Vulnerability in `jsondiffpatch`

[kachkaev]

See GHSA-33vc-wfww-vjfv

jotai-devtools refers to 0.5.x:

jotai-devtools/package.json

Line 173 in ea6cac0

"jsondiffpatch": "^0.5.0",

It'd be great if jsondiffpatch was upgraded to 0.7.2+, even if the vulnerability is a false-positive. Otherwise, GitHub spams developers with security alerts which are based on the contents of the lockfile.

[arjunvegda]

Thanks a lot for reporting this! jsondiffpatch@>=0.5.0 is ESM only, it'll cause issues with our current setup where we support both CJS and ESM builds for jotai-devtools

I’ll look into adding an ESM compatible wrapper (or externalize the dependency) so we can keep CJS support for now (could also use a contribution here)

That said, this might be a good signal that it's time to consider phasing out CJS support in jotai-devtools 😟

[kachkaev]

Yeah jsondiffpatch is ESM only since 0.6.0. It was released in December 2023 which is almost two years ago. The transition from CJS to ESM has been going on for quite a while now and I believe that most bundlers already know how to handle ESM-only deps.

Dropping CJS could be worth a shot given the vulnerability and how far the community got with the ESM migration. If there is a strong pushback from the users, you can release another 0.x.0 that brings back CJS and works around jsondiffpatch one way or another.

An ESM-only jotai-devtools package can work as a litmus paper for jotai. If there is no pushback for a few months, this can mean that jotai can be also made ESM-only.

[jeannnemelanie]

+1 to fix jsondiffpatch vulnerability. It would be appreciated :)