Remove stringjs dependency due to vulnerability in string 3.3. It is …

[smarusa]

Remove stringjs dependency due to vulnerability in string 3.3. It is used so little there is no need for the extra dependency in Swagger-tools.

Source: CERT Name: https://nodesecurity.io/advisories/536 Url: https://nodesecurity.io/advisories/536 Source: CERT Name: https://github.com/jprichardson/string.js/issues/212 Url: https://github.com/jprichardson/string.js/issues/212

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If your company signed a CLA, they designated a Point of Contact who decides which employees are authorized to participate. You may need to contact the Point of Contact for your company and ask to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the project maintainer to go/cla#troubleshoot.
• In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.

[smarusa]

comment

[googlebot]

CLAs look good, thanks!

[elankeeran]

@whitlockjc latest version 0.10.3 still has "string":"^3.3.0" as its dependencies but GitHub repo package.json doesn't have this dependency could you please check your npmjs.org published tar file

[whitlockjc]

I haven't published after this PR.

[daka1510]

@whitlockjc - any outlook when 0.10.4 will be released that contains this update?

[whitlockjc]

I'll get something out soon, sorry for the delay (holidays).

[daka1510]

@whitlockjc - any updates on how soon is soon :)?

[bfarrell]

Very interested in this as well. Any idea on dates?

[AaronHarris]

Any update on when this PR will be included in a cut version? Thousands of clients are still potentially vulnerable without this change. This has been open for 4 months.

[whitlockjc]

I don't see why we can't try to get a release out.

[daka1510]

@whitlockjc anything missing to release v0.10.4 that we can help with?

[whitlockjc]

I've not really planned on it but I can push it since people seem to want it now.

[miacobv]

Do we know when v0.10.4 will come out?

[tataille]

Hello, Any date for 0.10.4?

Thanks

[marr]

ping

[AaronHarris]

Is this project dead? Leaving a known, patched security flaw without so much as a patch version release in a project that sees 66,000 weekly downloads is pretty irresponsible. It's completely understandable if you don't have the time to dedicate to this project, and I'm sure if you ask the community would be happy to lend a hand.

Thanks for your work on this project over the years.

On Mon, May 7, 2018 at 10:56 AM, David Marr notifications@github.com wrote:

ping

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/apigee-127/swagger-tools/pull/542#issuecomment-387149145, or mute the thread https://github.com/notifications/unsubscribe-auth/ABgJRP5LdhBvWlieCHreF-_ncyCelyY3ks5twIrXgaJpZM4P87OK .