Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

Description

Overview:

react-hot-loader should be replaced because it is no longer maintained and has security issues.

Steps to Reproduce:

stripes-components uses react-hot-loader in https://github.com/folio-org/stripes-components/blob/v10.1.0/util/childrenOf.js#L10

react-hot-loader hasn't been maintained since Jun 1, 2021. There are 116 open issues and 246 open pull requests as of March 22, 2022: https://github.com/gaearon/react-hot-loader

react-hot-loader has security vulnerabilities: https://nvd.nist.gov/vuln/detail/CVE-2020-7598 , https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Steps to Fix:

The react-hot-loader maintainers say: "Please remove React-Hot-Loader": https://github.com/gaearon/react-hot-loader#moving-towards-next-step

The react-hot-loader maintainers advise to replace it by React Hot Refresh: https://github.com/facebook/react/issues/16604

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked issues

relates to

UIOR-932

Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

STRIPES-725

Replace react-hot-loader

STCOR-597

Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

UIINREACH-160

Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

Checklist

hide

TestRail: Results

Activity

Show:

Done

Details

Assignee

John Coburn

Reporter

Julian Ladisch

Labels

securitysecurity-reviewedstriptech-debt

Priority

Sprint

None

Development Team

Stripes Force

Fix versions

10.2.0

RCA Group

TBD

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created March 22, 2022 at 10:20 AM

Updated June 14, 2022 at 7:40 PM

Resolved April 5, 2022 at 4:06 PM

Configure

TestRail: Cases

TestRail: Runs