Examples directory of the repository is part of the NPM package

Question

Examples directory of the repository is part of the NPM package

jfcere opened this issue 4 years ago · comments

Jean-Francois Cere commented 4 years ago

Hi there,

Thanks for the library, ASCII art ftw 😄

That being said, my vulnerability check reported a problem with figlet because it found an old version of jQuery that has been flagged for security issues. I was surprised at first because I thought that the library has no dependency on jQuery but after inspecting the node_modules/figlet directory I noticed that the folder examples that contain jQuery is part of the NPM package.

Is there any plan to remove the examples folder from the distributed package?

patorjk · Answer 1 · Wed Apr 22 2020 04:32:26 GMT+0800 (China Standard Time)

Thank you for the report on this. JQuery is only used for the front-end portion of the lib, and only for an Ajax call. However, now that fetch is widely supported that part can be refactored out (thus removing any need for jquery). I’ll try and take a look at this in the next day or two.

…

On Tue, Apr 21, 2020 at 4:27 PM Jean-Francois Cere ***@***.***> wrote: Hi there, Thanks for the library, ASCII art ftw 😄 That being said, my vulnerability check flagged a problem with figlet because it found an old version of jQuery that has been flagged for security issues. I was surprised at first because I thought that the library has no dependency on jQuery but after inspecting the node_modules/figlet directory that the folder examples that contain jQuery is part of the NPM package. Is there any plan to remove the examples folder from the distributed package? [image: image] <https://user-images.githubusercontent.com/6987084/79910109-1705d480-83ec-11ea-9b7f-dd80f57dfaa5.png> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#55>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD7ICHDPP2DM35OELEA7IDRNX6SXANCNFSM4MNS5EFA> .

patorjk · Answer 2 · Mon Apr 27 2020 07:30:04 GMT+0800 (China Standard Time)

Sorry, I was confused when I posted my first response (I was thinking of a little used font preloading function, but it doesn't cause jquery to be included). You were correct. I've refactored the example to not use jQuery so it's no longer included. Thanks for reporting this!

Jean-Francois Cere · Answer 3 · Mon Apr 27 2020 08:21:06 GMT+0800 (China Standard Time)

@patorjk Thanks a lot, WhiteSource doesn't report the vulnerability anymore 👍