react-infinite-calendar
Security audit fails due to a dependency in recompose
When running a security audit:
npm audit --prod
A low-severity vulnerability is detected due to a dependency on recompose v0.22. The underlying issue is that recompose takes a dependency against fbjs which takes a dependency on an old version of node-fetch.
I poked around the recompose repo and it appears the risky dependency in question was removed in their latest version. If react-infinite-calendar were to upgrade the version of recompose, it would likely fix the vulnerability.
For what it's worth, I don't think v0.30.0 resolves the security vulnerability. There is an actively maintained version of recompose called react-recompose which might do the trick.
That being said, I did find a local workaround. I use pnpm as my package manager, and adding this to my package.json file works to patch the audit.
{
  "pnpm": {
    "overrides": {
      "node-fetch": "^2.6.1"
    }
  }
}
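As an added example (not code from this thread or from either project), here is a small check that an override of this kind actually replaced every nested copy of node-fetch: it walks the JSON printed by `npm ls --all --json`, collects each node-fetch occurrence with the path that pulls it in, and reports any copy older than the required minimum. The dependency tree below is a constructed sample that mirrors the react-infinite-calendar > recompose > fbjs > node-fetch chain described above; the version numbers in it are illustrative, not taken from a real install.

```javascript
// Simplified semver compare on major.minor.patch (prerelease tags are
// stripped, so "2.6.1-beta" is treated as 2.6.1). Returns <0, 0 or >0.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps that
// `npm ls --all --json` emits. Collects { path, version } for every
// node named `pkg`, so transitive copies are found, not just top-level ones.
function findPackage(tree, pkg, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) found.push({ path: here.join(' > '), version: node.version });
    findPackage(node, pkg, here, found);
  }
  return found;
}

// Copies of `pkg` anywhere in the tree that are older than `minVersion`.
// An empty result means the override took effect everywhere.
function outdatedCopies(tree, pkg, minVersion) {
  return findPackage(tree, pkg).filter((c) => compareVersions(c.version, minVersion) < 0);
}

// Constructed sample: the shape of `npm ls --all --json` output, with one
// stale nested node-fetch under fbjs and a patched copy at the top level.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    'react-infinite-calendar': {
      version: '0.0.0-sample',
      dependencies: {
        recompose: {
          version: '0.22.0',
          dependencies: {
            fbjs: { version: '0.0.0-sample', dependencies: { 'node-fetch': { version: '1.0.0' } } },
          },
        },
      },
    },
    'node-fetch': { version: '2.6.1' },
  },
};

console.log(outdatedCopies(sampleTree, 'node-fetch', '2.6.1'));
```

To run it against a real project, replace `sampleTree` with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe `npm ls --all --json` into the script.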