
Proposal: Move binary to separate repository

Open fschwahn opened this issue 6 years ago • 5 comments

Because of the csv-parse CVE (see also #55) I looked at this library, and noticed that the library is completely self-contained, and all dependencies are only required by the sifter binary. If the binary were a self-contained package, the sifter library would have no dependencies at all, and wouldn't be affected by upstream security issues.

My guess is that a sizable number of sifter users are using it indirectly through selectize.js, which also only uses the library parts of this package.

fschwahn avatar Oct 29 '19 15:10 fschwahn

+1 to this too! We pick up sifter via selectize.js too.

mattgodbolt avatar Nov 05 '19 19:11 mattgodbolt

+1 We don't use the binary either

If the binary sees little use, perhaps just drop it? Or slim it down a bit, to use fewer dependencies.

Moving it to a different package would also work.

sandstrom avatar Mar 10 '20 14:03 sandstrom

@brianreavis We're now getting reports from GitHub for an old version of minimist, which is required by optimist (which is unmaintained), which in turn you depend on for the binary of sifter. What do you think about moving or dropping the binary?

fschwahn avatar Apr 10 '20 09:04 fschwahn

@holic @brianreavis friendly ping! 😄

sandstrom avatar May 18 '20 16:05 sandstrom

I'm getting security pings for the old version of minimist as well. Moving the CLI tool to its own package would solve the issue.

jadell avatar Jul 09 '20 17:07 jadell