Pablo-WMDE added a comment.

> **Vulnerable Packages**
> **Risk: {icon exclamation-triangle color=yellow} medium**
> [...]
> **Outdated Packages**

There recurringly are and recently were efforts to get those numbers down, maybe a recheck (e.g. after sha 5f1d7d106f47dbe7738efb788144d7f2fe391f39 <https://phabricator.wikimedia.org/rEWBA5f1d7d106f47dbe7738efb788144d7f2fe391f39>) is all it takes to find more acceptable counts (is 0 the success criterion?).

This is a moving target, however. At WMDE we are in the process of finding a structured workflow (for the products' and the developers' sake) which prevents those counts climbing again. A push on T228527: Support nested package.json files <https://phabricator.wikimedia.org/T228527> from people with an official security hat would be of great help to make this happen in (ever more popular) monorepos.

> As reported by `retirejs`:
> (**Risk: {icon exclamation-triangle color=yellow} medium**)
>
> /src/node_modules/tinycolor2/demo/jquery-1.9.1.js

I believe this is a false positive. TinyColor (which we depend on via @storybook/addon-knobs@5.3.19 > react-color@2.18.1 > tinycolor 1.4.1) does contain a copy of jquery 1.9.1 for its own demo <https://github.com/bgrins/TinyColor/tree/ab58ca0/demo> page, but it is not part of its package, and consequently not loaded in the bridge product.

Thanks for making sure we deliver quality work to our users!

TASK DETAIL
https://phabricator.wikimedia.org/T249039
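
One way to check a "flagged but not loaded" claim like the one in the comment above mechanically, as an added example (not code from the task, the bridge repository or retire.js): compare each flagged path with the list of modules the bundler actually emitted. The input shapes, the `example-lib` entry, the `some-loader` name and the bundle list are constructed assumptions.

```javascript
// Added example: input shapes and sample data below are constructed assumptions.

// Reduce a path to the part starting at the first "node_modules/", so the
// scanner's absolute path and the bundler's relative path compare equal.
function moduleKey(path) {
  // Bundler module names may carry loader prefixes ("loader!file") and
  // query strings ("file?query"); keep only the file itself.
  const file = path.split('!').pop().split('?')[0].replace(/\\/g, '/');
  const idx = file.indexOf('node_modules/');
  return idx === -1 ? file.replace(/^\.?\//, '') : file.slice(idx);
}

// Mark each finding "bundled" if the flagged file is among the modules the
// bundler emitted, otherwise "not-bundled".
function triage(findings, bundledModules) {
  const shipped = new Set(bundledModules.map(moduleKey));
  return findings.map((f) => ({
    ...f,
    status: shipped.has(moduleKey(f.file)) ? 'bundled' : 'not-bundled',
  }));
}

// Constructed sample: the first entry is the path quoted in the comment, the
// second ("example-lib") is hypothetical and added for contrast.
const FINDINGS = [
  { file: '/src/node_modules/tinycolor2/demo/jquery-1.9.1.js', component: 'jquery', version: '1.9.1' },
  { file: '/src/node_modules/example-lib/dist/example-lib.js', component: 'example-lib', version: '0.0.0' },
];

// Constructed list of module names as a bundler might report them
// ("some-loader" is a hypothetical loader name).
const BUNDLED = [
  './src/main.js',
  './node_modules/some-loader/index.js!./node_modules/example-lib/dist/example-lib.js?x=1',
];

for (const f of triage(FINDINGS, BUNDLED)) {
  console.log(`${f.status.padEnd(12)} ${f.component}@${f.version}  ${f.file}`);
}
```

A `not-bundled` result only says the bundler did not include the file; files copied into a served directory by other means need a separate check.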