Remove GeoJSON validation #1052

Merged: mourner merged 4 commits into main from cleanup-deps (May 19, 2021)

mourner (Member) commented May 19, 2021

Closes #1051, closes #1020, closes #1049. Upgrades some dependencies to pass security audit, and removes GeoJSON validation which wasn't very useful for its added size, was applied inconsistently, and relied on an unmaintained library with highly vulnerable transitive deps. Removing it is technically not too breaking since the code that worked before will continue working after the upgrade.

mourner added 4 commits May 19, 2021 12:05
This no longer serves a useful purpose — we have long stopped maintaining GL JS <0.27.
mourner requested a review from arindam1993 May 19, 2021 09:48

rreusser (Contributor) left a comment

This makes sense to me. Do I understand correctly that users would then be responsible for passing valid geojson? Should we add a note to the docs for add which conveys this?

mourner (Member, Author) commented May 19, 2021

I think it's fine to not mention — the old validation behavior was never mentioned anyway, and the requirement to pass valid GeoJSON is implied in all APIs like this.
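
Since validation now falls to the caller, a structural check along these lines can run before features are handed to `add`. It is an added example, not part of this thread or of the mapbox-gl-draw code; `geojsonProblems` and its helpers are hypothetical names, and it accepts only `Feature` and `FeatureCollection` inputs with the six coordinate-based geometry types (stricter than RFC 7946, which also allows null geometries and `GeometryCollection`).

```javascript
// Added example (not project code): caller-side structural check for GeoJSON input.
// Depth of `coordinates` nesting per type (0 = one position). A Map, not a plain
const DEPTH = new Map([['Point', 0], ['MultiPoint', 1], ['LineString', 1], // object, so
  ['MultiLineString', 2], ['Polygon', 2], ['MultiPolygon', 3]]); // "constructor" never matches
const isObj = (v) => v !== null && typeof v === 'object';
const isPosition = (p) => Array.isArray(p) && p.length >= 2 && p.every(Number.isFinite);

function checkCoords(type, coords, depth, path, out) {
  if (depth === 0) {
    if (!isPosition(coords)) out.push(`${path}: not a position of finite numbers`);
    return;
  }
  if (!Array.isArray(coords)) { out.push(`${path}: expected an array`); return; }
  if (depth === 1 && type.endsWith('LineString') && coords.length < 2)
    out.push(`${path}: line needs at least 2 positions`);
  if (depth === 1 && type.endsWith('Polygon')) {
    const first = coords[0], last = coords[coords.length - 1];
    const closed = isPosition(first) && isPosition(last) &&
      first.length === last.length && first.every((n, i) => n === last[i]);
    if (coords.length < 4 || !closed) out.push(`${path}: ring needs 4+ positions, first equal to last`);
  }
  coords.forEach((c, i) => checkCoords(type, c, depth - 1, `${path}[${i}]`, out));
}

function checkFeature(f, path, out) {
  if (!isObj(f) || f.type !== 'Feature') { out.push(`${path}: expected type "Feature"`); return; }
  const g = f.geometry;
  if (!isObj(g) || !DEPTH.has(g.type)) {
    out.push(`${path}.geometry: missing or unsupported geometry type`);
    return;
  }
  checkCoords(g.type, g.coordinates, DEPTH.get(g.type), `${path}.geometry.coordinates`, out);
}

// Returns a list of problems; an empty list means the input passed.
function geojsonProblems(input) {
  const out = [];
  if (isObj(input) && input.type === 'FeatureCollection') {
    if (!Array.isArray(input.features)) out.push('features: expected an array');
    else input.features.forEach((f, i) => checkFeature(f, `features[${i}]`, out));
  } else checkFeature(input, 'feature', out);
  return out;
}

// Constructed sample inputs: a closed triangle and the same ring left open.
const okPolygon = { type: 'Feature', properties: {}, geometry: { type: 'Polygon',
  coordinates: [[[0, 0], [1, 0], [1, 1], [0, 0]]] } };
const openRing = { type: 'Feature', properties: {}, geometry: { type: 'Polygon',
  coordinates: [[[0, 0], [1, 0], [1, 1]]] } };
console.log(geojsonProblems(okPolygon), geojsonProblems(openRing));
```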

mourner merged commit c12fb64 into main May 19, 2021
mourner deleted the cleanup-deps branch May 19, 2021 18:39
@davidbeers

This is great. @mourner do you have a rough idea when there might be a release with this fix? From reading comments it seems like it would make a very welcome minor release all on its own even if there aren't other features or fixes ready to release.

mourner (Member, Author) commented May 20, 2021

@davidbeers just released!

@murdocha

Thank you!
This is much better than the work-around I had found to reference a GitHub commit by hash in package.json:

    "@mapbox/mapbox-gl-draw": "git+https://github.com/mapbox/mapbox-gl-draw.git#c12fb64b90d00e877e94b12b60bc3b80e42924dd",


Successfully merging this pull request may close these issues: Remove dependency on @mapbox/geojsonhint; npm vulnerability; NPM audit reports vulnerabilities