React: create-react-class has vulnerable pkg dependencies

Created on 16 Sep 2020 · 20 Comments · Source: facebook/react

The latest package of create-react-class pulls in an older version of fbjs which pulls in dependencies that have vulnerabilities.

[email protected] > [email protected] > [email protected] > [email protected] – SNYK#SNYK-JS-NODEFETCH-674311 Denial of Service. Retire create-react-class, which is vulnerable and unmaintained for >1 yr.

React version:
[email protected]

Unconfirmed

Most helpful comment

All right, I put out [email protected] which removes the fbjs dependency and hopefully puts this issue to rest.

All 20 comments

Thanks for your concern. As you can see, there's no actual vulnerability affecting create-react-class here, but the transitive dep is unfortunate. I think isomorphic-fetch is in the best position to solve it by cutting a 2.x patch though and we're probably not the only downstream consumer that would need this.

Could a new release of create-react-class be made with an updated fbjs, if a isomorphic-fetch 2.x patch is not made?

@gaearon Looks like a new major version of isomorphic fetch was released. Can fbjs and this library be updated to use it?

Looks like a new major version of isomorphic fetch was released

Yes, and as I've said:

I think isomorphic-fetch is in the best position to solve it by cutting a 2.x patch

We need a patch, not a major version.

Again, just to be clear, we are not talking about an actual vulnerability. This is a false positive for create-react-class.

If this were an actual vulnerability, it would be a high priority to figure out and fix asap.

But since this is a false positive for create-react-class, ideally it would be resolved at the ecosystem level by cutting a patch. Since isomorphic-fetch is the direct dependent, it makes sense for them to cut that patch, rather than for everyone downstream to work around it.

Seems like it would be good practice to have create-react-class update its fbjs dependency, since it's on such an old version, [email protected].

Also seems like newer react uses "shared" to get dependencies like invariant instead of using fbjs: https://github.com/facebook/react/blob/master/packages/shared/invariant.js. This seems like a better approach.

Any update on this?

The "ecosystem" is not fixing this; a new build of create-react-class needs to be made to resolve this, one that isn't dependent on the old version of [email protected].

I've suggested earlier that isomorphic-fetch is best positioned to fix this. Have you been in contact with their maintainer?

@gaearon On the specific reason why a major version was released: it was because of upstream dependencies on isomorphic-fetch:

It has been published at v3.0.0 as the underlying dependencies (node-fetch and the fetch browser polyfill) have been pulled from new major versions.

The author was being safe to not break consumers, which means create-react-class and fbjs would need to do the same. Unless you can come up with a compelling reason for isomorphic-fetch to potentially break users with a patch version?

Thanks, guys! Unfortunately, I'm using a package that depends on create-react-class, but it seems to have been abandoned. I'm considering forking the package and uplifting what I need from it. Is there a codemod available to migrate existing create-react-class code?

@redonkulus

I’m afraid I don’t understand the argument. I am not proposing to break anyone in a patch.

Somewhere at the edge, there was a vulnerability. Which package was this? And which release was the vulnerability fixed in?

If the initial vulnerability source only released a major version, that’s a problem. While it’s not always possible, ideally (especially for a small fix) it should be backported as a patch. Precisely so that people can get the fixed version without risking a major upgrade.

I’d like to better understand what happened here. Can you help me find which package initially patched the vulnerability? Then we can look if it was intentionally not released in the patch form, and why.
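The point argued in the comments above (a fix shipped as a 2.x patch of isomorphic-fetch would flow down to fbjs and create-react-class automatically, whereas a new major does not) comes down to how npm caret ranges resolve. The following is an added example, not code from the React project or from anyone in this thread; it models a constructed registry with hypothetical package names (`app-root`, `mid-lib`, `fetch-shim`, `flagged-fetch`) and shows which dependency chains still reach an affected version when the fix exists only in a new major, versus when it is also backported as a patch.

```javascript
// Added example (not from facebook/react or this thread). Package names,
// versions and the advisory below are constructed for illustration.

// Parse "MAJOR.MINOR.PATCH" into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`bad version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric semver comparison; usable directly as an Array.sort comparator.
function compare(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// npm caret semantics: ^X.Y.Z allows >=X.Y.Z <(X+1).0.0 when X > 0;
// ^0.Y.Z allows <0.(Y+1).0; ^0.0.Z allows only 0.0.Z.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are modelled here');
  const base = range.slice(1);
  const b = parseVersion(base), v = parseVersion(version);
  if (compare(version, base) < 0) return false;
  if (b.major > 0) return v.major === b.major;
  if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
  return v.major === 0 && v.minor === 0 && v.patch === b.patch;
}

// Pick the highest published version that satisfies a range (npm's behaviour).
function highestSatisfying(registry, name, range) {
  const ok = Object.keys(registry[name] || {}).filter(v => satisfiesCaret(range, v));
  if (ok.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
  return ok.sort(compare).pop();
}

// Walk the graph from a root, recording the chain ("name@version" per hop)
// that leads to every resolved package.
function resolveChains(registry, rootName, rootVersion) {
  const out = [];
  const walk = (name, version, chain) => {
    const here = [...chain, `${name}@${version}`];
    out.push({ name, version, chain: here });
    for (const [dep, range] of Object.entries(registry[name][version])) {
      walk(dep, highestSatisfying(registry, dep, range), here);
    }
  };
  walk(rootName, rootVersion, []);
  return out;
}

// Chains that terminate in a version older than the advisory's fixed version.
function affectedChains(registry, rootName, rootVersion, advisory) {
  return resolveChains(registry, rootName, rootVersion)
    .filter(e => e.name === advisory.name && compare(e.version, advisory.fixedIn) < 0)
    .map(e => e.chain.join(' > '));
}

// Constructed advisory: flagged-fetch is affected below 1.7.4.
const ADVISORY = { name: 'flagged-fetch', fixedIn: '1.7.4' };

// Scenario A: the fix was only shipped in flagged-fetch 2.6.1 and adopted by
// fetch-shim 3.0.0 (a major); mid-lib still declares ^2.2.0.
const registryMajorOnly = {
  'app-root':      { '1.0.0': { 'mid-lib': '^1.2.0' } },
  'mid-lib':       { '1.2.0': { 'fetch-shim': '^2.2.0' } },
  'fetch-shim':    { '2.2.1': { 'flagged-fetch': '^1.7.0' },
                     '3.0.0': { 'flagged-fetch': '^2.6.0' } },
  'flagged-fetch': { '1.7.3': {}, '2.6.1': {} },
};

// Scenario B: the same registry plus a backported patch (flagged-fetch 1.7.4)
// and a fetch-shim 2.2.2 patch that requires it. Nothing downstream changes.
const registryWithBackport = JSON.parse(JSON.stringify(registryMajorOnly));
registryWithBackport['flagged-fetch']['1.7.4'] = {};
registryWithBackport['fetch-shim']['2.2.2'] = { 'flagged-fetch': '^1.7.4' };

function runScenarios() {
  return {
    majorOnly: affectedChains(registryMajorOnly, 'app-root', '1.0.0', ADVISORY),
    withBackport: affectedChains(registryWithBackport, 'app-root', '1.0.0', ADVISORY),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

In scenario A the root still resolves `fetch-shim@2.2.1` (3.0.0 falls outside `^2.2.0`) and so still reaches the affected `flagged-fetch@1.7.3`; in scenario B the patch releases are picked up on the next install with no change to any downstream manifest, which is why a backported patch closes the whole tree while a major release only helps consumers who deliberately upgrade.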

Yes there is a codemod. npx react-codemod class .

Thanks, @gaearon. Much appreciated!

@gaearon maybe you can talk to @matthew-andrews on this thread: https://github.com/matthew-andrews/isomorphic-fetch/pull/189 I have asked him to do a patch release but there has been no update

All right, I put out [email protected] which removes the fbjs dependency and hopefully puts this issue to rest.

Thanks @gaearon!!!

Can you verify it works? I did it by hand.

@gaearon of course the vuln warning is gone now that fbjs is not a dependency, and as far as I can tell create-react-class is working as it should. Feels much cleaner not to be coupled to that outdated version of fbjs. Thanks again! 😄
