Closed eloarr closed 3 years ago
I am really waiting for this, but is the project still maintained? There have been no commits to master since 2017.
@bgrins bump
@bgrins anybody here?
Still no news?
Alas, none.
I'm also in need of this fix. Hope it goes through.
I was getting vulnerability alerts for the included outdated jQuery version as well in WhiteSource.
Because the maintainer is not responding for a while, I published a version without jQuery, demo & test folder: https://www.npmjs.com/package/tinycolor2-without-jquery https://unpkg.com/browse/tinycolor2-without-jquery@1.4.1/
You can make yarn pick it up instead of the original by using resolutions in your package.json:
"resolutions": {
"tinycolor2": "https://registry.npmjs.org/tinycolor2-without-jquery/-/tinycolor2-without-jquery-1.4.1.tgz"
}
Cheers, – Felix
Sorry for missing this - I went ahead and removed the jquery dependency on the demo in https://github.com/bgrins/TinyColor/commit/250a1e2421242b336770d50c2b5e1eae292bc727.
@bgrins: Thank you for making the fix. Howbeit, could you confirm whether you intend to make a release of this latest version to npm soon?
It shouldn't need a release since the main script file hasn't been touched. jQuery has never been used with the library - only the demo HTML page.
@bgrins the problem is, your package includes jQuery also on npm. This is what security scans pick up on, see: https://unpkg.com/browse/tinycolor2@1.4.1/demo/
So yes, a republish with a patch version is very much needed. The demo code should probably never have ended up in npm, but it did.
@xiel: You beat me to it. That's my point exactly.
OK, thank you both for the heads up. Let me see about restricting what gets published to npm and get a new version up.
Alright, 1.4.2 has been published: https://www.npmjs.com/package/tinycolor2/v/1.4.2
Awesome stuff! Thank you.
Fixes issue #195. Passes retirejs scan (version 2.0.2).