Severity: Low
Summary
The eslint-plugin-react-hooks devDependency is pinned to a release candidate version (^5.1.0-rc.0). RC versions have not completed the full release QA cycle and receive less community scrutiny than stable releases.
Location
File: package.json, line 115
"eslint-plugin-react-hooks": "^5.1.0-rc.0",
Why Low Severity
- devDependency only — never bundled into the distributed @bsf/force-ui package. Consumers never download or execute this package.
- Official React team package — published under the same trust chain as stable releases from the React team.
- Linting tool only — performs static analysis during development; does not execute at runtime, process user input, or make network requests.
- The RC was likely the only available version supporting React 19 hooks patterns when the dependency was added.
Recommended Fix
Check if a stable release is now available and upgrade:
npm info eslint-plugin-react-hooks versions --json | tail -5
npm install --save-dev eslint-plugin-react-hooks@latest
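As an added check (example code, not part of this audit report or the @bsf/force-ui project), a small Node script that flags dependency ranges pointing at a prerelease tag and picks the newest stable release from a version list of the kind `npm info <pkg> versions --json` prints; the manifest and version list it runs on are constructed sample data, not the real package's history.

```javascript
// Added example: detect prerelease specs in a manifest and select the latest
// stable release from a version list. All inputs below are constructed samples.
const PRERELEASE = /^\d+\.\d+\.\d+-/;

// Strip range operators (^, ~, >=, <, =) so only the version core remains.
function stripRange(spec) {
  return spec.replace(/^[\^~>=<\s]+/, '');
}

// True when a dependency spec resolves to a prerelease tag, e.g. "^5.1.0-rc.0".
function isPrereleaseSpec(spec) {
  return PRERELEASE.test(stripRange(spec));
}

// Collect every dependency or devDependency whose spec points at a prerelease,
// so a CI step can fail the build or open a ticket for it.
function findPrereleaseDeps(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isPrereleaseSpec(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Compare two x.y.z strings numerically (prerelease suffixes already filtered out).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest version without a prerelease suffix, or null if only prereleases exist.
function latestStable(versions) {
  const stable = versions.filter((v) => !PRERELEASE.test(v));
  return stable.length ? stable.sort(cmpVersion)[stable.length - 1] : null;
}

// Constructed sample input mirroring the finding above (version list is made up).
const sampleManifest = {
  devDependencies: { 'eslint-plugin-react-hooks': '^5.1.0-rc.0', eslint: '^8.57.0' },
};
const sampleVersions = ['5.0.0', '5.1.0-rc.0', '5.1.0-rc.1', '5.1.0', '5.2.0-beta.1', '5.2.0'];

console.log(findPrereleaseDeps(sampleManifest));
console.log('latest stable:', latestStable(sampleVersions));
```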
Found by automated security audit — VULN-09