create-react-class has vulnerable pkg dependencies #19840

Closed
carystanley opened this issue Sep 15, 2020 · 20 comments
Labels
Status: Unconfirmed A potential issue that we haven't yet confirmed as a bug

Comments

@carystanley

The latest package of create-react-class pulls in an older version of fbjs which pulls in dependencies that have vulnerabilities.

create-react-class@15.6.3 > fbjs@0.8.17 > isomorphic-fetch@2.2.1 > node-fetch@1.7.3 – SNYK#SNYK-JS-NODEFETCH-674311 Denial of Service. retire create-react-class, which is vulnerable and unmaintained for >1 yr

React version:
create-react-class@15.6.3

@carystanley carystanley added the Status: Unconfirmed A potential issue that we haven't yet confirmed as a bug label Sep 15, 2020
@gaearon
Collaborator

gaearon commented Sep 18, 2020

Thanks for your concern. As you can see, there's no actual vulnerability affecting create-react-class here, but the transitive dep is unfortunate. I think isomorphic-fetch is in the best position to solve it by cutting a 2.x patch though and we're probably not the only downstream consumer that would need this.

@gaearon gaearon closed this as completed Sep 18, 2020
@carystanley
Author

Could a new release of create-react-class be made with an updated fbjs, if an isomorphic-fetch 2.x patch is not made?

@redonkulus

@gaearon Looks like a new major version of isomorphic-fetch was released. Can fbjs and this library be updated to use it?

@redonkulus

I created an issue there: facebook/fbjs#402

@gaearon
Collaborator

gaearon commented Sep 23, 2020

Looks like a new major version of isomorphic fetch was released

Yes, and as I've said:

I think isomorphic-fetch is in the best position to solve it by cutting a 2.x patch

We need a patch, not a major version.

@gaearon
Collaborator

gaearon commented Sep 23, 2020

Again, just to be clear, we are not talking about an actual vulnerability. This is a false positive for create-react-class.

If this were an actual vulnerability, it would be a high priority to figure out and fix asap.

But since this is a false positive for create-react-class, ideally it would be resolved at the ecosystem level by cutting a patch. Since isomorphic-fetch is the direct dependent, it makes sense for them to cut that patch, rather than for everyone downstream to work around it.

@carystanley
Author

carystanley commented Sep 24, 2020

Seems like it would be good practice to have create-react-class update its fbjs dependency, since it's on such an old version, fbjs@0.8.17.

Also, it seems like newer React uses "shared" to get dependencies like invariant instead of using fbjs (https://github.com/facebook/react/blob/master/packages/shared/invariant.js); this seems like a better approach.

@imjordanxd

Any update on this?

@carystanley
Author

carystanley commented Oct 13, 2020

The "ecosystem" is not fixing this; a new build of create-react-class needs to be made to resolve this, one that isn't dependent on the old version fbjs@0.8.17.

@gaearon
Collaborator

gaearon commented Oct 13, 2020

I've suggested earlier that isomorphic-fetch is best positioned to fix this. Have you been in contact with their maintainer?

@redonkulus

redonkulus commented Oct 13, 2020

@gaearon The specific reason a major version was released was because of the upstream dependencies of isomorphic-fetch:

It has been published at v3.0.0 as the underlying dependencies (node-fetch and the fetch browser polyfill) have been pulled from new major versions.

The author was being safe so as not to break consumers, which means create-react-class and fbjs would need to do the same. Unless you can come up with a compelling reason for isomorphic-fetch to potentially break users with a patch version?

@imjordanxd

Thanks, guys! Unfortunately, I'm using a package that depends on create-react-class, but it seems to have been abandoned. I'm considering forking the package and uplifting what I need from it. Is there a codemod available to migrate existing create-react-class code?

@gaearon
Collaborator

gaearon commented Oct 14, 2020

@redonkulus

I’m afraid I don’t understand the argument. I am not proposing to break anyone in a patch.

Somewhere at the edge, there was a vulnerability. Which package was this? And which release was the vulnerability fixed in?

If the initial vulnerability source only released a major version, that’s a problem. While it’s not always possible, ideally (especially for a small fix) it should be backported as a patch. Precisely so that people can get the fixed version without risking a major upgrade.

I’d like to better understand what happened here. Can you help me find which package initially patched the vulnerability? Then we can look if it was intentionally not released in the patch form, and why.

@gaearon
Collaborator

gaearon commented Oct 14, 2020

Yes, there is a codemod: npx react-codemod class .

@imjordanxd

imjordanxd commented Oct 14, 2020

Thanks, @gaearon. Much appreciated!

@carystanley
Author

@gaearon maybe you can talk to @matthew-andrews on this thread: matthew-andrews/isomorphic-fetch#189. I have asked him to do a patch release, but there has been no update.

@gaearon
Collaborator

gaearon commented Oct 15, 2020

All right, I put out create-react-class@15.7.0 which removes the fbjs dependency and hopefully puts this issue to rest.

@carystanley
Author

Thanks @gaearon!!!

@gaearon
Collaborator

gaearon commented Oct 15, 2020

Can you verify it works? I did it by hand.

@carystanley
Author

@gaearon of course the vuln warning is gone now that fbjs is not a dependency, and as far as I can tell create-react-class is working as it should. Feels much cleaner not to be coupled to that outdated version of fbjs. Thanks again! 😄
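The dependency chain quoted in the opening post and the "can you verify it works?" exchange above boil down to one check: is the flagged package still reachable from the root, and through which direct dependent? The script below is an added example, not code from this issue, from create-react-class or from npm. It walks a nested dependency tree shaped like package-lock v1 entries (name mapped to version and dependencies) and lists every root-to-package path, then shows the same tree with fbjs removed, as the 15.7.0 release described above does. The tree is constructed to mirror the chain in the issue; the sibling dependencies (loose-envify, object-assign) and their versions are assumptions, not taken from the page.

```javascript
// Added example, not code from the issue thread or from create-react-class.
// It walks a nested dependency tree and reports every path from the root
// package to a flagged transitive package: the check a maintainer runs to
// confirm whether an advisory is reachable and, after a fix, that it is gone.

// CONSTRUCTED tree shaped like package-lock v1 entries (name -> {version, dependencies}).
// The chain matches the one quoted in the issue; loose-envify and object-assign
// and their versions are assumptions.
const BEFORE = {
  name: 'create-react-class',
  version: '15.6.3',
  dependencies: {
    fbjs: {
      version: '0.8.17',
      dependencies: {
        'isomorphic-fetch': {
          version: '2.2.1',
          dependencies: {
            'node-fetch': { version: '1.7.3', dependencies: {} },
          },
        },
      },
    },
    'loose-envify': { version: '1.4.0', dependencies: {} },
    'object-assign': { version: '4.1.1', dependencies: {} },
  },
};

// Same root with the fbjs dependency dropped (mirrors the 15.7.0 release
// described in the thread; the remaining dependencies are assumptions).
const AFTER = {
  name: 'create-react-class',
  version: '15.7.0',
  dependencies: {
    'loose-envify': BEFORE.dependencies['loose-envify'],
    'object-assign': BEFORE.dependencies['object-assign'],
  },
};

// Return every "a@1 > b@2 > ..." path from `pkg` down to a package named `flaggedName`.
// `seen` holds the labels on the current path so a cyclic graph cannot recurse forever.
function findPaths(pkg, flaggedName, trail = [], seen = new Set()) {
  const label = `${pkg.name}@${pkg.version}`;
  if (seen.has(label)) return [];
  const here = [...trail, label];
  const hits = pkg.name === flaggedName ? [here.join(' > ')] : [];
  const seenHere = new Set(seen).add(label);
  for (const [name, child] of Object.entries(pkg.dependencies || {})) {
    hits.push(...findPaths({ name, ...child }, flaggedName, here, seenHere));
  }
  return hits;
}

// The package that directly depends on the flagged one in each path: the
// place where a patch release resolves the advisory for everyone downstream.
function immediateDependents(paths) {
  const parents = paths
    .map((p) => p.split(' > ').slice(-2, -1)[0])
    .filter(Boolean); // a path of length 1 means the root itself was flagged
  return [...new Set(parents)];
}

// Stand-alone run: report the before/after state for the flagged package.
for (const [tag, tree] of [['before', BEFORE], ['after', AFTER]]) {
  const paths = findPaths(tree, 'node-fetch');
  console.log(`${tag} (${tree.name}@${tree.version}): ${paths.length} path(s) to node-fetch`);
  for (const p of paths) console.log('  ' + p);
  if (paths.length) console.log('  fix belongs in: ' + immediateDependents(paths).join(', '));
}
```

Run against the "before" tree it prints the single chain from the issue and names isomorphic-fetch@2.2.1 as the immediate dependent, which is the package the discussion above identifies as the right place for a patch; against the "after" tree it finds no path, which is the verification the thread ends on. To apply it to a real project, replace the constructed objects with the `dependencies` section of a lockfile (v1 shape) or the output of a tree walk over `node_modules`.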
