Open riderjensen opened 2 years ago
cebe
commented
2 years ago it is used in the CI pipeline to compare whether specs that are valid in speccy are valid here too, so I'm not very concerned about any XSS in it. However I'm open to replace it with a more up to date tooling from the JS world.
vvanpo
commented
2 years ago @cebe even though the JavaScript dependency is not included in the release tarball, the presence of the yarn.lock file causes security scanning tools like Snyk to report a critical vulnerability (since it can be configured to crawl the a project after installing all Composer dependencies, looking for dependency manifests like yarn.lock). Would it be possible to package and release php-openapi without the yarn.lock file present?
cebe
commented
2 years ago As far as I remember that is possible by adding a .gitattributes file to exclude files like that, e.g. https://github.com/cebe/markdown/blob/2b2461bed9e15305486319ee552bafca75d1cdaa/.gitattributes
Happy to merge a PR that adds one.
cebe
commented
2 years ago However I'm open to replace it with a more up to date tooling from the JS world.
philsturgeon
commented
2 years ago Hey hey! I made Speccy and it got trapped and promptly abandoned at WeWork when I left. Spectral is the successor, it does severything Speccy did and a million times more. https://github.com/stoplightio/spectral/
Thought I would bring this up here as Speccy is a dead repo (last updated 3 years ago). It looks like Speccy is being used here and the latest version of Speccy is using an older version of redoc which is using a bad version of dompurify according to snyk .
Wondering what are thoughts around removing speccy from the repo?