Security vulnerability in create-react-context package
There is the following security vulnerability reported by npm audit:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-live │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-live > create-react-context > fbjs > isomorphic-fetch │
│ │ > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
I found that updating create-react-context to v0.3.0 should fix the problem. It looks like it is a safe update: there were internal dependency changes inside the package, but nothing critical to the functionality. Details: https://github.com/jamiebuilds/create-react-context/compare/v0.2.2...v0.3.0
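As an added example (not code from the issue or from the react-live project), the following Node script reproduces the two checks behind a report like this one: walking a lockfile-shaped dependency tree for every path that ends in a given package, and testing the version found there against the advisory's "Patched in" range. The lock fragment, including the node-fetch version in it, is constructed to mirror the path from the audit table; the version comparison is a minimal semver implementation covering only the operators that range uses, not the `semver` package.

```javascript
// Added example: find a vulnerable transitive dependency in a lockfile-shaped
// tree and test its version against an advisory's patched range.
// SAMPLE_LOCK is constructed; it mirrors the audit path
// react-live > create-react-context > fbjs > isomorphic-fetch > node-fetch.
// Versions other than node-fetch and create-react-context are placeholders.

const NODE_FETCH_PATCHED = '>=2.6.1 <3.0.0-beta.1 || >= 3.0.0-beta.9'; // from the audit table

const SAMPLE_LOCK = {
  dependencies: {
    'react-live': {
      version: '0.0.0-placeholder',
      dependencies: {
        'create-react-context': {
          version: '0.2.2',
          dependencies: {
            fbjs: {
              version: '0.0.0-placeholder',
              dependencies: {
                'isomorphic-fetch': {
                  version: '0.0.0-placeholder',
                  // constructed: a version below the 2.6.1 floor of the patched range
                  dependencies: { 'node-fetch': { version: '2.6.0' } },
                },
              },
            },
          },
        },
      },
    },
    // a hoisted, already-patched copy that must not be reported
    'node-fetch': { version: '2.6.1' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric main parts first, then prerelease rules
// (a release outranks its prereleases; numeric identifiers sort below alphanumeric).
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.main[i] !== B.main[i]) return A.main[i] < B.main[i] ? -1 : 1;
  }
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside `range`? Supports "||"-joined sets of
// >=, <=, >, <, = comparators, which is all the advisory range needs.
function satisfies(version, range) {
  return range.split('||').some((set) => {
    const comps = set.match(/(?:>=|<=|>|<|=)?\s*v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?/g) || [];
    return comps.length > 0 && comps.every((c) => {
      const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(c.trim());
      const op = m[1] || '=';
      const cmp = compareVersions(version, m[2]);
      if (op === '>=') return cmp >= 0;
      if (op === '<=') return cmp <= 0;
      if (op === '>') return cmp > 0;
      if (op === '<') return cmp < 0;
      return cmp === 0;
    });
  });
}

// Depth-first walk over lockfile-v1-shaped `dependencies` maps, returning every
// path that ends in `pkg` with a version outside `patchedRange`.
function findVulnerablePaths(node, pkg, patchedRange, trail = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && !satisfies(child.version, patchedRange)) {
      out.push({ path: path.join(' > '), version: child.version });
    }
    findVulnerablePaths(child, pkg, patchedRange, path, out);
  }
  return out;
}

for (const hit of findVulnerablePaths(SAMPLE_LOCK, 'node-fetch', NODE_FETCH_PATCHED)) {
  console.log(`${hit.path} @ ${hit.version} is outside "${NODE_FETCH_PATCHED}"`);
}
```

Running it prints the single unpatched path; the hoisted 2.6.1 copy is skipped because it already satisfies the range. The same walk, pointed at a real `package-lock.json` (lockfileVersion 1 nests `dependencies` exactly this way), shows whether bumping one intermediate package such as create-react-context actually removes every path to the vulnerable version, rather than just the one npm audit happened to print.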
Issue Analytics
- Created 3 years ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Yeah I was honestly already thinking about that. We actually already introduced breaking changes in 2.0 that require React 16+ anyway; so there really isn’t much point polyfilling Context now…
Ditching it would be my preference. If people still need React 15.x support they can always keep using < 2.0…
@bkonkle Thank you for fixing it quickly! Do you plan to release the package soon?