a vulnerability CVE-2020-15168 is introduced in contexture-react

[ayaka-kms]

Hi, @daedalus28, a vulnerability CVE-2020-15168 is introduced in contexture-react via:
● contexture-react@2.47.0 ➔ recompose@0.30.0 ➔ fbjs@0.8.17 ➔ isomorphic-fetch@2.2.1 ➔ node-fetch@1.7.3

recompose is a legacy package. It has not been maintained for about 3 years, and is not likely to be updated.
Is it possible to migrate recompose to other package to remediate this vulnerability?

I noticed several migration records for recompose in other js repos, such as

1. in react-dnd, version 7.4.1 ➔ 7.4.2, remove recompose via commit
2. in @nivo/legends, version 0.67.0 ➔ 0.68.0, remove recompose via commit

Are there any efforts planned that would remediate this vulnerability or migrate recompose?

Thanks
; )

[daedalus28]

Thanks for the contribution here!

Our use of recompose is limited to defaultProps and setDisplayName, neither of which use node-fetch internally - so I don't think we're affected by this vulnerability. With that said, we'd be open to a PR that replaces these with a non legacy package.

@stellarhoof might have some thoughts here as I think we dealt with this on another project (spark).

[stellarhoof]

Yeah node-fetch is not used by us, although it's a transitive dependency. defaultProps and setDisplayName are trivial enough that we could simply have our wrappers and not depend on recompose, but this is likely to be very low priority.