Security audit fails due to a dependency in recompose #245

Open
SharpCoder opened this issue Jul 1, 2021 · 1 comment

Comments

@SharpCoder

When running a security audit:

npm audit --prod

A low-severity vulnerability is detected due to a dependency on recompose v0.22. The underlying issue is that recompose takes a dependency against fbjs which takes a dependency on an old version of node-fetch.

I poked around the recompose repo and it appears the risky dependency in question was removed in their latest version. If react-infinite-calendar were to upgrade the version of recompose, it would likely fix the vulnerability.

@SharpCoder (Author)

For what it's worth, I don't think v0.30.0 resolves the security vulnerability. There is an actively maintained version of recompose called react-recompose which might do the trick.

That being said, I did find a local workaround. I use pnpm as my package manager, and adding this to my package.json file works to patch the audit.

{
    "pnpm": {
        "overrides": {
            "node-fetch": "^2.6.1"
        }
    }
}
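The chain the issue describes (react-infinite-calendar pulls in recompose, which pulls in fbjs, which pulls in an old node-fetch) and the pnpm override that fixes the audit can be modelled in a few dozen lines. The following is an added example, not code from the issue, from react-infinite-calendar or from pnpm: it builds a constructed dependency graph, emulates the audit's version check against an advisory table, and shows that pinning node-fetch via an `overrides` block removes the finding. The package versions in the graph and the "fixed in 2.6.1" threshold are assumptions for illustration (the threshold is read off the `^2.6.1` override above), not values from a real lockfile or advisory database.

```javascript
// Added example (not from the issue): how a transitive dependency such as
// node-fetch ends up in an audit finding, and how a package-manager override
// (the pnpm "overrides" block from the comment above) resolves it.
// All versions and the advisory range below are constructed for illustration.

// Constructed dependency graph: name -> { version, deps: { name: range } }.
// A real graph would come from a lockfile; only the chain named in the issue
// is modelled here.
const graph = {
  'app':                     { version: '1.0.0',  deps: { 'react-infinite-calendar': '^2.3.1' } },
  'react-infinite-calendar': { version: '2.3.1',  deps: { 'recompose': '^0.22.0' } },
  'recompose':               { version: '0.22.0', deps: { 'fbjs': '^0.8.0' } },
  'fbjs':                    { version: '0.8.17', deps: { 'node-fetch': '^1.0.1' } },
  'node-fetch':              { version: '1.7.3',  deps: {} },
};

// Constructed advisory table: package -> severity and first fixed version.
// "2.6.1" is an assumption taken from the override range in the comment.
const advisories = {
  'node-fetch': { severity: 'low', fixedIn: '2.6.1' },
};

// Strips a leading ^ or ~ and splits "x.y.z" into numbers.
function parseVersion(v) {
  return v.replace(/^[\^~]/, '').split('.').map(Number);
}

// Returns -1, 0 or 1 comparing two x.y.z version strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every dependency path from root to target.
function findPaths(g, root, target) {
  const paths = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return;            // cycle guard
    const next = trail.concat(name);
    if (name === target) { paths.push(next); return; }
    const deps = (g[name] && g[name].deps) || {};
    for (const dep of Object.keys(deps)) walk(dep, next);
  };
  walk(root, []);
  return paths;
}

// Emulates the audit check: an installed version below the fixed version is
// reported, together with the paths that pull it into the tree.
function audit(g, root, advs) {
  const findings = [];
  for (const [pkg, adv] of Object.entries(advs)) {
    const node = g[pkg];
    if (!node) continue;
    if (compareVersions(node.version, adv.fixedIn) < 0) {
      findings.push({
        pkg, version: node.version, severity: adv.severity,
        paths: findPaths(g, root, pkg).map(p => p.join(' > ')),
      });
    }
  }
  return findings;
}

// Emulates an override: the named package is pinned, wherever it appears in
// the graph, to the lowest version satisfying the override range
// ("^2.6.1" -> 2.6.1). pnpm's "overrides" applies to transitive deps too.
function applyOverrides(g, overrides) {
  const out = JSON.parse(JSON.stringify(g));
  for (const [pkg, range] of Object.entries(overrides)) {
    if (out[pkg]) out[pkg].version = range.replace(/^[\^~]/, '');
  }
  return out;
}

// The same override block the comment above adds to package.json.
const packageJsonOverrides = { 'node-fetch': '^2.6.1' };

// Runs the audit before and after the override and returns both results.
function demo() {
  const before = audit(graph, 'app', advisories);
  const after = audit(applyOverrides(graph, packageJsonOverrides), 'app', advisories);
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Before the override the audit reports node-fetch 1.7.3 with the single path `app > react-infinite-calendar > recompose > fbjs > node-fetch`; after it, the pinned 2.6.1 is no longer below the fixed version and the finding disappears. Note that the override silences the audit without changing recompose or fbjs themselves, so it only works when the newer node-fetch is actually API-compatible with what fbjs calls; upgrading recompose, as the issue proposes, removes the dependency rather than patching around it.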
