
Security audit fails due to a dependency in recompose

Open SharpCoder opened this issue 3 years ago • 1 comment

When running a security audit:

npm audit --prod

A low-severity vulnerability is detected due to a dependency on recompose v0.22. The underlying issue is that recompose takes a dependency against fbjs which takes a dependency on an old version of node-fetch.

I poked around the recompose repo and it appears the risky dependency in question was removed in their latest version. If react-infinite-calendar were to upgrade the version of recompose, it would likely fix the vulnerability.

SharpCoder avatar Jul 01 '21 04:07 SharpCoder

For what it's worth, I don't think v0.30.0 resolves the security vulnerability. There is an actively maintained version of recompose called react-recompose which might do the trick.

That being said, I did find a local workaround. I use pnpm as my package manager, and adding this to my package.json file works to patch the audit.

{
    "pnpm": {
        "overrides": {
            "node-fetch": "^2.6.1"
        }
    }
}

SharpCoder avatar Jul 01 '21 13:07 SharpCoder