plotly / plotly.js

Open-source JavaScript charting library behind Plotly and Dash
https://plotly.com/javascript/
MIT License

Static-eval security issue reported by npm audit #4407

Closed goldengecko closed 4 years ago

goldengecko commented 4 years ago

To reproduce, install plotly.js in a project, and run npm audit.

Expected outcome: no security issues. Actual outcome: reports an issue due to the version of static-eval linked to in the package. Fix: update the static-eval version to >= 2.0.2. See https://www.npmjs.com/advisories/758

There are 16 security alerts generated, but they all refer to the same issue, as shown in the attached image.

[Attached screenshot: Screen Shot 2019-12-04 at 12 03 31 pm]
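As an added example (not part of this thread or the plotly.js project), the script below shows how the "16 alerts, one issue" situation described in the report can be traced from the dependency tree that `npm ls --all --json` prints: it walks the tree, lists every path that resolves a named package, and keeps only the paths whose resolved version is below the patched one. The tree is constructed inline with placeholder versions; the only values taken from the thread are the package names `plotly.js`, `cwise` and `static-eval` and the patched version `2.0.2`.

```javascript
// Added example, not project code: find every dependency path that resolves a
// package to a version older than the patched release. Feed it the object that
// `npm ls --all --json` prints (JSON.parse of the output) instead of SAMPLE_TREE.
// SAMPLE_TREE is constructed; "0.0.0-placeholder" versions are not real releases.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "plotly.js": {
      version: "0.0.0-placeholder",
      dependencies: {
        cwise: {
          version: "0.0.0-placeholder",
          dependencies: { "static-eval": { version: "2.0.0" } }, // below 2.0.2
        },
        "other-lib": {
          version: "0.0.0-placeholder",
          dependencies: { "static-eval": { version: "1.1.1" } }, // below 2.0.2
        },
      },
    },
    "patched-lib": {
      version: "0.0.0-placeholder",
      dependencies: { "static-eval": { version: "2.0.2" } }, // already fixed
    },
  },
};

// Parse "MAJOR.MINOR.PATCH", ignoring a leading "v" and any prerelease/build tag.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`unparseable version: ${v}`);
  return parts.slice(0, 3);
}

// True when a < b in numeric major.minor.patch order.
function versionLt(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Depth-first walk; returns { path, version } for every node named `pkg`.
function findPackagePaths(tree, pkg) {
  const out = [];
  const walk = (node, name, path) => {
    const here = [...path, name];
    if (name === pkg && node.version) {
      out.push({ path: here.join(" > "), version: node.version });
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, here);
    }
  };
  walk(tree, tree.name || "(root)", []);
  return out;
}

// Only the paths whose resolved version is older than `patched`.
function findVulnerablePaths(tree, pkg, patched) {
  return findPackagePaths(tree, pkg).filter((p) => versionLt(p.version, patched));
}

// One-line view of the situation: how many paths exist, how many are still
// vulnerable, and which distinct old versions are installed.
function summarize(tree, pkg, patched) {
  const all = findPackagePaths(tree, pkg);
  const bad = all.filter((p) => versionLt(p.version, patched));
  return {
    package: pkg,
    totalPaths: all.length,
    vulnerablePaths: bad.length,
    versions: [...new Set(bad.map((p) => p.version))].sort(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findVulnerablePaths(SAMPLE_TREE, "static-eval", "2.0.2")) {
    console.log(`${hit.version}  ${hit.path}`);
  }
  console.log(summarize(SAMPLE_TREE, "static-eval", "2.0.2"));
}

module.exports = { parseVersion, versionLt, findPackagePaths, findVulnerablePaths, summarize };
```

Each printed path is one chain that npm audit would have flagged, which is why a single advisory shows up many times. While an upstream fix is pending, npm's `overrides` field in package.json (npm 8.3 and later) or Yarn's `resolutions` field can force the patched version across all of those paths; re-running the script on a fresh `npm ls --all --json` confirms that `vulnerablePaths` drops to zero.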

etpinard commented 4 years ago

Duplicate of https://github.com/scijs/cwise/issues/19

Ionaru commented 4 years ago

@etpinard You are referring to an issue that is 2 years old; the PR (https://github.com/scijs/cwise/pull/25) that is meant to fix the security vulnerability has had no meaningful update or discussion since Jul 25, 2019.

At this point I think it's fair to assume the vulnerability will not be fixed at cwise's side, and I suggest looking into alternatives.

stephanvierkant commented 4 years ago

Why is this issue closed? There are still security issues with cwise.

They may not cause direct issues with this repo, but at some point a non-maintained dependency with security issues should be fixed or replaced.

nicolaskruchten commented 4 years ago

We're tracking this in https://github.com/plotly/plotly.js/issues/4796 now :)