Hi, All. After earlier discussions on this list, I have been reviewing my own work using snyk.io. I have been able to address most of the concerns thus far, but there is a bit of a sticking point when it comes to "marked <https://github.com/chjj/marked/>", the library used in gpii-handlebars, in infusion-docs (via docpad-plugin-marked), and in upstream dependencies like express.
There are known security vulnerabilities in marked, which have already been addressed in a merged pull <https://github.com/chjj/marked/issues/863>. However, there seems to be a breakdown in governance <https://github.com/chjj/marked/issues/727> of the project, and no releases have been issued in over half a year. Previous vulnerabilities were addressed with a release <https://snyk.io/blog/marked-xss-vulnerability/> after 2-3 months; this time we're 3-4 months on with no release.

It seems like a good time to talk about replacing marked and/or integrating snyk's patching mechanisms into our affected projects. Although the latter adds complexity to our builds, it gives us a way to move forward while we wait for dependencies like express to catch up.

I am happy for this discussion to take place on list or in the architecture meetings, but if there is any time at all on Friday, this could be a good small breakout session for the F2F. I'd imagine Justin, myself, and others working with markdown might attend, and also people like Giovanni working to integrate snyk into our workflow.

If there is enough interest in replacing marked, I am happy to evaluate the alternatives and write up a technology evaluation <https://wiki.gpii.net/w/Technology_Evaluation> on the wiki. If we decide that snyk's patch tools are worth exploring, I am also happy to convert an affected project to use the patch tools and submit a PR for review.

Anyway, please comment.

Cheers,
Tony
_______________________________________________ Architecture mailing list [email protected] http://lists.gpii.net/mailman/listinfo/architecture
