This repository has been archived by the owner on Sep 10, 2022. It is now read-only.

node-fetch vulnerability issue (denial of service) #817

Open
GuillaumeCisco opened this issue Sep 16, 2020 · 8 comments

Comments

@GuillaumeCisco

I'm using recompose which is great! And in my opinion far more useful than hooks (sorry about that).

Lastly, snyk reported that recompose has one of its dependencies as vulnerable:
recompose@0.30.0 › fbjs@0.8.17 › isomorphic-fetch@2.2.1 › node-fetch@1.7.3

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

https://app.snyk.io/vuln/SNYK-JS-NODEFETCH-674311

What should we do to address this issue?
I see no occurrences of fbjs@0.8.17 in the package.json :/
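As an added example that is not part of the original issue: a small Node.js script that walks a v1-format package-lock.json (the nested `dependencies` tree) and reports every install path to a named package, which is why node-fetch is present through recompose › fbjs › isomorphic-fetch even though fbjs never appears in package.json. The `LOCK` object is constructed to mirror the chain Snyk reported; the fixed-version threshold passed to `vulnerablePaths` is an argument the reader takes from the advisory, not a value stated here.

```javascript
// Added example, not from this thread: walk an npm v1-style package-lock.json (nested
// "dependencies" objects record the install tree) and list every path to a target package.
// LOCK is constructed to mirror the dependency chain Snyk reported in the issue above.
const LOCK = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    react: { version: "16.13.1" }, // constructed: unrelated package, must be skipped
    recompose: {
      version: "0.30.0",
      dependencies: {
        fbjs: {
          version: "0.8.17",
          dependencies: {
            "isomorphic-fetch": {
              version: "2.2.1",
              dependencies: { "node-fetch": { version: "1.7.3" } },
            },
          },
        },
      },
    },
  },
};
// Depth-first walk; each hit records the full install path down to the target package.
function findPaths(lock, target) {
  const hits = [];
  (function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(`${name}@${info.version}`);
      if (name === target) hits.push({ path: here.join(" › "), version: info.version });
      walk(info.dependencies, here); // recurse into nested (non-hoisted) installs
    }
  })(lock.dependencies, []);
  return hits;
}
// Dotted numeric version comparison (no pre-release tags): true when a < b.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}
// Hits installed below fixedVersion; the caller supplies that value from the advisory.
function vulnerablePaths(lock, target, fixedVersion) {
  return findPaths(lock, target).filter((h) => versionLessThan(h.version, fixedVersion));
}
```

Run it against a real lock file by replacing `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfileVersion 2 and 3 files use a flat `packages` map instead and need a different walk.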

@ridesz

ridesz commented Sep 16, 2020

Hi, as I can see there was a commit to remove the fbjs related stuff: 68c560b

But the latest version (v0.30.0) was released before the fbjs removal, so I think that a new release could fix this vulnerability. (If a new release is possible.)

@GuillaumeCisco
Author

Thank you @ridesz, yes that would be great!
What do you think @acdlite ?

@GuillaumeCisco
Author

Could we have an update on this? Or should we consider this project dead?

@ishmarwaha

I am looking for a fix as well.

@GuillaumeCisco
Author

This project seems totally dead...
What a pity, it was one of the great projects for react.

Hooks are destroying everything. I will never work with spaghetti code like hooks. This is such a regression, I don't even understand what facebook is doing... Code for kids?

Anyway, I will fork this project and create a new lib for being able to still work with clean and optimised code.

@gjgd

gjgd commented Oct 28, 2020

Would love to have a fix for this as well.

@justin808

If anybody wants to download a version of recompose with the packages updated, see:

https://github.com/shakacode/recompose
https://www.npmjs.com/package/@shakacode/recompose

I just updated the dependencies other than FBJS and FBJS is removed.

emettely pushed a commit to bbc/digital-paper-edit-firebase that referenced this issue Mar 1, 2021
emettely added a commit to bbc/digital-paper-edit-firebase that referenced this issue Mar 2, 2021
* [feat] update export for ADL with form using formik

* [refactor] Resolve some security issues acdlite/recompose#817

* [fix] security issues

* Updating package lock

* [fix] remove babel jest

* Update import to the security fixed recompose

* [fix] unused variables prevents build

* Update functions deps

@vdh

vdh commented Aug 25, 2021

@justin808 The NPM release of @shakacode/recompose seems to be missing a large number of files (e.g. pure.js) that are present in the GitHub sources and the upstream's NPM release, but not in the fork's release 🙁
