node-fetch vulnerability issue (denial of service)

[GuillaumeCisco]

I'm using recompose which is great! And in my opinion far more useful than hooks (sorry about that).

Laslty snyk reported that recompose has one of its dependency as vulnerable :
recompose@0.30.0 › fbjs@0.8.17 › isomorphic-fetch@2.2.1 › node-fetch@1.7.3

node-fetch is an A light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

https://app.snyk.io/vuln/SNYK-JS-NODEFETCH-674311

What should we do for addressing this issue?
I see no occurrences of fbjs@0.8.17 in the package.json :/

[ridesz]

Hi, as I can see there was a commit to remove the fbjs related stuffs: 68c560b

But the latest version (v0.30.0) was released before the fbjs removement, so I think that a new release could fix this vulnerability. (If a new release is possible.)

[GuillaumeCisco]

Thank you @ridesz, yes that would be great!
What do you think @acdlite ?

[GuillaumeCisco]

Could we have an update on this? Or should we consider this project is dead?

[ishmarwaha]

I am looking for a fix as well.

[GuillaumeCisco]

This project seems totally dead...
What a pity, it was one of the great projet for react.

Hooks are destroying everything. I will never work with spaghetti code like hooks. This is such a regression, I don't even understand what facebook is doing... Code for kids?

Anyway, I will fork this project and create a new lib for being able to still work with clean and optimised code.

[gjgd]

Would love to have a fix for this as well.

[justin808]

If anybody wants to download a version of recompose with the packages updated, see:

https://github.com/shakacode/recompose
https://www.npmjs.com/package/@shakacode/recompose

I just updated the dependencies other than FBJS and FBJS is removed.