Comments (10)
To resolve the issue with create-react-class
the pkg isomorphic-fetch
would need to be updated as a patch release [email protected]
[email protected] > [email protected] > [email protected] > [email protected] – SNYK#SNYK-JS-NODEFETCH-674311 Denial of Service. retire create-react-class, which is vulnerable and unmaintained for >1 yr
from fbjs.
We also have security notification for this package in dependable packages. Is it planned to be fixed?
from fbjs.
I have this same security vulnerability via several relay packages, react-relay
, relay-compiler
, and relay-runtime
. Any updates on this?
from fbjs.
Any updates on this?
from fbjs.
We still have an outstanding security notification for this package, is it being looked at?
from fbjs.
I am looking for an update, too.
from fbjs.
Also interesting, where is the v3.0.0 release here on GitHub?
from fbjs.
The README for this package says,
Note: If you are consuming the code here and you are not also a Facebook project, be prepared for a bad time. APIs may appear or disappear and we may not follow semver strictly, though we will do our best to. This library is being published with our use cases in mind and is not necessarily meant to be consumed by the broader public. In order for us to move fast and ship projects like React and Relay, we've made the decision to not support everybody. We probably won't take your feature requests unless they align with our needs. There will be overlap in functionality here and in other open source projects.
Among other things this explains the lack of activity in this issue and the omission of a v3.0.0 release/tag. I don't know how many folks in this thread who need this fix are other Facebook projects, but as a general suggestion it might be more expedient to stop using fbjs
entirely rather than wait for this to be resolved.
from fbjs.
the omission of a v3.0.0 release/tag
I guess this was just forgotten by @cpojer. Besides this, react, relay, create-react-class and so on are projects which are created and maintained by Facebook.
https://www.npmjs.com/package/create-react-class
https://www.npmjs.com/package/react-relay
Similar case for recompose (https://github.com/acdlite/recompose, not sure why this is hosted on a personal GH page instead of an org) which is actively maintained and developed by one of the React core devs who works at Facebook ;-)
So
as a general suggestion it might be more expedient to stop using fbjs entirely rather than wait for this to be resolved.
Tell that the maintainers of the mentioned packages (who seem to work at / for Facebook) ;-)
I see no mention of projects / packages here which are not from Facebook.
from fbjs.
isn't this fixed by 16620e3 which is in [email protected]? i must be missing something because that was released several months before this was filed. :)
from fbjs.
Related Issues (20)
- Add CI check to ensure lockfiles up to date
- CVE-2017-16086 found in ua-parser.js HOT 2
- ua-parser-js to fix Regular Expression Denial Of Service (ReDoS) HOT 1
- areEqual doesn't support objects with null prototypes
- Got error "Cannot destructure property 'instrument' of 'options' as it is undefined" when using with jest:27.0.4 HOT 2
- missing v3.0.0 relase and tag HOT 1
- ua-parser-js Dependency Security vulnerability HOT 1
- 'instrument' required, then optional? Resulting in `TypeError: Cannot destructure property 'instrument' of 'options' as it is undefined.`
- fbjs > [email protected]: this package has been hijacked HOT 1
- [security-update] Update ua-parser-js dependency in fbjs HOT 1
- "ua-parser-js": "0.7.30" have a wrong HOT 3
- Security vulnerability with cross-fetch in fbjs HOT 3
- ChainAlert: new npm maintainer has published version 3.0.3 of package fbjs HOT 3
- Git.io deprecation notice
- upgrade core-js version HOT 1
- ua-parser-js ReDoS Vulnerability HOT 1
- nullthrows has either bad condition or bad error message HOT 1
- Analysis: 100% of dependency updates in this repository can be merged.
- Deprecated babel plugins HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fbjs.