Plotly.js: Static-eval security issue reported by npm audit

Created on 4 Dec 2019 · 4 Comments · Source: plotly/plotly.js

To reproduce, install plotly.js in a project, and run npm audit.

Expected outcome: no security issues.
Actual outcome: reports an issue due to the version of static-eval linked to in the package.
Fix: update the static-eval version to >= 2.0.2. See https://www.npmjs.com/advisories/758

There are 16 security alerts generated, but they all refer to the same issue, as shown in the attached image.

[Screenshot: npm audit output (Screen Shot 2019-12-04 at 12 03 31 pm)]
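The report described above (16 alerts that all trace back to advisory 758) is the usual shape of a transitive-dependency finding: one advisory, many dependency paths. The following is an added example, not code from the issue or from plotly.js, that collapses an `npm audit --json` report (npm 6 format) into one row per advisory with the alert count and the direct dependencies through which the vulnerable package is reached. The embedded report is a constructed sample; the dependency paths and the installed version `2.0.0` are assumptions, only the advisory number, module name, patched range and URL come from the issue.

```javascript
// Constructed sample in the npm 6 `npm audit --json` layout. The advisory number,
// module name, patched range and URL are from the issue; the paths and the
// installed version are assumed, and only 4 of the issue's 16 paths are shown.
const sampleAudit = {
  advisories: {
    "758": {
      id: 758,
      module_name: "static-eval",
      severity: "moderate", // assumed; the issue does not state the severity
      vulnerable_versions: "<2.0.2",
      patched_versions: ">=2.0.2",
      url: "https://www.npmjs.com/advisories/758",
      findings: [
        {
          version: "2.0.0", // assumed installed version
          paths: [
            "plotly.js>cwise>static-eval",
            "plotly.js>ndarray-fill>cwise>static-eval",
            "plotly.js>ndarray-gradient>cwise>static-eval",
            "plotly.js>gl-surface3d>ndarray-fill>cwise>static-eval",
          ],
        },
      ],
    },
  },
};

// One summary row per advisory: npm audit counts every path as a separate
// alert, so alertCount is what the user sees while the root cause is one entry.
function summarizeAudit(report) {
  return Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const paths = findings.flatMap((f) => f.paths || []);
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      installedVersions: [...new Set(findings.map((f) => f.version))],
      patchedVersions: adv.patched_versions,
      alertCount: paths.length,
      // First path segment is the direct dependency that pulls the package in;
      // that is the package whose maintainer (or replacement) fixes the alert.
      entryPoints: [...new Set(paths.map((p) => p.split(">")[0]))],
      // The package immediately depending on the vulnerable module.
      parents: [...new Set(paths.map((p) => p.split(">").slice(-2)[0]))],
      url: adv.url,
    };
  });
}

for (const s of summarizeAudit(sampleAudit)) {
  console.log(`${s.module} (advisory ${s.id}, ${s.severity}): ${s.alertCount} alerts ` +
              `via ${s.entryPoints.join(", ")}; fixed in ${s.patchedVersions}`);
}
```

Run it against a real report with `npm audit --json > audit.json` and replace `sampleAudit` with the parsed file; the `parents` field shows which package (here cwise) must pick up the patched static-eval for the alerts to clear.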

All 4 comments

@etpinard You are referring to an issue that is 2 years old, the PR ( https://github.com/scijs/cwise/pull/25 ) that is meant to fix the security vulnerability has had no meaningful update or discussion since Jul 25, 2019.

At this point I think it's fair to assume the vulnerability will not be fixed at cwise's side, and I suggest looking into alternatives.

Why is this issue closed? There are still security issues with cwise.

They may not cause direct issues with this repo, but at some point a non-maintained dependency with security issues should be fixed or replaced.

We're tracking this in https://github.com/plotly/plotly.js/issues/4796 now :)
