bgrins / TinyColor

Fast, small color manipulation and conversion for JavaScript
https://bgrins.github.io/TinyColor/
MIT License

Updated and minified jQuery to v3.3.1.min.js (fix for #195) #205

Closed eloarr closed 3 years ago

eloarr commented 5 years ago

Fixes issue #195. Passes retirejs scan (version 2.0.2).

vlaraort commented 5 years ago

I am really waiting for this, but is the project still maintained? There have been no commits to master since 2017.

kowalk commented 5 years ago

@bgrins bump

kowalk commented 5 years ago

@bgrins anybody here?

vlaraort commented 5 years ago

Still no news?

eloarr commented 4 years ago

Alas, none.

RB-Develop commented 4 years ago

I'm also in need of this fix. Hope it goes through.

xiel commented 4 years ago

I was getting vulnerability alerts for the included outdated jQuery version as well in WhiteSource.

Because the maintainer is not responding for a while, I published a version without jQuery, demo & test folder: https://www.npmjs.com/package/tinycolor2-without-jquery https://unpkg.com/browse/tinycolor2-without-jquery@1.4.1/

You can make yarn pick it up instead of the original by using resolutions in your package.json:

"resolutions": {
  "tinycolor2": "https://registry.npmjs.org/tinycolor2-without-jquery/-/tinycolor2-without-jquery-1.4.1.tgz"
}

Cheers, – Felix

bgrins commented 3 years ago

Sorry for missing this - I went ahead and removed the jquery dependency on the demo in https://github.com/bgrins/TinyColor/commit/250a1e2421242b336770d50c2b5e1eae292bc727.

takwas commented 3 years ago

@bgrins: Thank you for making the fix. Howbeit, could you confirm whether you intend to make a release of this latest version to npm soon?

bgrins commented 3 years ago

> @bgrins: Thank you for making the fix. Howbeit, could you confirm whether you intend to make a release of this latest version to npm soon?

It shouldn't need a release since the main script file hasn't been touched. jQuery has never been used with the library - only the demo HTML page.

xiel commented 3 years ago

@bgrins the problem is, your package includes jQuery also on npm. This is what security scans pick up on, see: https://unpkg.com/browse/tinycolor2@1.4.1/demo/

So yes, a republish with a patch version is very much needed. The demo code should probably never have ended up in npm, but it did.

takwas commented 3 years ago

@xiel: You beat me to it. That's my point exactly.

bgrins commented 3 years ago

OK, thank you both for the heads up. Let me see about restricting what gets published to npm and get a new version up.

bgrins commented 3 years ago

Alright, 1.4.2 has been published: https://www.npmjs.com/package/tinycolor2/v/1.4.2

takwas commented 3 years ago

Awesome stuff! Thank you.