Done

On 13/04/2026 at 17:10, Jacques Le Roux via dev wrote:
Hi Jacopo,

Right, I missed that it was not yet released through npm.

Anyway it does not pass Dependabot check because of the node version used.
I was filling a comment about that on https://issues.apache.org/jira/browse/OFBIZ-13339
just after the commit, but did not finish. I'll finish it now and revert myself.

So now it's mandatory to either put patches in Jira or create PRs from a fork?

Jacques

On 13/04/2026 at 15:47, Jacopo Cappellato wrote:
Hi Jacques,

I don't understand what you are doing. The latest npm release of
*jsgantt-improved* is from three years ago and definitely does not include
a fix created yesterday.

Also, could you please work in feature branches on your fork and submit
pull requests from there? By pushing directly to the main repository, you
prevent proper review of your changes. Committing and then reverting is
also not a good practice.

Since we are currently preparing a release, I don’t think we should take
these risks [*]. I'd revert these changes.

Best regards,
Jacopo

[*] From Jacques' commit message:

"But I'm still unsure because the security issues were reported to us by
Dependabot and not npm. And before npm did not alert us, maybe because it only
verifies packages in framework and application (not sure about that, I'll dig it)

Note also that npm and Dependabot are both GH's creations

We will see if Dependabot does not report security issues, else a revert of this
commit will be necessary again.

If it's OK a backport to 24.09 will be done."
