https://github.com/mckinsey/vizro/pull/398 was merged when it was failing Snyk licence and security checks. I discussed this with @Joseph-Perkins and agreed we should ignore all the warnings but also add a note to our docs - done here.
I've thoroughly read up on the security issue and am not concerned as things stand. So long as dashboard developers use trusted data then all is well. If we ever allow untrusted users to upload data (e.g. through the dashboard) then we'd have to be much more careful though, since potentially that could be a big security risk that allows arbitrary code execution.
Notice
[x] I acknowledge and agree that, by checking this box and clicking "Submit Pull Request":
I submit this contribution under the Apache 2.0 license and represent that I am entitled to do so on behalf of myself, my employer, or relevant third parties, as applicable.
I certify that (a) this contribution is my original creation and / or (b) to the extent it is not my original creation, I am authorized to submit this contribution on behalf of the original creator(s) or their licensees.
I certify that the use of this contribution as authorized by the Apache 2.0 license does not violate the intellectual property rights of anyone else.
I have not referenced individuals, products or companies in any commits, directly or indirectly.
I have not added data or restricted code in any commits, directly or indirectly.
Description
https://github.com/mckinsey/vizro/pull/398 was merged when it was failing Snyk licence and security checks. I discussed this with @Joseph-Perkins and agreed we should ignore all the warnings but also add a note to our docs - done here.
I've thoroughly read up on the security issue and am not concerned as things stand. So long as dashboard developers use trusted data then all is well. If we ever allow untrusted users to upload data (e.g. through the dashboard) then we'd have to be much more careful though, since potentially that could be a big security risk that allows arbitrary code execution.
Notice
[x] I acknowledge and agree that, by checking this box and clicking "Submit Pull Request":