archesproject / arches

Arches is a web platform for creating, managing, & visualizing geospatial data. Arches was inspired by the needs of the Cultural Heritage community, particularly the widespread need of organizations to build & manage cultural heritage inventories
GNU Affero General Public License v3.0

Select-woo has moderate security vulnerabilities #10981

Open chrabyrd opened 1 month ago

chrabyrd commented 1 month ago

When running npm audit, the following message is output:

select2  <4.0.6
Severity: moderate
Improper Neutralization of Input During Web Page Generation in Select2 - https://github.com/advisories/GHSA-rf66-hmqf-q3fc
No fix available
node_modules/select-woo
  arches  
  Depends on vulnerable versions of select2
  node_modules/arches

2 moderate severity vulnerabilities

It looks like select-woo has not been updated in several years, and does not have plans to be updated. We should consider possible alternatives. I'm assuming we will not use this library with Vue components.

petgan commented 1 month ago

Select-woo / select2 are also a technical burden looking long term. I was experimenting with upgrading yarn to yarn modern (yarn 2). select-woo causes the build to fail and I was not able to fix the issue! It's better to look for more modern and supported solutions. I know the main reason for using select-woo is accessibility, but it should be addressed with other supported solutions and, if needed, by doing PRs to improve those solutions.

chrabyrd commented 1 month ago

👋 @petgan !

I agree completely. For what it's worth, select2/selectWoo are being used to maintain legacy code, and once the cutover to Vue is complete they will be deprecated and removed from the application; there is no new Arches-core code being written that uses those libraries.

Also, when version 7.6.0 is released, Arches will move from yarn v1 to npm. npm was selected over Yarn v2 largely for the reason you encountered: modern Yarn automatically runs build scripts when linked to GitHub dependencies.

If you're able to find a replacement for selectWoo that can be integrated with minimal effort, please let us know -- I'd love to replace the library with a more modernized package.

chiatt commented 1 month ago

It seems like given what you've documented here @chrabyrd, we can close this issue?

chrabyrd commented 1 month ago

@chiatt I'm unsure if we should close it or just move it to icebox. It still shows a security vulnerability whenever npm install is run, and still shows as the cause of the issue when npm audit is run. As long as there's documentation that we're aware of this issue and have explored alternatives (which this ticket serves as), I'm good either way.
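The comment above settles on "we know about it, it is documented" as the disposition. One way to make that acceptance machine-checked rather than tribal knowledge is a small audit gate that runs over `npm audit --json`, fails on any advisory at or above a chosen severity, tolerates advisories listed in an allowlist with a written reason, and reports allowlist entries that no longer match anything (so the entry is pruned once select-woo is removed). The script below is an added example written for this note; it is not part of Arches or the npm tooling. It assumes the `auditReportVersion: 2` JSON layout that npm 7 and later emit (`vulnerabilities` keyed by package, `via` entries that are either advisory objects or names of other vulnerable packages); the embedded report is constructed to mirror the audit output quoted in the issue and uses only the advisory URL and version range shown there.

```python
"""Gate `npm audit --json` on an allowlist of acknowledged advisories."""
import json
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2, npm >= 7).
# The field layout is an assumption about npm's format; the advisory URL, severity and
# version range are the ones quoted in the issue. "source" is a placeholder, not a real id.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "select2": {
            "name": "select2", "severity": "moderate", "isDirect": False,
            "via": [{
                "source": 0,
                "name": "select2", "dependency": "select2",
                "title": "Improper Neutralization of Input During Web Page Generation in Select2",
                "url": "https://github.com/advisories/GHSA-rf66-hmqf-q3fc",
                "severity": "moderate", "range": "<4.0.6",
            }],
            "effects": ["select-woo"], "range": "<4.0.6",
            "nodes": ["node_modules/select2"], "fixAvailable": False,
        },
        "select-woo": {
            "name": "select-woo", "severity": "moderate", "isDirect": True,
            "via": ["select2"],          # string entry: inherited from select2, not its own advisory
            "effects": [], "range": "*",
            "nodes": ["node_modules/select-woo"], "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"moderate": 2, "total": 2}},
})

# Advisories the project has knowingly accepted. The value is the written justification;
# the issue thread is the record that backs it.
ACCEPTED_ADVISORIES: Dict[str, str] = {
    "GHSA-rf66-hmqf-q3fc": "select-woo pins select2 <4.0.6; no upstream fix; library slated for removal (#10981)",
}

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
GHSA_RE = re.compile(r"(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})")


def extract_advisories(report: dict) -> List[dict]:
    """Flatten the report into one record per (package, advisory).

    Only dict entries in "via" are advisories; string entries name another vulnerable
    package the problem flows through and are skipped, because that package carries the
    advisory itself. "effects" records which dependents are affected (the path back to
    the direct dependency, select-woo here).
    """
    found = []
    for pkg, vuln in report.get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if not isinstance(via, dict):
                continue
            match = GHSA_RE.search(via.get("url", ""))
            found.append({
                "package": pkg,
                "ghsa": match.group(1) if match else None,
                "severity": via.get("severity", vuln.get("severity", "info")),
                "range": via.get("range"),
                "fix_available": bool(vuln.get("fixAvailable")),
                "affects": list(vuln.get("effects", [])),
            })
    return found


def evaluate_audit(report_json: str, accepted: Dict[str, str],
                   fail_at: str = "moderate") -> Tuple[bool, List[dict], List[dict]]:
    """Return (passed, blocking, accepted_seen).

    An advisory blocks when its severity is at or above `fail_at` and its GHSA id is not
    in `accepted`. Accepted advisories are returned separately so the gate can print them
    with their justification instead of silently swallowing them.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, accepted_seen = [], []
    for adv in extract_advisories(json.loads(report_json)):
        if adv["ghsa"] in accepted:
            accepted_seen.append(adv)
        elif SEVERITY_RANK.get(adv["severity"], 0) >= threshold:
            blocking.append(adv)
    return (not blocking, blocking, accepted_seen)


def stale_acceptances(report_json: str, accepted: Dict[str, str]) -> List[str]:
    """Allowlist ids no longer present in the report; these should be removed so the
    allowlist does not outlive the dependency it was written for."""
    present = {adv["ghsa"] for adv in extract_advisories(json.loads(report_json))}
    return sorted(ghsa for ghsa in accepted if ghsa not in present)


if __name__ == "__main__":
    # Usage: npm audit --json | python audit_gate.py   (falls back to the embedded sample)
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    passed, blocking, seen = evaluate_audit(raw, ACCEPTED_ADVISORIES)
    for adv in seen:
        print(f"accepted  {adv['ghsa']} via {adv['package']} -> {ACCEPTED_ADVISORIES[adv['ghsa']]}")
    for adv in blocking:
        print(f"BLOCKING  {adv['ghsa']} {adv['severity']} in {adv['package']} affects {adv['affects']}")
    for ghsa in stale_acceptances(raw, ACCEPTED_ADVISORIES):
        print(f"stale     {ghsa} is accepted but no longer reported; remove it from the allowlist")
    sys.exit(0 if passed else 1)
```

Run it in CI as `npm audit --json | python audit_gate.py` after `npm ci`; the exit code fails the job on any new moderate-or-worse advisory while the select2 finding stays visible in the log with its reason attached, and the stale check nags once the selectWoo dependency is gone.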

petgan commented 1 month ago

Hi @chrabyrd. It has been some time since I have developed frontend, so I cannot say from experience what a good choice is, but I have done some digging, and taking into account that Arches is orienting towards Vue, Radix Vue seems interesting!