
fbjs dependency still present in lock file

Open mmarchett opened this issue 5 years ago • 3 comments

When I install recompose, it keeps downloading fbjs as a dependency, which in turn brings in ua-parser-js as a dependency, and ua-parser-js has a Prototype Pollution vulnerability.

mmarchett (Feb 02 '21 19:02)

It's because the code on npmjs is different from the current code in the repo, which has not been released.

https://github.com/acdlite/recompose/blob/master/src/packages/recompose/package.json

DanielRuf (Jun 24 '21 12:06)

I found another public npm fork of this project which has been patched: https://www.npmjs.com/package/@shakacode/recompose

bdombro (Oct 22 '21 20:10)

Bump on this: ua-parser-js has a critical vulnerability; it would be great not to have to worry about that coming in.

joelzimmer (Oct 25 '21 21:10)