
Bug: An imposter library @actuallyworks/node-fetch was added as a dependency #25605

Closed
CreativeTechGuy opened this issue Nov 1, 2022 · 4 comments
Labels
Status: Unconfirmed A potential issue that we haven't yet confirmed as a bug

@CreativeTechGuy

In a recent PR #25516 a new dependency was added: @actuallyworks/node-fetch. This raised red flags for me. In investigating the library, here are the reasons to be alarmed:

  • There is only one version which was published just a few weeks before it was added to React.
  • The NPM README, repository links, etc all point to the real node-fetch repo.
  • This is an old version of node-fetch which was reuploaded recently.
  • There is no explanation as to why an old version of a popular library was uploaded by an unknown author with no noticeable changes.
  • The publisher on NPM hasn't been very active, nor do they have any history of trust. About the same time that @actuallyworks/node-fetch was published (imitating node-fetch), they also published @actuallyworks/p-map (imitating p-map) and @actuallyworks/chalk (imitating chalk). All of these libraries were published at the same time and follow the same pattern of copying a very popular library and uploading an old (seemingly unchanged) version.

I wasn't able to find any obviously malicious code in @actuallyworks/node-fetch at the time of writing this, but there doesn't seem to be any good reason to use this library over the actual node-fetch. The main concern is that at some point in the future, the author of this imposter package can release a new version which does add something malicious, and the React contributors would be affected, and possibly even the React users if the attack was able to get new code into the bundle.

React version: Unreleased. Link to commit

Steps To Reproduce

N/A

The current behavior

React depends on a package @actuallyworks/node-fetch which is a reupload of an old version of the real node-fetch.

The expected behavior

React would only depend on trusted packages to avoid future NPM supply chain attacks.
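As an added example (not code from this issue, from React, or from npm), the red flags listed in the report can be turned into checks over registry metadata. The objects below mirror the shape of an npm registry packument (name, dist-tags, versions, time, repository), but every value is constructed: the scope `@example-scope`, the repository URLs, the dates and the adoption date are all assumptions, not data about the real packages.

```javascript
// Added example: heuristics for a look-alike republish of an existing package,
// run over constructed registry metadata shaped like an npm packument.

const DAY_MS = 24 * 60 * 60 * 1000;

// Build a constructed packument: { name, dist-tags, versions, time, repository }.
function packument(name, repo, created, versions, latest) {
  const time = { created };
  const vers = {};
  for (const [v, date] of Object.entries(versions)) {
    vers[v] = {};
    time[v] = date;
  }
  return { name, "dist-tags": { latest }, versions: vers, time, repository: { url: repo } };
}

// Constructed sample: three popular packages and a scope that republished one
// old version of each within two days, leaving repository metadata pointing
// at the upstream repos. Names, URLs and dates are assumptions.
const SAMPLE_REGISTRY = Object.fromEntries([
  packument("node-fetch", "git+https://github.com/example-org/node-fetch.git",
    "2016-01-01T00:00:00Z", { "2.6.0": "2020-05-01T00:00:00Z", "3.0.0": "2021-08-01T00:00:00Z" }, "3.0.0"),
  packument("p-map", "git+https://github.com/example-org/p-map.git",
    "2016-03-01T00:00:00Z", { "4.0.0": "2020-01-01T00:00:00Z", "5.0.0": "2021-05-01T00:00:00Z" }, "5.0.0"),
  packument("chalk", "git+https://github.com/example-org/chalk.git",
    "2013-08-01T00:00:00Z", { "4.1.2": "2021-07-01T00:00:00Z", "5.0.0": "2021-11-01T00:00:00Z" }, "5.0.0"),
  packument("@example-scope/node-fetch", "git+https://github.com/example-org/node-fetch.git",
    "2022-09-20T00:00:00Z", { "2.6.0": "2022-09-20T00:00:00Z" }, "2.6.0"),
  packument("@example-scope/p-map", "git+https://github.com/example-org/p-map.git",
    "2022-09-21T00:00:00Z", { "4.0.0": "2022-09-21T00:00:00Z" }, "4.0.0"),
  packument("@example-scope/chalk", "git+https://github.com/example-org/chalk.git",
    "2022-09-21T00:00:00Z", { "4.1.2": "2022-09-21T00:00:00Z" }, "4.1.2"),
].map(p => [p.name, p]));

// "@scope/foo" -> "foo"; unscoped names are returned unchanged.
function unscopedName(name) {
  return name.startsWith("@") ? name.split("/")[1] : name;
}

// "org/repo" slug parsed from repository.url, or null when absent/unparseable.
function repoSlug(pkg) {
  const url = pkg.repository && pkg.repository.url;
  if (!url) return null;
  const m = url.match(/github\.com[/:]([^/]+\/[^/.]+)/);
  return m ? m[1] : null;
}

// Per-package checks: only one version ever published, created shortly before
// it was adopted, repository metadata pointing at another package's repo, and
// every published version being an old (non-latest) release of that package.
function auditPackage(registry, name, adoptedAt, recentDays = 60) {
  const pkg = registry[name];
  const findings = [];
  const versions = Object.keys(pkg.versions);
  if (versions.length === 1) findings.push("single-version");

  const firstPublish = new Date(pkg.time.created).getTime();
  if (adoptedAt.getTime() - firstPublish < recentDays * DAY_MS) findings.push("recently-created");

  const upstream = registry[unscopedName(name)];
  if (upstream && upstream !== pkg) {
    if (repoSlug(upstream) && repoSlug(upstream) === repoSlug(pkg)) {
      findings.push("repo-points-to-other-package");
    }
    const reused = versions.filter(v => upstream.versions[v] && upstream["dist-tags"].latest !== v);
    if (reused.length === versions.length) findings.push("republished-old-upstream-version");
  }
  return findings;
}

// Scope-level pattern: several packages under one scope, each named after a
// different existing package, all created within `windowDays` of each other.
function auditScope(registry, scope, windowDays = 7) {
  const members = Object.values(registry).filter(p => p.name.startsWith(scope + "/"));
  const lookalikes = members.filter(p => registry[unscopedName(p.name)]);
  const created = members.map(p => new Date(p.time.created).getTime());
  const spread = created.length ? Math.max(...created) - Math.min(...created) : 0;
  return {
    packages: members.length,
    lookalikes: lookalikes.length,
    publishedTogether: members.length > 1 && spread <= windowDays * DAY_MS,
  };
}

// Stand-alone run against the constructed data.
const adopted = new Date("2022-10-15T00:00:00Z"); // constructed adoption date
console.log(auditPackage(SAMPLE_REGISTRY, "@example-scope/node-fetch", adopted));
console.log(auditScope(SAMPLE_REGISTRY, "@example-scope"));
```

Against real metadata the same functions would be fed the packument returned by the public registry endpoint `https://registry.npmjs.org/<name>`. None of these findings proves malice on its own, which matches the report's own position that no malicious code was found; they are triage signals that justify asking why the fork exists before accepting it.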

eps1lon (Collaborator) commented Nov 1, 2022

> In a recent PR #25516 a new dependency was added @actuallyworks/node-fetch.

This package was added to the workspace root and is only installed if you're working on React, not if you're installing any package published from facebook/react.

The @actuallyworks packages are just packages re-published with the last version that worked with CommonJS modules: https://twitter.com/floydophone/status/1573725722480459777

"imitating" has a pretty negative connotation when all they did was fork the package, which is a perfectly legitimate action.

eps1lon closed this as not planned Nov 1, 2022

@CreativeTechGuy (Author)

> This package was added to the workspace root and is only installed if you're working on React not if you're installing any package published from facebook/react.

Yes, but if the package ever becomes malicious it can not only affect the React core team (which is bad on its own) but also make its way into the React bundle.

> The @actuallyworks packages are just packages re-published with the last version that worked with CommonJS modules:

Why not just pin to an older version of node-fetch then? NPM has every old version still available for this reason, and you can install a specific version. That would solve the problem. No need to use a fork.

> "imitating" has a pretty negative connotation when all they did is forking the package which is a perfectly legitimate action.

Yes, and that is why I used it. The author didn't do any of the proper things for a fork. They didn't update anything about the package metadata (repo link, readme, etc.). A legitimate, well-intentioned fork would clearly identify itself as such, with reasons as to why it was forked.

eps1lon (Collaborator) commented Nov 1, 2022

> but also make its way into the React bundle.

Only if it is declared in the actual package.json files that are published.

@CreativeTechGuy (Author)

Okay. But why not just pin node-fetch@2.6.0?
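As an added example, not code from this thread or from React's own tooling, the two remaining points of the exchange can be checked mechanically: a dependency declared only in a workspace root installs for people working in the repository and reaches consumers only if a published package.json also declares it, and an exact version such as node-fetch@2.6.0 is the pin that avoids a fork. The manifests, package names and version specs below are constructed.

```javascript
// Added example: classify a monorepo root's dependencies by whether any
// published workspace manifest also declares them, and whether each spec is
// an exact pin. All manifests and names are constructed.

// Constructed workspace-root manifest (private, never published).
const ROOT_PACKAGE_JSON = {
  name: "monorepo-root",
  private: true,
  workspaces: ["packages/*"],
  devDependencies: {
    "@example-scope/node-fetch": "^2.6.0", // constructed look-alike fork, ranged
    "node-fetch": "2.6.0",                 // constructed: exact pin of the upstream package
    "jest": "^29.0.0",
    "some-util": "1.2.3",
  },
};

// Constructed manifests of the workspace packages that do get published.
const PUBLISHED_MANIFESTS = [
  { name: "lib-a", dependencies: { "some-util": "^1.0.0" }, devDependencies: { jest: "^29.0.0" } },
  { name: "lib-b", dependencies: { "loose-envify": "^1.1.0" } },
];

// Exact pin: a bare semver version with no range operator or x-range.
// Pre-release and build suffixes are allowed ("2.6.0-beta.1", "1.0.0+sha").
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(spec);
}

// Dependency sections that install on a consumer's machine. devDependencies of
// a published package do not, so they are deliberately excluded.
function consumerFacingDeps(manifest) {
  return {
    ...(manifest.dependencies || {}),
    ...(manifest.peerDependencies || {}),
    ...(manifest.optionalDependencies || {}),
  };
}

// For every dependency of the root manifest, report who it reaches, which
// published packages declare it, and whether the root spec is an exact pin.
function classifyRootDependencies(root, published) {
  const rootDeps = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const report = {};
  for (const [name, spec] of Object.entries(rootDeps)) {
    const declaredBy = published
      .filter(m => Object.prototype.hasOwnProperty.call(consumerFacingDeps(m), name))
      .map(m => m.name);
    report[name] = {
      reach: declaredBy.length ? "consumers" : "maintainers-only",
      declaredBy,
      exactPin: isExactPin(spec),
    };
  }
  return report;
}

// Stand-alone run against the constructed manifests.
console.log(classifyRootDependencies(ROOT_PACKAGE_JSON, PUBLISHED_MANIFESTS));
```

In the constructed data the look-alike package is "maintainers-only", which is the collaborator's point, while `some-util` also appears in a published manifest and so reaches consumers; the report's own suggestion shows up as the `node-fetch` entry, which is an exact pin rather than a range.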
