Hacker News new | ask | show | jobs
by dane-pgp 2143 days ago
> the biggest challenge in the JavaScript community was how fast everything moved

If you don't like things moving too fast, then React does seem to be the ideal ecosystem:

https://github.com/facebook/create-react-app/issues/9033#iss...

TL;DR A vulnerability was discovered in a transitive dependency of "create-react-app" and announced back in March, but the one line patch to update the hard-coded reference to the vulnerable version is being held back for a future major version upgrade of the "create-react-app" package. 5 months on and the issue is marked as Closed but the new version hasn't been released.
1 comments
danabramov 2142 days ago
To be clear, the vulnerability has no actual effect on CRA apps. The description says it’s for a DDOS attack which is completely irrelevant because CRA doesn’t use WDS for production environments. (It doesn’t even have a production web server.)

While I agree that ideally a release should be cut to satisfy people affected by enterprise requirements, we are looking at a case of an overzealous audit checker, not an actual vulnerability that affects your apps.

(Edit: I've cut a release though; see my response in https://github.com/facebook/create-react-app/issues/9033#iss...)

link
dane-pgp 2142 days ago
Thank you for your professionalism and humility. I too would like to apologise for not giving the full context and incorrectly suggesting that the vulnerability might actually affect apps created by CRA.

I think that the real concern was not the non-existent security implications (although it's a bad habit to ignore even an overzealous audit checker), but that the release process for CRA seemed to make it very hard to cut new patch releases. Your comment suggests that it wasn't so hard after all, for which I am relieved and grateful, but the policy of expecting people to wait for (and deal with the backwards incompatibility of) major version updates[0] doesn't feel like an industry best practice.

[0] https://github.com/facebook/create-react-app/issues/9033#iss...

link
danabramov 2142 days ago
I think there are definitely things that could be improved in the release process there. The project is mostly run by volunteer contributors as there are limited things we can focus on, and currently we're very focused on React itself. If someone were to volunteer to streamline the release process and improve it, I'm sure the maintainers would have been appreciative.
link