This repository has been archived by the owner on Sep 10, 2022. It is now read-only.

fbjs dependency still present in lock file #825

Open
mmarchett opened this issue Feb 2, 2021 · 3 comments

Comments

@mmarchett

When I install recompose, it keeps downloading as a dependency fbjs, which in turn brings as a dependency ua-parser-js, which has a Prototype Pollution vulnerability.

@DanielRuf

It's because the code on npmjs is different compared to the current code in the repo, which is not released.

https://github.com/acdlite/recompose/blob/master/src/packages/recompose/package.json

@bdombro

bdombro commented Oct 22, 2021

I found another public npm fork of this project which has been patched: https://www.npmjs.com/package/@shakacode/recompose

@joelzimmer

Bump on this - ua-parser-js has a critical vulnerability, it would be great to not have to worry about that coming in.
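
Added example, not part of the original thread or of the recompose project: a Node.js script that walks a lock file in the lockfileVersion 2/3 `packages` layout and reports which chain of packages brings in `ua-parser-js`, matching the recompose, fbjs, ua-parser-js chain reported above. The sample lock file, its version numbers, the `other` package and the function names are constructed for illustration.

```javascript
// Constructed sample in the lockfileVersion 2/3 "packages" layout.
// Versions and the "other" package are placeholders, not values from the issue.
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "app", dependencies: { recompose: "*", other: "*" } },
  "node_modules/recompose": { version: "0.0.1", dependencies: { fbjs: "*" } },
  "node_modules/fbjs": { version: "0.0.2", dependencies: { "ua-parser-js": "*" } },
  "node_modules/ua-parser-js": { version: "0.0.3" },
  "node_modules/other": { version: "0.0.4", dependencies: { "ua-parser-js": "*" } },
  "node_modules/other/node_modules/ua-parser-js": { version: "0.0.5" },
} };

// Resolve a dependency the way Node does: the requiring package's own
// node_modules first, then each ancestor's, ending at the top level.
function resolve(packages, fromKey, name) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Package name from a lock file key ("node_modules/".length === 13).
const nameOf = (key) => key.slice(key.lastIndexOf("node_modules/") + 13);

// Breadth-first walk from the root project. Returns one shortest chain
// (the root's direct dependency first) per installed copy of `target`.
function whyInstalled(lock, target) {
  const packages = lock.packages || {};
  if (!("" in packages)) return [];
  const parent = new Map([["", null]]), queue = [""];
  while (queue.length) {
    const key = queue.shift(), pkg = packages[key];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...pkg.devDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolve(packages, key, name);
      if (next && !parent.has(next)) { parent.set(next, key); queue.push(next); }
    }
  }
  const chains = [];
  for (const key of parent.keys()) {
    if (key === "" || nameOf(key) !== target) continue;
    const chain = [];
    for (let k = key; k; k = parent.get(k)) chain.unshift(nameOf(k) + "@" + packages[k].version);
    chains.push(chain);
  }
  return chains;
}
console.log(whyInstalled(sampleLock, "ua-parser-js").map((c) => c.join(" > ")).join("\n"));
```

To check a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. Lock files in the older version 1 layout have no `packages` map and yield an empty result.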
