react-focus-lock a concern?
I am not sure what do you call "security", but no, there is none
Have you addressed any known security issues in the forks of the other libraries that are included as dependencies?
No issues have been ever reported. I cannot address what does not exists? Also please note an important moment - these are not "forks of the other libraries" - these are feature-complete libraries with no reason to change.
Are there any steps I can take to mitigate any potential security risks?
I don't know any
Is there any other information you can provide that would be helpful in addressing these warnings?
I can understand how "unmaintained" library might become a problem, but I really don't have anything to change in these libraries and release new versions.
georgewrmarshall
Issue Summary
I'm seeing some security warnings related to dependencies in
react-focus-lock. Specifically, I'm seeing warnings from Socket Dev about dependencies that haven't been maintained in over a year. The dependencies in question are forks from other libraries that you authored. I wanted to reach out and get your thoughts on whether this is an issue and whether there are any steps I can take to address the warnings.Details
https://github.com/MetaMask/metamask-extension/pull/18979#issuecomment-1532501226
react-focus-lockversion:^2.9.4detect-node: Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.use-callback-ref: Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.use-sidecar: Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.Questions
react-focus-locka concern?Thanks
Thank you for your help and for creating such a useful library!