Security vulnerability in create-react-context package

[qooban]

There is the following security vulnerability reported by npm audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-live                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-live > create-react-context > fbjs > isomorphic-fetch  │
│               │ > node-fetch                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

I found that updating create-react-context to v0.3.0 should fix the problem. It looks like it is safe update, there were internal dependencies changes inside the package, but nothing critical to the functionality. Details: jamiebuilds/create-react-context@v0.2.2...v0.3.0

[bkonkle]

@qooban Thanks for the heads-up! I updated create-react-context and ran an audit to see if there were any more cases of the node-fetch vulnerability.

There are two more hits, in @storybook/react and @storybook/addon-knobs. I tried to update, but we're a few major versions behind on Storybook so the task was more involved than I expected. These are devDependencies, however, so they shouldn't impact any usages of react-live in production.

[kitten]

@bkonkle: If @jpdriver is fine with cutting a major release with maybe some API changes we could consider dropping the polyfill altogether maybe

[jpdriver]

Yeah I was honestly already thinking about that. We actually already introduced breaking changes in 2.0 that require React 16+ anyway; so there really isn't much point polyfilling Context now..

Ditching it would be my preference. If people still need React 15.x support they can always keep using < 2.0..

[bkonkle]

I pulled out the polyfill in #225. Thanks!

[qooban]

@bkonkle Thank you for fixing it quickly! Do you plan to release the package soon?