Comments (12)
I have mixed feelings about this:
- It seems like a pretty big stretch to claim that React is "vulnerable to supply chain attacks" because of the existence of one particular dependency. Why wouldn't that be the case for every dependency on NPM ever? That's an awfully hypothetical situation.
- Agreed that the fact that the package hasn't been updated for a number of years is in one sense something to think about, but it's also a tooling-related package that has no reason to change at all anyway
- That said, we dropped `loose-envify` from Redux a while back, per reduxjs/redux#3567 (although we are just now getting ready to release that in a new major version). It was designed for Browserify users to help that tool do search-and-replace on `process.env.NODE_ENV` when used to build an app that used a given library like React. Browserify is rarely used today, and that should really be an app-level configuration concern. (Related, see #9641 where this was added to some of the addon packages)
So, I disagree with the security reasoning, but I agree that React shouldn't list `loose-envify` as a dependency because it's not useful any more.
Also, since npm has started to require two-factor auth for publishing popular packages, a token stolen by a virus does not pose a significant threat of a supply-chain attack.
Closed in #28480
> Why wouldn't that be the case for every dependency on NPM ever

It is the case. That's why supply chain attacks are so effective in JS: because of the popularity of version ranges and the fact that people blindly update their dependencies to every new version.
Consider a simple scenario: the person's npm token is leaked by a virus and 1.1.1 is published, with the ability to steal other people's npm tokens. Would a simple locking to 1.1.0 mitigate this? Sure.
There are other ways to make packages resilient. For example, with the ethereum-cryptography package, the dependency state is locked down, and there has been an audit. Every time a dependency bump is done, it is reviewed by at least one other person, we check the version diff, etc. It is not possible for packages such as typescript, but there are few of these. Moreover, the recent rewrite reduced the number of authors who can publish a sub-dependency update from 33 to just 1.
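The scenario above (a hijacked 1.1.1 pushed to a package that dependents pull in through a range) as an added example, not code from the thread. It implements only the exact, caret and tilde forms of npm ranges, enough to show which constructed dependents would auto-accept the new release and which would not.

```javascript
// Added example: would a freshly published version be picked up automatically by a
// dependency range? Covers exact pins, caret (^) and tilde (~) ranges only.
// All package names, versions and ranges below are constructed sample data.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a caret or tilde range, following npm's rules:
//   ^1.2.3 -> <2.0.0   ^0.2.3 -> <0.3.0   ^0.0.3 -> <0.0.4   ~1.2.3 -> <1.3.0
function upperBound(op, [major, minor, patch]) {
  if (op === "~") return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(range, version) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, base] = m;
  const lo = parseVersion(base);
  const v = parseVersion(version);
  if (op === "") return compare(v, lo) === 0; // exact pin: only that version
  return compare(v, lo) >= 0 && compare(v, upperBound(op, lo)) < 0;
}

// Constructed dependents of a package "pkg", each with a different range style.
const dependents = {
  "app-caret": { dependencies: { pkg: "^1.1.0" } },
  "app-tilde": { dependencies: { pkg: "~1.1.0" } },
  "app-pinned": { dependencies: { pkg: "1.1.0" } },
};

// Names of dependents whose range would accept `published` on the next install.
function exposedTo(pkgName, published, deps = dependents) {
  return Object.entries(deps)
    .filter(([, m]) => m.dependencies[pkgName] && satisfies(m.dependencies[pkgName], published))
    .map(([name]) => name);
}
```

A lockfile gives the same protection as the pinned case until someone runs an update, which is the "blind update" half of the argument.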
@paulmillr : yeah, I follow that. My question is more about why it's worth singling out one dep here in this repo specifically. What makes this situation special?
again, to be clear, I do support removing `loose-envify` as a dep entirely, but for non-security related reasons. I just don't understand the urgency for filing a security-claim issue about one random dep.
Has anyone looked into how it's actually used? I believe we only have it to support browserify, so if you don't run browserify, the code in the package isn't executed, right? Should it be moved to a dev dependency anyway?
@rickhanlonii : yeah, it's purely a Browserify thing.
If you intend it to be used, it has to be listed as a dependency as far as I know. I think the intended usage sequence is:
- User installs `react`, which drags along `loose-envify` as a dep so it's available
- Browserify tries to build the app
- Browserify looks at `react`'s `package.json`, sees the transforms section, pulls in `loose-envify`, and automatically uses that as part of its transformation process

So, moving it to a dev dep breaks that, because installing `react` wouldn't automatically install `loose-envify` too.
My take is that this is not React's job at this point. It's up to the user to configure their own build tool properly. (And doubly so given that Browserify is a relatively legacy build tool today.)
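The sequence above, as an added example that is not part of the thread: given in-memory package.json manifests for an app and its dependencies (constructed sample data), walk the dependency graph and list every Browserify transform a dependency declares, because each one is code that will execute inside the build without the app author ever naming it.

```javascript
// Added example: audit which packages in a dependency tree declare Browserify
// transforms in their own package.json, and which package introduced each one.
// Manifests are constructed sample data shaped like the real field; in a real
// check they would be read from node_modules/<name>/package.json.

const manifests = {
  app: { name: "app", version: "1.0.0", dependencies: { react: "^18.0.0" } },
  react: {
    name: "react",
    version: "18.0.0",
    dependencies: { "loose-envify": "^1.1.0" },
    browserify: { transform: ["loose-envify"] },
  },
  "loose-envify": {
    name: "loose-envify",
    version: "1.4.0",
    dependencies: { "js-tokens": "^4.0.0" },
  },
  "js-tokens": { name: "js-tokens", version: "4.0.0" },
};

// Normalise "browserify.transform": Browserify accepts a single string, an array of
// strings, or an array whose entries are [name, options] pairs.
function transformNames(manifest) {
  const t = manifest.browserify && manifest.browserify.transform;
  if (!t) return [];
  const list = Array.isArray(t) ? t : [t];
  return list.map((entry) => (Array.isArray(entry) ? entry[0] : entry));
}

// Depth-first walk from `root`; every transform found is reported with the package
// that declared it and the version of the transform package that resolves.
function auditTransforms(root, tree = manifests) {
  const seen = new Set();
  const findings = [];
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const m = tree[name];
    if (!m) continue; // missing manifest: nothing to inspect
    for (const t of transformNames(m)) {
      const resolved = tree[t] ? tree[t].version : "unresolved";
      findings.push({ declaredBy: name, transform: t, transformVersion: resolved });
    }
    stack.push(...Object.keys(m.dependencies || {}));
  }
  return findings;
}
```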
@markerikson a person in another repo randomly told me "even react does this", then I did the research and, while it seemed like the dep is not really up-to-date, or "not devdep", I opened the issue.
> Also, since npm has started to require two-factor auth for publishing popular packages, a token stolen by a virus does not pose a significant threat of a supply-chain attack.

I don’t believe this mitigates the risk. They just enforced 2fa for auth. Not for publish — otherwise CI publish tokens would have stopped working. I have published popular packages through CI recently, all is fine. Tokens can still be stolen.
Removing `loose-envify` makes a lot of sense to me:
- Browserify downward trend: https://npm-stat.com/charts.html?package=browserify&from=2022-02-24&to=2024-02-24. It's at about 5% of the downloads of React today. When this dependency was introduced in 2016 (ecf824c), it was a much different landscape: https://npm-stat.com/charts.html?package=browserify&package=react&from=2015-02-24&to=2017-02-24, Browserify had more downloads than React.
- Slows down a bit the installation process of React: https://packagephobia.com/result?p=loose-envify
- Could look cleaner: https://npm.anvaka.com/#/view/2d/react

`react-is` would need to have the dependency to make https://unpkg.com/browse/[email protected]/index.js work
@oliviertassinari not sure what you mean with the "`react-is` would need this" comment. That's the exact same dev-vs-prod import idiom that `react` and `react-dom` already use:

and bundlers already handle `NODE_ENV` as an idiom indicating dev vs prod.
@markerikson I would expect `react-is` to reproduce the loose-envify setup that react has:

```json
"browserify": {
  "transform": [
    "loose-envify"
  ]
}
```

Otherwise, the benefit of having it in react in the first place is limited.