Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FBJS library causing vulnerability #397

Open
bar350 opened this issue Feb 25, 2022 · 1 comment
Open

FBJS library causing vulnerability #397

bar350 opened this issue Feb 25, 2022 · 1 comment

Comments

@bar350
Copy link

bar350 commented Feb 25, 2022

pinned version of FBJS library includes a version of isomorphic-fetch which has a dependency on node-fetch which is now vulnerable please move the pinned version of fbjs to a greater version.

please pin fbjs to a more recent release

@JeffMII
Copy link

JeffMII commented Apr 30, 2022

It's not fbjs that's the problem. The problem is that glamor hasn't been updated in 5 years so it uses an old, deprecated version of fbjs that uses an old insecure version of node-fetch, and on top of that it uses [email protected] which is ancient at this point and has a serious flaw that can cause random slowdowns by a factor of 100 according to npm. It seems there's still a lot of people using this package. I don't understand why it hasn't been updated in so long. In order to fix these issues, someone would have to update the package. There are 230 forks. Maybe someone has an updated version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants