Vulnerability in `jsondiffpatch`
See https://github.com/advisories/GHSA-33vc-wfww-vjfv
jotai-devtools refers to 0.5.x:
https://github.com/jotaijs/jotai-devtools/blob/ea6cac09c880ff0a22aecbaad15ccf80c80f7e29/package.json#L173
It'd be great if jsondiffpatch were upgraded to 0.7.2+, even if the vulnerability is a false positive. Otherwise, GitHub spams developers with security alerts that are based on the contents of the lockfile.
Thanks a lot for reporting this! jsondiffpatch@>=0.5.0 is ESM only; it'll cause issues with our current setup, where we support both CJS and ESM builds for jotai-devtools.
I'll look into adding an ESM-compatible wrapper (or externalizing the dependency) so we can keep CJS support for now (could also use a contribution here).
That said, this might be a good signal that it's time to consider phasing out CJS support in jotai-devtools 😟
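One shape the "ESM-compatible wrapper" mentioned above could take, as an added example that is not code from jotai-devtools or jsondiffpatch: `require()` cannot load an ESM-only package, but dynamic `import()` works from CommonJS too, so a CJS-facing module can load the ESM dependency lazily, once, and expose it behind a promise. The ESM-only module here is a constructed stand-in served from a data: URL (so the example runs offline); the real dependency would be imported by its package name instead.

```javascript
// Added example: a CommonJS-friendly wrapper around an ESM-only dependency.
// Dynamic import() is available in CJS, unlike require() of an ESM package.

// Constructed stand-in for the ESM-only dependency (NOT the real jsondiffpatch):
// a tiny inline ES module exposing a shallow diff(), served from a data: URL.
// In real code this would be the package name, e.g. import("some-esm-only-pkg").
const ESM_ONLY_MODULE_URL = "data:text/javascript," + encodeURIComponent(`
  export function diff(left, right) {
    const delta = {};
    for (const key of new Set([...Object.keys(left), ...Object.keys(right)])) {
      if (left[key] !== right[key]) delta[key] = [left[key], right[key]];
    }
    return Object.keys(delta).length ? delta : undefined;
  }
`);

let modulePromise = null;

// Load the ESM-only module at most once; every caller shares the same promise.
// On failure the cache is cleared so a later call can retry instead of being
// stuck with a rejected promise forever.
function loadDiffModule(url = ESM_ONLY_MODULE_URL) {
  if (!modulePromise) {
    modulePromise = import(url).catch((err) => {
      modulePromise = null;
      throw err;
    });
  }
  return modulePromise;
}

// The CJS-facing API. It is necessarily async, because the dependency is
// loaded lazily; callers await it (or chain .then) instead of calling directly.
async function diff(left, right) {
  const mod = await loadDiffModule();
  return mod.diff(left, right);
}

// Export for CommonJS consumers; guarded so the file also runs as an ES module.
if (typeof module !== "undefined" && module.exports) {
  module.exports = { diff, loadDiffModule };
}
```

The cost of this approach is that the wrapped API becomes asynchronous, which is why externalizing the dependency (letting the consumer's bundler resolve the ESM package) or dropping CJS entirely are the other options on the table.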
Yeah, jsondiffpatch is ESM only since 0.6.0. It was released in December 2023, which is almost two years ago. The transition from CJS to ESM has been going on for quite a while now, and I believe that most bundlers already know how to handle ESM-only deps.
Dropping CJS could be worth a shot given the vulnerability and how far the community got with the ESM migration. If there is a strong pushback from the users, you can release another 0.x.0 that brings back CJS and works around jsondiffpatch one way or another.
An ESM-only jotai-devtools package can work as a litmus test for jotai. If there is no pushback for a few months, this can mean that jotai can also be made ESM-only.
+1 to fix jsondiffpatch vulnerability. It would be appreciated :)