acdlite / recompose

A React utility belt for function components and higher-order components.


fbjs dependency still present in lock file

mmarchett opened this issue · comments

When I install recompose, it keeps downloading fbjs as a dependency, which in turn brings in ua-parser-js as a dependency, which has a Prototype Pollution vulnerability.

It's because the code on npmjs is different from the current code in the repo, which has not been released.

https://github.com/acdlite/recompose/blob/master/src/packages/recompose/package.json

I found another public npm fork of this project which has been patched: https://www.npmjs.com/package/@shakacode/recompose
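The chain described in this issue (recompose pulling in fbjs, which pulls in ua-parser-js) can be traced directly from the lock file. The script below is an added example and is not part of the issue or of the recompose project; the package-lock.json fragment and its version numbers are constructed placeholders, and the code assumes a lockfileVersion 2 or 3 `packages` map.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3 "packages" map);
// versions are placeholders, not the real published ones.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { recompose: "^0.30.0" } },
    "node_modules/recompose": { version: "0.30.0", dependencies: { fbjs: "^0.8.0" } },
    "node_modules/fbjs": { version: "0.8.17", dependencies: { "ua-parser-js": "^0.7.18" } },
    "node_modules/ua-parser-js": { version: "0.7.18" },
  },
};

// Mimic Node's resolution: look in the requiring package's own node_modules,
// then walk up through each parent until the root node_modules is reached.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed at any level
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first search from the root package; returns every chain (as
// "name@version" strings) that ends at `target`. `seen` breaks cycles.
function findDependencyPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  function walk(path, chain, seen) {
    const entry = packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || seen.has(depPath)) continue;
      const label = dep + "@" + packages[depPath].version;
      if (dep === target) results.push([...chain, label]);
      walk(depPath, [...chain, label], new Set([...seen, depPath]));
    }
  }
  walk("", [], new Set());
  return results;
}

// Report each chain that pulls in the flagged package.
for (const chain of findDependencyPaths(sampleLock, "ua-parser-js")) {
  console.log(chain.join(" -> "));
}
```

To check a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means the package is no longer reachable from the lock file.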

Bump on this - ua-parser-js has a critical vulnerability; it would be great to not have to worry about that coming in.