telus / tds-community

TELUS Design System Community Components

Home Page:https://tds.telus.com/community/index.html


a vulnerability CVE-2020-15168 is introduced in @tds/community-skeleton-provider

ayaka-kms opened this issue · comments

Hi, a vulnerability CVE-2020-15168 is introduced in @tds/community-skeleton-provider via:
● @tds/community-skeleton-provider@2.2.0 ➔ recompose@0.30.0 ➔ fbjs@0.8.17 ➔ isomorphic-fetch@2.2.1 ➔ node-fetch@1.7.3

recompose is a legacy package. It has not been maintained for about 3 years and is not likely to be updated.
Is it possible to migrate from recompose to another package to remediate this vulnerability?

I noticed several migration records for recompose in other js repos, such as

  1. in react-dnd, version 7.4.1 ➔ 7.4.2, remove recompose via commit
  2. in @nivo/legends, version 0.67.0 ➔ 0.68.0, remove recompose via commit

Are there any efforts planned that would remediate this vulnerability or migrate recompose?

Thanks
; )
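The reported chain is a transitive one, and the practical question for a maintainer is whether the vulnerable package is reachable at all from the top-level package and through which intermediaries. The script below is an added example, not code from the tds-community project or from the issue author: it walks a dependency tree in the shape `npm ls --json` prints (a root with `name`, `version` and a nested `dependencies` object; assumed here, check against your npm version's output) and lists every path from the root to a named package, optionally filtering to versions below the advisory's first fixed release. The tree embedded in the script is constructed by hand to mirror the chain quoted in the issue; the fix version passed at the bottom is an illustrative placeholder, not taken from the advisory.

```javascript
// Added example (not part of the tds-community project): find every path
// from a package's dependency tree to a named transitive dependency.
// Input shape assumed to match `npm ls --json` (npm 6: `npm ls --json`;
// npm 7+: `npm ls --json --all`), parsed with JSON.parse.

// Constructed sample tree mirroring the chain reported in the issue.
const sampleTree = {
  name: '@tds/community-skeleton-provider',
  version: '2.2.0',
  dependencies: {
    recompose: {
      version: '0.30.0',
      dependencies: {
        fbjs: {
          version: '0.8.17',
          dependencies: {
            'isomorphic-fetch': {
              version: '2.2.1',
              dependencies: {
                'node-fetch': { version: '1.7.3' },
              },
            },
          },
        },
      },
    },
    // Unrelated sibling dependency, to show it is not reported.
    react: { version: '16.13.1' },
  },
};

// Return all root-to-target paths as arrays of "name@version" strings.
function findDependencyPaths(tree, targetName) {
  const results = [];
  const visit = (name, node, path, seen) => {
    const key = `${name}@${node.version}`;
    // Deduplicated trees can contain cycles; never revisit a node on the
    // current path.
    if (seen.has(key)) return;
    const nextSeen = new Set(seen);
    nextSeen.add(key);
    const nextPath = [...path, key];
    if (name === targetName) results.push(nextPath);
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      visit(childName, child, nextPath, nextSeen);
    }
  };
  visit(tree.name, tree, [], new Set());
  return results;
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function versionLessThan(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Keep only paths whose target version is below the first fixed version.
function findVulnerablePaths(tree, targetName, firstFixedVersion) {
  return findDependencyPaths(tree, targetName).filter((path) => {
    const targetVersion = path[path.length - 1].split('@').pop();
    return versionLessThan(targetVersion, firstFixedVersion);
  });
}

// Render a path in the same arrow notation the issue uses.
function formatChain(path) {
  return path.join(' ➔ ');
}

// Usage: replace the placeholder with the fixed version from the advisory.
const FIXED_VERSION_PLACEHOLDER = '2.0.0';
for (const path of findVulnerablePaths(sampleTree, 'node-fetch', FIXED_VERSION_PLACEHOLDER)) {
  console.log(formatChain(path));
}
```

To run it against a real project, pipe `npm ls --json --all` into a file, `JSON.parse` it in place of `sampleTree`, and pass the advisory's fixed version. A path list that is empty after the version filter means the vulnerable release is not reachable from that package; a non-empty list names exactly the intermediaries (here recompose) whose replacement or upgrade would remove the exposure.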