threepointone / glamor

inline css for react et al
MIT License

FBJS library causing vulnerability #397

Open bar350 opened 2 years ago

bar350 commented 2 years ago

The pinned version of the FBJS library includes a version of isomorphic-fetch which has a dependency on node-fetch, which is now vulnerable. Please move the pinned version of fbjs to a greater version.

Please pin fbjs to a more recent release.

JeffMII commented 2 years ago

It's not fbjs that's the problem. The problem is that glamor hasn't been updated in 5 years, so it uses an old, deprecated version of fbjs that uses an old, insecure version of node-fetch, and on top of that it uses core-js@1.2.7, which is ancient at this point and has a serious flaw that can cause random slowdowns by a factor of 100 according to npm. It seems there are still a lot of people using this package. I don't understand why it hasn't been updated in so long. In order to fix these issues, someone would have to update the package. There are 230 forks. Maybe someone has an updated version.
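An added example (not code from the glamor project or from anyone in this thread) that shows why a nested transitive dependency like the one described above is easy to miss: it walks a constructed `package-lock.json` (lockfileVersion 1, nested `dependencies` tree) and lists every installed copy of a package with the path it sits under, so an old copy nested beneath glamor > fbjs > isomorphic-fetch shows up separately from a newer top-level copy. All version strings except core-js@1.2.7 are placeholders, not real release numbers.

```python
import json

# Constructed lockfile fragment mirroring the chain named in the issue:
# glamor -> fbjs -> isomorphic-fetch -> node-fetch (plus fbjs -> core-js).
# Versions marked "placeholder" are invented for the example.
CONSTRUCTED_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "glamor": {
      "version": "0.0.0-placeholder",
      "requires": {"fbjs": "*"},
      "dependencies": {
        "fbjs": {
          "version": "0.0.0-placeholder",
          "requires": {"core-js": "1.2.7", "isomorphic-fetch": "*"},
          "dependencies": {
            "core-js": {"version": "1.2.7"},
            "isomorphic-fetch": {
              "version": "0.0.0-placeholder",
              "requires": {"node-fetch": "*"},
              "dependencies": {
                "node-fetch": {"version": "0.0.0-placeholder-old"}
              }
            }
          }
        }
      }
    },
    "node-fetch": {"version": "0.0.0-placeholder-new"}
  }
}
""")


def find_paths(lock, target, node=None, path=()):
    """Return every install path (tuple of 'name@version') ending in `target`.

    Each nested "dependencies" level is a package's own node_modules, so the
    tuple tells you which packages are responsible for that copy being present.
    """
    node = lock if node is None else node
    found = []
    for name, meta in node.get("dependencies", {}).items():
        here = path + (f"{name}@{meta.get('version', '?')}",)
        if name == target:
            found.append(here)          # record this copy, then keep descending
        found.extend(find_paths(lock, target, meta, here))
    return found


if __name__ == "__main__":
    for pkg in ("node-fetch", "core-js"):
        for p in find_paths(CONSTRUCTED_LOCK, pkg):
            print(f"{p[-1]:30} via {' > '.join(p[:-1]) or '(top level)'}")
```

Upgrading the top-level copy leaves the nested one in place; only a newer glamor/fbjs (or an override of the nested range) removes the old copy from the tree.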