brianreavis / sifter.js

A library for textually searching arrays and hashes of objects by property (or multiple properties). Designed specifically for autocomplete.

Proposal: Move binary to separate repository #58

Open fschwahn opened 4 years ago

fschwahn commented 4 years ago

Because of the csv-parse CVE (see also #55) I looked at this library, and noticed that the library is completely self-contained, and all dependencies are only required by the sifter binary. If the binary were a self-contained package, the sifter library would have no dependencies at all, and wouldn't be affected by upstream security issues.

My guess is that a sizable amount of sifter users are using it indirectly through selectize.js, which also only uses the library parts of this package.

mattgodbolt commented 4 years ago

+1 to this too! We pick up sifter via selectize.js too.

sandstrom commented 4 years ago

+1 We don't use the binary either

If the binary sees little use, perhaps just drop it? Or slim it down a bit, to use fewer dependencies.

Moving it to a different package would also work.

fschwahn commented 4 years ago

@brianreavis We're now getting reports from GitHub for an old version of minimist, which is required by optimist (which is unmaintained), which in turn you depend on for the sifter binary. What do you think about moving or dropping the binary?

sandstrom commented 4 years ago

@holic @brianreavis friendly ping! 😄

jadell commented 4 years ago

I'm getting security pings for the old version of minimist as well. Moving the CLI tool to its own package would solve the issue.
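An added example, not sifter's own code and not part of any comment above, showing the two steps the thread is about: tracing which direct dependency pulls a flagged transitive package (the optimist -> minimist chain) into the tree, and splitting one manifest into a dependency-free library plus a CLI package that owns the binary's dependencies. The manifest, versions and tree shape are constructed placeholders; only the package names come from the thread.

```javascript
"use strict";

// Constructed lock-file style tree: name -> { version, requires }.
// Versions are placeholders; the optimist -> minimist edge is the one the thread reports.
const tree = {
  sifter:      { version: "0.0.0-example", requires: ["optimist", "csv-parse"] },
  optimist:    { version: "0.0.0-example", requires: ["minimist"] },
  "csv-parse": { version: "0.0.0-example", requires: [] },
  minimist:    { version: "0.0.0-example", requires: [] },
};

// Return every dependency path from `root` to `target`,
// e.g. [["sifter", "optimist", "minimist"]]; this is what `npm ls <pkg>` answers.
function findDependencyPaths(tree, root, target) {
  const paths = [];
  const walk = (name, path) => {
    if (path.includes(name)) return;                  // guard against cycles
    const next = [...path, name];
    if (name === target) { paths.push(next); return; }
    for (const dep of (tree[name] || { requires: [] }).requires) walk(dep, next);
  };
  walk(root, []);
  return paths;
}

// Split a manifest: the library keeps everything except `bin` and the
// binary-only dependencies; the CLI package gets `bin`, those dependencies,
// and a dependency on the library itself.
function splitManifest(pkg, binaryOnlyDeps) {
  const entries = Object.entries(pkg.dependencies || {});
  const libDeps = Object.fromEntries(entries.filter(([n]) => !binaryOnlyDeps.includes(n)));
  const cliDeps = Object.fromEntries(entries.filter(([n]) => binaryOnlyDeps.includes(n)));
  const { bin, ...rest } = pkg;
  const library = { ...rest, dependencies: libDeps };
  const cli = {
    name: `${pkg.name}-cli`, version: pkg.version, bin,
    dependencies: { [pkg.name]: pkg.version, ...cliDeps },
  };
  return { library, cli };
}

// Constructed "before" manifest (paths and versions are placeholders).
const before = { name: "sifter", version: "0.0.0-example", main: "lib/sifter.js",
  bin: { sifter: "bin/sifter.js" }, dependencies: { optimist: "*", "csv-parse": "*" } };
const { library, cli } = splitManifest(before, ["optimist", "csv-parse"]);

// Rebuild the root of the tree from the library manifest to confirm minimist is gone.
const afterTree = { ...tree, sifter: { ...tree.sifter, requires: Object.keys(library.dependencies) } };
console.log(JSON.stringify({ before: findDependencyPaths(tree, "sifter", "minimist"),
  after: findDependencyPaths(afterTree, "sifter", "minimist"), library, cli }, null, 2));
```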