FBJS library causing vulnerability #397
It's not fbjs that's the problem. The problem is that glamor hasn't been updated in 5 years so it uses an old, deprecated version of fbjs that uses an old insecure version of node-fetch, and on top of that it uses [email protected] which is ancient at this point and has a serious flaw that can cause random slowdowns by a factor of 100 according to npm. It seems there's still a lot of people using this package. I don't understand why it hasn't been updated in so long. In order to fix these issues, someone would have to update the package. There are 230 forks. Maybe someone has an updated version.
The pinned version of the FBJS library includes a version of isomorphic-fetch which has a dependency on node-fetch, which is now vulnerable. Please move the pinned version of fbjs to a greater version.
Please pin fbjs to a more recent release.
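
Added example, not part of the original thread or of the glamor project: a small lockfile walker that lists every dependency chain leading to a given package, which is how a consumer can confirm that node-fetch arrives through glamor's pinned fbjs rather than through a direct dependency. The lockfile content, the placeholder versions and the function names `resolveDep` and `findPaths` are constructed for illustration; only the `packages` layout of `package-lock.json` (lockfileVersion 2/3) is assumed.

```javascript
// Constructed sample in npm's lockfile "packages" layout (lockfileVersion 2/3).
// Versions and dependency lists are placeholders, not taken from the issue.
const sampleLock = {
  packages: {
    "": { dependencies: { glamor: "*", fbjs: "*" } },
    "node_modules/glamor": { version: "0.0.0-sample", dependencies: { fbjs: "*" } },
    // glamor's own pinned copy, nested because the root wants a different fbjs
    "node_modules/glamor/node_modules/fbjs": {
      version: "0.0.0-old-sample",
      dependencies: { "isomorphic-fetch": "*" },
    },
    "node_modules/fbjs": { version: "0.0.0-new-sample" },
    "node_modules/isomorphic-fetch": {
      version: "0.0.0-sample",
      dependencies: { "node-fetch": "*" },
    },
    "node_modules/node-fetch": { version: "0.0.0-sample" },
  },
};

// Resolve `name` the way Node does from the package installed at `fromKey`:
// nearest node_modules first, then each parent, ending at the project root.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain of package names from the root project down to `target`.
function findPaths(lock, target) {
  const results = [];
  const walk = (key, chain, seen) => {
    const entry = lock.packages[key];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const depKey = resolveDep(lock.packages, key, name);
      if (!depKey || seen.has(depKey)) continue; // missing, or a cycle
      if (name === target) results.push([...chain, name]);
      else walk(depKey, [...chain, name], new Set(seen).add(depKey));
    }
  };
  walk("", [], new Set([""]));
  return results;
}
```

In the sample, bumping the root-level fbjs changes nothing for node-fetch, because the only chain that reaches it goes through the copy nested under glamor.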