Hi, Gregg.

We've already removed our major dependencies on this, and there are no
plans to use it directly again.  This is mainly good news in that it
(eventually) will reduce the vulnerabilities we inherit from other
libraries.

Cheers,


Tony

On 8 December 2017 at 15:20, Gregg Vanderheiden GPII <
[email protected]> wrote:

> If it fell into disrepair once — is there a chance that if we become
> dependent on it - that it will fall into disrepair again?
>
> I want to be sure that, while we have the resources, we do what we can
> to make it easy to maintain security after the end of the grant.
>
> Having stated that priority I defer to you all and Brendan on this.
>
> best
>
> Gregg
>
>
> On Dec 8, 2017, at 4:41 AM, Tony Atkins <[email protected]> wrote:
>
> Hi, All.
>
> As you may remember, packages like gpii-handlebars and infusion-docs were
> recently updated so that they no longer directly depend on "marked", which
> had multiple long-unaddressed security vulnerabilities.
>
> Recently, a new key contributor has stepped up to try and revive the
> "marked" project <https://github.com/chjj/marked/issues/956>.  In less
> than a week, the long-stalled 0.3.7 release that includes fixes for the
> previous holes was released.  Unfortunately, there's still a newly
> discovered vulnerability that will apparently be fixed in the upcoming
> version 0.3.9 <https://github.com/chjj/marked/pull/958>.  I am following
> that pull, and will report back when there's an actual fix.
>
> I have reviewed our holdings on snyk.io, it doesn't seem that we have
> marked as a non-dev dependency at the moment, but I thought I'd mention it
> for people whose work might not have made it up there yet.
>
> Cheers,
>
>
> Tony
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://lists.gpii.net/mailman/listinfo/architecture
>
>
>