magento / magento2

http://www.magento.com
Open Software License 3.0

Please remove styledocco dependency #13758

Closed barbazul closed 6 years ago

barbazul commented 6 years ago

Styledocco is long abandoned. Last commit to master branch was on March 30, 2014.

That alone should not be an issue, except that the last version of Styledocco is depending on outdated versions of packages with security reports of high severity.

The specifics: styledocco depends on marked version 0.2.10 and uglify-js version 1.2.6:
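A maintainer triaging a report like this usually wants two answers before acting: which dependency chains actually pull the named packages in, and which of those packages would disappear if the abandoned parent were removed. The script below is an added example (not code from the magento2 repository or from the issue author) that walks an npm lockfileVersion 1 `dependencies` tree; the lockfile it reads is constructed inline to mirror the issue's claim that styledocco pins marked 0.2.10 and uglify-js 1.2.6, and the styledocco version string and the top-level marked entry are placeholders, not data from the page.

```python
"""Locate named packages in an npm v1 lockfile and show what a parent removal would drop.

Added example; the lockfile below is CONSTRUCTED to mirror the issue
(styledocco -> marked 0.2.10, uglify-js 1.2.6). The styledocco version and
the top-level marked entry are placeholders, not values from the report.
"""
import json

SAMPLE_LOCK = json.loads("""
{
  "name": "sample-project",
  "lockfileVersion": 1,
  "dependencies": {
    "styledocco": {
      "version": "0.0.0-constructed",
      "requires": {"marked": "0.2.10", "uglify-js": "1.2.6"},
      "dependencies": {
        "marked": {"version": "0.2.10"},
        "uglify-js": {"version": "1.2.6"}
      }
    },
    "marked": {"version": "0.0.0-constructed"}
  }
}
""")


def _walk(deps, path, visit):
    """Depth-first walk over the nested 'dependencies' maps of a v1 lockfile."""
    for name, meta in deps.items():
        here = path + [name]
        visit(here, meta)
        _walk(meta.get("dependencies", {}), here, visit)


def find_package_paths(lock, targets):
    """Return [(path, resolved_version)] for every install of a target package.

    The path is the chain of parents in the node_modules tree, so a nested
    install such as styledocco/marked is reported separately from a
    top-level marked, each with its own resolved version.
    """
    hits = []

    def visit(path, meta):
        if path[-1] in targets:
            hits.append(("/".join(path), meta.get("version")))

    _walk(lock.get("dependencies", {}), [], visit)
    return hits


def packages_only_under(lock, parent):
    """Names whose every install sits beneath `parent`.

    These are the packages that leave the tree entirely when `parent` is
    removed; anything also installed elsewhere stays and needs its own fix.
    """
    installs = {}

    def visit(path, meta):
        installs.setdefault(path[-1], []).append(path)

    _walk(lock.get("dependencies", {}), [], visit)
    return {
        name
        for name, paths in installs.items()
        if name != parent and all(parent in p[:-1] for p in paths)
    }


if __name__ == "__main__":
    for path, version in find_package_paths(SAMPLE_LOCK, {"marked", "uglify-js"}):
        print(f"{path}: {version}")
    print("dropped by removing styledocco:", sorted(packages_only_under(SAMPLE_LOCK, "styledocco")))
```

On a real project the same question can be put to npm directly with `npm ls marked uglify-js`, which prints the nesting paths and resolved versions; the script is useful when the lockfile is all you have (for example in CI, or when reviewing a pull request that only touches the lockfile). Note that the example deliberately does not hard-code which versions are "fixed": the resolved versions it reports are what you compare against the advisory for each package.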

magento-engcom-team commented 6 years ago

Hi @barbazul We cannot accept security issue reports via Github. If you know any specific steps to reproduce a security issue with the libraries mentioned – please report it to bugcrowd.

Regarding the outdated version of the library – you are right, it should not be too much of an issue on its own. In case you have an idea of a good replacement for the dependency in question – you may submit a Pull request with the update. Thanks