
Update react dependency

Open BastienLedon opened this issue 3 years ago • 6 comments

Hello,

Describe the problem

The auth0-lock package needs react v15. That is an issue by itself because it hasn't been updated since 2017, but it also uses core-js v1, which creates a performance issue.

core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled.

What was the expected behavior?

Updated dependencies

Thank you in advance :)

BastienLedon avatar Dec 27 '21 14:12 BastienLedon

Thanks for your patience here @BastienLedon. This is a topic that recurs so let me open up that conversation internally again. The core-js@1 angle is interesting and potentially worth investigating.

stevehobbsdev avatar Jan 10 '22 15:01 stevehobbsdev

Hi! Any update on this? This is a big problem, as not only does it use an outdated version of React, but it also loads a second renderer if you are not using that version, so your application ends up running multiple versions of React at the same time.

This library is great, would love to see it fixed.

Cheers

Camsteack avatar Feb 01 '22 16:02 Camsteack

This is causing a security vulnerability: react-dom@15 depends on node-fetch, which is similar to https://github.com/auth0/lock/pull/2088

https://deps.dev/npm/auth0-lock

zcui-coremont avatar Feb 04 '22 12:02 zcui-coremont
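The three complaints raised so far in this thread (a dependency pinning an old React, a second React renderer appearing in the tree, and a transitive node-fetch pulled in via react-dom@15) can all be checked mechanically against a project's package-lock.json rather than by reading npm warnings. The script below is an added example and is not code from auth0/lock or from any commenter. It assumes a lockfileVersion 2 or 3 lock with a `packages` map keyed by install path, and the embedded lock is constructed for illustration: its paths and versions are assumptions, not the real auth0-lock dependency tree.

```javascript
// Added example (not part of the auth0/lock project): audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for three
// supply-chain findings discussed in the thread:
//   1. more than one installed copy of react / react-dom,
//   2. a core-js older than 3.4 anywhere in the tree,
//   3. node-fetch reached only transitively (nested node_modules).
// The lock below is CONSTRUCTED; paths and versions are assumptions.
const sampleLock = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { react: "^18.2.0", "auth0-lock": "^11.0.0" } },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/react-dom": { version: "18.2.0" },
    "node_modules/auth0-lock": {
      version: "11.0.0",
      dependencies: { react: "^15.6.2", "core-js": "^1.2.7" },
    },
    "node_modules/auth0-lock/node_modules/react": { version: "15.6.2" },
    "node_modules/auth0-lock/node_modules/react-dom": { version: "15.6.2" },
    "node_modules/auth0-lock/node_modules/core-js": { version: "1.2.7" },
    "node_modules/auth0-lock/node_modules/node-fetch": { version: "1.7.3" },
  },
};

// Package name from a lock key: the segment after the last "node_modules/".
function packageName(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; no semver package needed.
function parseVersion(v) {
  const [major, minor, patch] = v.split("-")[0].split(".").map(Number);
  return { major: major || 0, minor: minor || 0, patch: patch || 0 };
}

// True when version a is strictly lower than version b (numeric, not lexical).
function versionLess(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  if (x.major !== y.major) return x.major < y.major;
  if (x.minor !== y.minor) return x.minor < y.minor;
  return x.patch < y.patch;
}

// Every installed copy of each requested package, as { path, version }.
function findInstalledCopies(lock, names) {
  const result = Object.fromEntries(names.map((n) => [n, []]));
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = packageName(key);
    if (name in result && entry.version) {
      result[name].push({ path: key, version: entry.version });
    }
  }
  return result;
}

// A nested path contains more than one "node_modules/" segment, i.e. the
// package was installed privately under some dependency, not hoisted.
function isNested(path) {
  return path.split("node_modules/").length > 2;
}

// Run the three rules and return the findings with the offending paths,
// so the dependency that pulls each package in is visible.
function auditLock(lock) {
  const copies = findInstalledCopies(lock, ["react", "react-dom", "core-js", "node-fetch"]);
  const findings = [];
  for (const name of ["react", "react-dom"]) {
    const versions = [...new Set(copies[name].map((c) => c.version))].sort();
    if (versions.length > 1) {
      findings.push({ rule: "duplicate-" + name, versions, paths: copies[name].map((c) => c.path) });
    }
  }
  for (const c of copies["core-js"]) {
    if (versionLess(c.version, "3.4.0")) {
      findings.push({ rule: "old-core-js", version: c.version, path: c.path });
    }
  }
  for (const c of copies["node-fetch"]) {
    if (isNested(c.path)) {
      findings.push({ rule: "transitive-node-fetch", version: c.version, path: c.path });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a duplicate React finding whose second path sits under `node_modules/auth0-lock/` is exactly the "second renderer" situation described above, and the path tells you which dependency to raise the issue against.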

Thanks @zcui-coremont, it has been noted and we are currently working out a path forward. Will keep you posted.

stevehobbsdev avatar Feb 04 '22 13:02 stevehobbsdev

@Camsteack Regarding the multiple versions of React, this is something we'd like to be able to fix but is a tricky one. The obvious one would be to make react a peer dependency but that doesn't work out great for those users pulling this library into something that doesn't use React. Given that, even an upgrade might likely mean you'd still be using two different versions. However, great to hear feedback in this area.

stevehobbsdev avatar Feb 04 '22 13:02 stevehobbsdev

Any progress on this from a security point of view? React 15 is now 6 years old!

If people are still using older versions of react, then can't they stay on an older version of auth0-lock also?

Another suggestion could be to have a generic auth0-lock package without the react dependency, then an auth-lock-react package? Would love to be able to get rid of the "high" security warnings across the board on our apps using this library.

marcqualie avatar Jul 20 '22 13:07 marcqualie

Hi all,

Just to let you know that we will be providing an update to React in the coming weeks. We're busy on other internal initiatives at this moment in time but I will be focussing on this once they are out of the way. There'll be a very short discovery phase where we'll plan out how the update will happen, and where I also want to answer questions like how we can support any version of React by, for example, providing a second package that allows you to bring your own version.

Hopefully you can appreciate that it's a tricky update given that this component is also used internally within our Universal Login feature so a couple of teams have to be pulled in to ensure we continue to deliver a robust experience and are not inadvertently causing any regressions.

I'll close this for now but happy to continue the discussion. Rest assured it's being dealt with soon.

stevehobbsdev avatar Aug 19 '22 10:08 stevehobbsdev

👋🏻 We now have a v12 beta version that includes an upgrade to React 18 - please see this issue and let us know what you think, or if you encounter any problems!

stevehobbsdev avatar Dec 23 '22 12:12 stevehobbsdev