Malicious package in @atlassianlabs/jql-editor-connect

Hi everyone,

We are using @atlassianlabs/jql-editor-connect as a JQL form field in our connect apps. We use Snyk to identify vulnerabilities in our dependencies. Snyk has reported a critical vulnerability that exists in react-intl-next.

I checked the package in the npm registry and I saw that 1.1.0 is the last package that was published, a year ago. The links are dead as well. I presume that this package is not being developed now.

I also checked if there is any update for the react-intl-next package and it doesn’t even exist anymore.

So, I checked for alternatives for the JQL editor and I couldn’t find any. There is one in atlaskit named @atlaskit/jql-editor but it’s for internal usage.

Before replacing our package with it, I’d like to ask whether there is any fix or remediation for this vulnerability.

CC: @J-D @dkolbly @SoneyMathew Sorry for mentioning you guys directly but thought this could speed things up.

Best regards,
Furkan

Long story short: this is a false positive.

react-intl-next is actually overridden, either by a “resolutions” entry or by setting the version to npm:react-intl@^5.18.1, in all the Atlassian packages that have a dependency on it. The problem is that Snyk does not pick up on this as it only scans the actual dependencies and not the resolutions.

It would be better if Atlassian just updates the packages to use react-intl directly instead of redirecting it, but it seems that Atlassian has no incentive to do so.

There are other threads on this forum that mention this:


Wow! That was fast :heart:

Out of curiosity, I checked the yarn.lock and I saw npm’s redirection:

react-intl-next: "npm:react-intl@^5.18.1"

Huge thanks @remie !

Furkan,
