
node-fetch vulnerability issue (denial of service)

Open GuillaumeCisco opened this issue 5 years ago • 8 comments

I'm using recompose which is great! And in my opinion far more useful than hooks (sorry about that).

Lastly, snyk reported that recompose has one of its dependencies flagged as vulnerable: [email protected][email protected][email protected][email protected]

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

https://app.snyk.io/vuln/SNYK-JS-NODEFETCH-674311

What should we do for addressing this issue? I see no occurrences of [email protected] in the package.json :/

GuillaumeCisco avatar Sep 16 '20 09:09 GuillaumeCisco
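The question above (why snyk flags node-fetch when package.json never mentions it) comes down to a transitive dependency chain. As an added example, not code from the recompose project or from anyone in this thread, the script below walks an npm package-lock.json in its lockfileVersion 1 layout and prints every chain from a direct dependency to a target package. The lockfile, the direct-dependency list and all versions other than recompose 0.30.0 are constructed placeholders, not the values from the snyk report.

```javascript
// Added example (not from recompose or this thread): trace how a transitive
// dependency reaches the project by walking an npm package-lock.json in its
// lockfileVersion 1 layout (nested "dependencies" entries, "requires" edges).
// SAMPLE_LOCK is constructed; apart from recompose 0.30.0 the versions are placeholders.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    recompose: { version: '0.30.0', requires: { fbjs: '^0.8.x', 'hoist-non-react-statics': '^2.x' } },
    fbjs: { version: '0.8.PLACEHOLDER', requires: { 'isomorphic-fetch': '^2.x' } },
    'isomorphic-fetch': { version: '2.PLACEHOLDER', requires: { 'node-fetch': '^1.x' } },
    'node-fetch': { version: '1.PLACEHOLDER' },
    'hoist-non-react-statics': { version: '2.PLACEHOLDER' },
  },
};
const DIRECT_DEPS = ['recompose']; // names listed in package.json (constructed)

// Find the nearest lockfile entry for `name`, searching from the innermost
// nested "dependencies" block outward, the way npm/Node resolve modules.
function resolvePackage(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const entry = (scopes[i].dependencies || {})[name];
    if (entry) return entry;
  }
  return null;
}

// Return every chain (as ["name@version", ...]) that starts at a direct
// dependency and ends at `target`; a name@version already on the chain is not revisited.
function findDependencyPaths(lock, directDeps, target) {
  const paths = [];
  function walk(name, scopes, chain) {
    const pkg = resolvePackage(name, scopes);
    if (!pkg) return;
    const label = `${name}@${pkg.version}`;
    if (chain.includes(label)) return;
    const next = chain.concat(label);
    if (name === target) { paths.push(next); return; }
    for (const dep of Object.keys(pkg.requires || {})) {
      walk(dep, scopes.concat(pkg), next);
    }
  }
  for (const name of directDeps) walk(name, [lock], []);
  return paths;
}

// Print chains in the "a@1 > b@2 > c@3" form snyk uses.
for (const chain of findDependencyPaths(SAMPLE_LOCK, DIRECT_DEPS, 'node-fetch')) {
  console.log(chain.join(' > '));
}
```

Point the same walk at your real lockfile (JSON.parse of package-lock.json, direct deps taken from package.json) to see which top-level package is pulling in the flagged version.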

Hi, as I can see there was a commit to remove the fbjs related stuffs: https://github.com/acdlite/recompose/commit/68c560b216f2530796147bee07f45bf2b9bf0412

But the latest version (v0.30.0) was released before the fbjs removal, so I think that a new release could fix this vulnerability. (If a new release is possible.)

ridesz avatar Sep 16 '20 14:09 ridesz

Thank you @ridesz, yes that would be great! What do you think @acdlite ?

GuillaumeCisco avatar Sep 16 '20 14:09 GuillaumeCisco

Could we have an update on this? Or should we consider this project dead?

GuillaumeCisco avatar Sep 23 '20 12:09 GuillaumeCisco

I am looking for a fix as well.

ishmarwaha avatar Oct 19 '20 22:10 ishmarwaha

This project seems totally dead... What a pity, it was one of the great projects for React.

Hooks are destroying everything. I will never work with spaghetti code like hooks. This is such a regression, I don't even understand what facebook is doing... Code for kids?

Anyway, I will fork this project and create a new lib to be able to keep working with clean and optimised code.

GuillaumeCisco avatar Oct 20 '20 06:10 GuillaumeCisco

Would love to have a fix for this as well.

gjgd avatar Oct 28 '20 11:10 gjgd

If anybody wants to download a version of recompose with the packages updated, see:

https://github.com/shakacode/recompose
https://www.npmjs.com/package/@shakacode/recompose

I just updated the dependencies other than FBJS and FBJS is removed.

justin808 avatar Nov 10 '20 23:11 justin808

@justin808 The NPM release of @shakacode/recompose seems to be missing a large number of files (e.g. pure.js) that are present in the GitHub sources and the upstream's NPM release, but not in the fork's release 🙁

vdh avatar Aug 25 '21 00:08 vdh