
node-fetch vulnerability, dependabot fix impossible #1479

Closed
rap2hpoutre opened this issue Apr 14, 2021 · 4 comments · Fixed by #1494

Comments

@rap2hpoutre

rap2hpoutre commented Apr 14, 2021

Using the latest version of nivo, I have security errors on github:
[Screenshot 2021-04-14 at 08:45:16]

It seems at least three packages are impacted.

@nivo/bar@0.67.0 requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1
@nivo/core@0.67.0 requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1
@nivo/line@0.67.0 requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1
@nivo/pie@0.67.0 requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1
The earliest fixed version is 2.6.1.

There is a main issue here: #884 but it seems it's not the same, since it's not a problem about React.createFactory.

@plouc
Owner

plouc commented Apr 21, 2021

I guess this issue is gonna be fixed for the pie package once we release a new version as I removed recompose, but migrating other packages is gonna take some time; bar and line are pretty complex, and I'm not sure it can be fixed without getting rid of recompose completely and using hooks.

@wyze
Contributor

wyze commented Apr 21, 2021

I am going to close this as duplicate of #884. The messaging isn't the same, but the root cause is. Once we remove recompose from the project, both of the issues will be fixed.

@G-Rath
Contributor

G-Rath commented Apr 25, 2021

@wyze @plouc what about vendoring the functions being used from recompose as @nivo/recompose (or similar) as a quick fix?

Searching the codebase, these are all the uses:

nivo/packages on  master
❯ rg recompose  --no-line-number --no-filename | sort | uniq
import compose from 'recompose/compose'
import defaultProps from 'recompose/defaultProps'
import pure from 'recompose/pure'
import setDisplayName from 'recompose/setDisplayName'
import setPropTypes from 'recompose/setPropTypes'
import withProps from 'recompose/withProps'
import withPropsOnChange from 'recompose/withPropsOnChange'
import withState from 'recompose/withState'
import withStateHandlers from 'recompose/withStateHandlers'
import { compose } from 'recompose'

which are within these files:

bar/package.json
bar/src/Bar.js
bar/src/BarCanvas.js
bar/src/BarItem.js
bar/src/enhance.js
circle-packing/package.json
circle-packing/src/enhance.js
core/package.json
core/src/hocs/withCurve.js
core/src/hocs/withDimensions.js
core/src/hocs/withHierarchy.js
core/src/hocs/withMotion.js
core/src/hocs/withTheme.js
voronoi/package.json
voronoi/src/enhance.js
waffle/package.json
waffle/src/Waffle.js
waffle/src/WaffleCanvas.js
waffle/src/WaffleCell.js
waffle/src/WaffleCellHtml.js
waffle/src/WaffleHtml.js
waffle/src/enhance.js

I've looked into all of these functions, and they all seem to be using vanilla JS to do their things (i.e. so you wouldn't need to install external dependencies).

If you'd be happy to ship this as a short-term way to move off recompose, I'd be happy to put in the work doing the inlining; even just beginning by doing the inlining in one package.

I'd love to help out with the typescript migration as well, but sadly I've got a lot on my plate right now so don't want to make promises I can't keep - I can easily make time for doing this inlining work as it directly impacts my ability to use this package both personally and for work since it would result in removing security vulnerabilities and let us use nivo in the first place (since npm@7 won't let us depend on it due to peer dependency conflicts caused by recompose aka #1450).
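Added example (not nivo's or recompose's own code) of what the proposed vendoring looks like: vanilla-JS equivalents of the `compose`, `setDisplayName`, `defaultProps` and `withProps` imports from the rg output above, wrapping `displayName` the way recompose does. It assumes the real vendored module would import `createElement` from `react`; the stand-in below is constructed so the file runs without React, and `withState`, `withPropsOnChange` and `pure` are left out because they need React's component state and memoization.

```javascript
// Vanilla-JS stand-ins for the recompose helpers nivo imports (added example).
// Stand-in for React.createElement (assumption: a vendored @nivo/recompose
// would import the real one); it only supports function components.
const createElement = (Component, props) => Component(props);

const getDisplayName = (Component) =>
  typeof Component === 'string' ? Component : Component.displayName || Component.name || 'Component';

// Names the wrapper the way recompose does, e.g. "withProps(Bar)".
const wrapDisplayName = (Component, hocName) => `${hocName}(${getDisplayName(Component)})`;

// compose(f, g)(x) === f(g(x)); compose() is the identity.
const compose = (...funcs) =>
  funcs.length === 0 ? (arg) => arg : funcs.reduce((a, b) => (...args) => a(b(...args)));

// setPropTypes is the same shape, assigning `propTypes` instead.
const setDisplayName = (displayName) => (BaseComponent) => {
  BaseComponent.displayName = displayName;
  return BaseComponent;
};

// Fills in a prop only when the owner left it undefined, matching how React
// applies `defaultProps`.
const defaultProps = (props) => (BaseComponent) => {
  const DefaultProps = (ownerProps) => {
    const merged = { ...ownerProps };
    for (const key of Object.keys(props)) {
      if (merged[key] === undefined) merged[key] = props[key];
    }
    return createElement(BaseComponent, merged);
  };
  DefaultProps.displayName = wrapDisplayName(BaseComponent, 'defaultProps');
  return DefaultProps;
};

// Accepts a mapper function or a plain object of props, like recompose.
const withProps = (input) => (BaseComponent) => {
  const mapper = typeof input === 'function' ? input : () => input;
  const WithProps = (ownerProps) =>
    createElement(BaseComponent, { ...ownerProps, ...mapper(ownerProps) });
  WithProps.displayName = wrapDisplayName(BaseComponent, 'withProps');
  return WithProps;
};
```

A package would then import these from the proposed `@nivo/recompose` instead of `recompose`, which is what drops isomorphic-fetch and node-fetch from the dependency tree.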

@wyze
Contributor

wyze commented Apr 25, 2021

Sure, that would be fine. You can skip the circle-packing and voronoi packages as they have typescript PRs that removed recompose that I will be getting into the next release.
