Open fschwahn opened 4 years ago
+1 to this too! We pick up sifter via selectize.js too.
+1 We don't use the binary either
If the binary sees little use, perhaps just drop it? Or slim it down a bit, to use fewer dependencies.
Moving it to a different package would also work.
@brianreavis We're now getting reports from GitHub for an old version of minimist, which is required by optimist (which is unmaintained), which in turn you depend on for the binary of sifter. What do you think about moving or dropping the binary?
@holic @brianreavis friendly ping! 😄
I'm getting security pings for the old version of minimist as well. Moving the CLI tool to its own package would solve the issue.
Because of the csv-parse CVE (see also #55) I looked at this library, and noticed that the library is completely self-contained, and all dependencies are only required by the sifter binary. If the binary were a self-contained package, the sifter library would have no dependencies at all, and wouldn't be affected by upstream security issues.
My guess is that a sizable amount of sifter users are using it indirectly through selectize.js, which also only uses the library parts of this package.
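To make the proposed split concrete, here is an added illustration (not a manifest from the sifter project itself) of what "move the CLI to its own package" would look like in package.json terms. The package name `sifter-cli`, the version numbers, and the `bin` entry name are assumptions; the dependency names (`optimist`, `csv-parse`) are the ones named in this thread as being needed only by the binary.

```json
{
  "_comment": "Before (assumed shape): library and CLI in one package, so every consumer of the library also pulls in optimist -> minimist and csv-parse",
  "name": "sifter",
  "version": "0.5.x",
  "main": "sifter.js",
  "bin": { "sifter": "bin/sifter.js" },
  "dependencies": {
    "optimist": "*",
    "csv-parse": "*"
  },

  "_after_library": {
    "_comment": "After: the library ships with no runtime dependencies at all",
    "name": "sifter",
    "version": "1.0.0",
    "main": "sifter.js",
    "dependencies": {}
  },

  "_after_cli": {
    "_comment": "After: the CLI lives in its own package and is the only thing that carries the argument-parsing and CSV dependencies",
    "name": "sifter-cli",
    "version": "1.0.0",
    "bin": { "sifter": "bin/sifter.js" },
    "dependencies": {
      "sifter": "^1.0.0",
      "optimist": "*",
      "csv-parse": "*"
    }
  }
}
```

With this layout, a project that only uses the library (directly, or via selectize.js) no longer has minimist or csv-parse in its dependency tree, so advisories against those packages stop firing for it; `npm ls minimist` in such a project should then return an empty tree. Only users who explicitly install `sifter-cli` take on those dependencies, and they can be updated or replaced there without touching the library's release cadence.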