Pablo-WMDE added a comment.
> **Vulnerable Packages**
> **Risk: {icon exclamation-triangle color=yellow} medium**
> [...]
> **Outdated Packages**
There have recurringly been, and recently were, efforts to get those numbers down;
maybe a recheck (e.g. after sha 5f1d7d106f47dbe7738efb788144d7f2fe391f39
<https://phabricator.wikimedia.org/rEWBA5f1d7d106f47dbe7738efb788144d7f2fe391f39>)
is all it takes to find more acceptable counts (is 0 the success criterion?).
This is a moving target, however. At WMDE we are in the process of finding a
structured workflow (for the products' and the developers' sake) which prevents
those counts from climbing again. A push on T228527: Support nested package.json
files <https://phabricator.wikimedia.org/T228527> from people with an official
security hat would be of great help to make this happen in (ever more popular)
monorepos.
> As reported by `retirejs`:
> (**Risk: {icon exclamation-triangle color=yellow} medium**)
>
> /src/node_modules/tinycolor2/demo/jquery-1.9.1.js
I believe this is a false positive. TinyColor (which we depend on via
@storybook/[email protected] > [email protected] > tinycolor 1.4.1) does
contain a copy of jquery 1.9.1 for its own demo
<https://github.com/bgrins/TinyColor/tree/ab58ca0/demo> page, but it is not
part of its package, and consequently not loaded in the bridge product.
Thanks for making sure we deliver quality work to our users!
TASK DETAIL
https://phabricator.wikimedia.org/T249039
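The triage argument above (a vulnerable file shipped inside a dependency is only a finding if the product actually loads it) can be checked mechanically by walking require/import edges from the package's declared entry point and asking whether the flagged file is reachable. The script below is an added example, not code from the task, from retire.js or from TinyColor; the in-memory package tree is constructed to mirror the layout described in the comment (a library file plus a demo directory that pulls in its own jQuery copy), and the file contents are placeholders, not the real package files.

```python
"""Triage a retire.js hit: is the flagged file reachable from the package entry?

Added example (not the task's or TinyColor's code).  The tree below is a
constructed stand-in for node_modules/tinycolor2; contents are placeholders.
"""
import json
import posixpath
import re

# Constructed, hypothetical package layout: library entry + a demo directory
# that requires its own vendored jQuery.  Nothing in the library requires demo/.
PACKAGE_FILES = {
    "node_modules/tinycolor2/package.json": json.dumps(
        {"name": "tinycolor2", "main": "tinycolor.js"}),
    "node_modules/tinycolor2/tinycolor.js":
        "module.exports = function tinycolor() {};\n",
    "node_modules/tinycolor2/demo/demo.js":
        "var $ = require('./jquery-1.9.1.js');\n"
        "var tinycolor = require('../tinycolor.js');\n",
    "node_modules/tinycolor2/demo/jquery-1.9.1.js":
        "/* placeholder standing in for jQuery 1.9.1 */\n",
}

# CommonJS require('...') and ES `from '...'` specifiers.
REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
IMPORT_RE = re.compile(r"""\bfrom\s+['"]([^'"]+)['"]""")


def resolve(base_dir, spec, files):
    """Resolve a relative specifier against the in-memory tree.

    Only relative specifiers ('./x', '../x') are followed; bare package names
    would need full node resolution and are out of scope here."""
    if not spec.startswith("."):
        return None
    target = posixpath.normpath(posixpath.join(base_dir, spec))
    for candidate in (target, target + ".js",
                      posixpath.join(target, "index.js")):
        if candidate in files:
            return candidate
    return None


def reachable_from(entry, files):
    """Depth-first walk of the static require/import graph from `entry`."""
    seen = set()
    stack = [entry]
    while stack:
        path = stack.pop()
        if path is None or path in seen:
            continue
        seen.add(path)
        src = files[path]
        for spec in REQUIRE_RE.findall(src) + IMPORT_RE.findall(src):
            stack.append(resolve(posixpath.dirname(path), spec, files))
    return seen


def package_entry(package_dir, files):
    """Entry file from package.json 'main' (default index.js)."""
    pkg = json.loads(files[posixpath.join(package_dir, "package.json")])
    return resolve(package_dir, "./" + pkg.get("main", "index.js"), files)


def triage(flagged_path, package_dir, files):
    """Return (verdict, reachable_files) for a scanner-flagged path."""
    reached = reachable_from(package_entry(package_dir, files), files)
    verdict = ("reachable from entry point" if flagged_path in reached
               else "not reachable from entry point")
    return verdict, sorted(reached)


if __name__ == "__main__":
    flagged = "node_modules/tinycolor2/demo/jquery-1.9.1.js"
    verdict, reached = triage(flagged, "node_modules/tinycolor2", PACKAGE_FILES)
    print(flagged, "->", verdict)
    print("files loaded via the entry point:", reached)
```

This only follows static, relative specifiers, so dynamic `require(variable)`, bundler aliases and files pulled in by other means are not seen; for a final answer, inspect the built bundle itself. Separately, `npm pack --dry-run` lists what a published tarball ships, which is the question of whether the demo directory is part of the package at all, distinct from whether the product loads it.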
_______________________________________________
Wikidata-bugs mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs