I'm using recompose which is great! And in my opinion far more useful than hooks (sorry about that).
Lastly, Snyk reported that recompose has one of its dependencies as vulnerable:
[email protected] › [email protected] › [email protected] › [email protected]
node-fetch is a light-weight module that brings window.fetch to node.js
Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
https://app.snyk.io/vuln/SNYK-JS-NODEFETCH-674311
What should we do for addressing this issue?
I see no occurrences of [email protected] in the package.json :/
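The failure mode quoted from the advisory above (a size limit that is not applied once a redirect has been followed) can be contained by counting received bytes in the calling code instead of relying on the library option alone. This is an added example, not code from recompose, node-fetch or anyone in this thread; `SizeLimitError`, `createCappedCollector`, `readCapped` and `constructedBody` are hypothetical names, and the body is constructed sample input.

```javascript
// Error type (hypothetical name) raised when a body exceeds the caller's cap.
class SizeLimitError extends Error {
  constructor(received, maxBytes) {
    super(`body exceeded ${maxBytes} bytes (received at least ${received})`);
    this.name = 'SizeLimitError';
  }
}

// Accumulates chunks and fails closed as soon as the running total passes
// maxBytes. The count is taken from the bytes actually received, so it does
// not depend on Content-Length or on how many redirects were followed.
function createCappedCollector(maxBytes) {
  let total = 0;
  const chunks = [];
  return {
    push(chunk) {
      const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
      total += buf.length;
      if (total > maxBytes) throw new SizeLimitError(total, maxBytes);
      chunks.push(buf);
    },
    result() {
      return Buffer.concat(chunks);
    },
  };
}

// Reads any async-iterable body (a Node.js Readable qualifies). Throwing
// inside for-await ends the iteration early, which destroys a Readable, so
// the remainder of an oversized body is not read.
async function readCapped(body, maxBytes) {
  const collector = createCappedCollector(maxBytes);
  for await (const chunk of body) collector.push(chunk);
  return collector.result();
}

// Constructed sample input: a body delivered as `count` chunks of `size` bytes.
async function* constructedBody(count, size) {
  for (let i = 0; i < count; i++) yield Buffer.alloc(size, 0x61);
}

// Demo: 12 bytes fit a 12-byte cap, 16 bytes are rejected.
readCapped(constructedBody(3, 4), 12)
  .then((buf) => console.log('accepted', buf.length, 'bytes'))
  .then(() => readCapped(constructedBody(4, 4), 12))
  .catch((err) => console.log('rejected:', err.message));
```
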
Hi, as I can see there was a commit to remove the fbjs related stuff: https://github.com/acdlite/recompose/commit/68c560b216f2530796147bee07f45bf2b9bf0412
But the latest version (v0.30.0) was released before the fbjs removal, so I think that a new release could fix this vulnerability. (If a new release is possible.)
Thank you @ridesz, yes that would be great!
What do you think @acdlite ?
Could we have an update on this? Or should we consider this project is dead?
I am looking for a fix as well.
This project seems totally dead...
What a pity, it was one of the great projects for React.
Hooks are destroying everything. I will never work with spaghetti code like hooks. This is such a regression, I don't even understand what facebook is doing... Code for kids?
Anyway, I will fork this project and create a new lib for being able to still work with clean and optimised code.
Would love to have a fix for this as well.
If anybody wants to download a version of recompose with the packages updated, see:
https://github.com/shakacode/recompose
https://www.npmjs.com/package/@shakacode/recompose
I just updated the dependencies other than FBJS and FBJS is removed.