Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

Description

Overview:

react-hot-loader should be replaced because it is no longer maintained and has security issues.

Steps to Reproduce:

stripes-core uses react-hot-loader in https://github.com/folio-org/stripes-core/blob/v8.1.0/src/components/Root/index.js#L1

react-hot-loader hasn't been maintained since Jun 1, 2021. There are 116 open issues and 246 open pull requests as of March 22, 2022: https://github.com/gaearon/react-hot-loader

react-hot-loader has security vulnerabilities: https://nvd.nist.gov/vuln/detail/CVE-2020-7598 , https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Steps to Fix:

The react-hot-loader maintainers say: "Please remove React-Hot-Loader": https://github.com/gaearon/react-hot-loader#moving-towards-next-step

The react-hot-loader maintainers advise to replace it by React Hot Refresh: https://github.com/facebook/react/issues/16604

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked issues

relates to

STCOM-954

Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

UIOR-932

Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

STRIPES-725

Replace react-hot-loader

UIINREACH-160

Replace react-hot-loader - unmaintained, security (CVE-2021-44906)

Checklist

hide

TestRail: Results

Activity

Show:

Done

Details

Assignee

Zak Burke

Reporter

Julian Ladisch

Labels

securitysecurity-reviewed

Priority

Sprint

None

Development Team

Stripes Force

Fix versions

8.2.0

RCA Group

TBD

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created March 22, 2022 at 10:24 AM

Updated June 15, 2022 at 2:44 AM

Resolved April 5, 2022 at 11:05 PM

Configure

TestRail: Cases

TestRail: Runs