Open riderjensen opened 2 years ago
it is used in the CI pipeline to compare whether specs that are valid in speccy are valid here too, so I'm not very concerned about any XSS in it. However I'm open to replace it with a more up to date tooling from the JS world.
@cebe even though the JavaScript dependency is not included in the release tarball, the presence of the yarn.lock
file causes security scanning tools like Snyk to report a critical vulnerability (since it can be configured to crawl the a project after installing all Composer dependencies, looking for dependency manifests like yarn.lock
). Would it be possible to package and release php-openapi
without the yarn.lock
file present?
As far as I remember that is possible by adding a .gitattributes
file to exclude files like that, e.g. https://github.com/cebe/markdown/blob/2b2461bed9e15305486319ee552bafca75d1cdaa/.gitattributes
Happy to merge a PR that adds one.
However I'm open to replace it with a more up to date tooling from the JS world.
Hey hey! I made Speccy and it got trapped and promptly abandoned at WeWork when I left. Spectral is the successor, it does severything Speccy did and a million times more. https://github.com/stoplightio/spectral/
Thought I would bring this up here as Speccy is a dead repo (last updated 3 years ago). It looks like Speccy is being used here and the latest version of Speccy is using an older version of redoc which is using a bad version of dompurify according to snyk .
Wondering what are thoughts around removing speccy from the repo?