If it fell into disrepair once — is there a chance that if we become dependent on it - that it will fall into disrepair again?
I want to be sure that, while we have the resources, we do what we can to make it easy to maintain security after the end of the grant. Having stated that priority I defer to you all and Brendan on this.

best
Gregg

> On Dec 8, 2017, at 4:41 AM, Tony Atkins <[email protected]> wrote:
>
> Hi, All.
>
> As you may remember, packages like gpii-handlebars and infusion-docs were
> recently updated so that they no longer directly depend on "marked", which
> had multiple long-unaddressed security vulnerabilities.
>
> Recently, a new key contributor has stepped up to try and revive the "marked"
> project <https://github.com/chjj/marked/issues/956>. In less than a week,
> the long-stalled 0.3.7 release that includes fixes for the previous holes was
> released. Unfortunately, there's still a newly discovered vulnerability that
> will apparently be fixed in the upcoming version 0.3.9
> <https://github.com/chjj/marked/pull/958>. I am following that pull, and
> will report back when there's an actual fix.
>
> I have reviewed our holdings on snyk.io <http://snyk.io/>; it doesn't seem
> that we have marked as a non-dev dependency at the moment, but I thought I'd
> mention it for people whose work might not have made it up there yet.
>
> Cheers,
>
>
> Tony
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://lists.gpii.net/mailman/listinfo/architecture
