Skip to content

chore: add security exclusion for jspdf #5801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

chore: add security exclusion for jspdf #5801

wants to merge 1 commit into from

Conversation

@mohammadalfaiyazbitgo
Copy link
Contributor

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo commented Mar 19, 2025

Ticket: WP-4055

TICKET: WP-4055

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo requested review from a team as code owners March 19, 2025 17:46
andrew-scott-fischer
andrew-scott-fischer requested changes Mar 19, 2025
View reviewed changes
Copy link
Contributor

@andrew-scott-fischer andrew-scott-fischer left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From WP-4055

adding exclusion for https://github.com/advisories/GHSA-w532-jxjh-hjhjCan't find link , we don’t use jspdf in platform to generate PDFs. PDF generation is done on the client with the sdk.

If we don't use it, why not remove it as a dependency? Ignoring a CVE with an 8.7 score is not a great practice.

@andrew-scott-fischer andrew-scott-fischer mentioned this pull request Mar 19, 2025
Closed
@mohammadalfaiyazbitgo
Copy link
Contributor Author

mohammadalfaiyazbitgo commented Mar 19, 2025
edited by atlassian bot
Loading

From WP-4055

adding exclusion for https://github.com/advisories/GHSA-w532-jxjh-hjhjCan't find link , we don’t use jspdf in platform to generate PDFs. PDF generation is done on the client with the sdk.

If we don't use it, why not remove it as a dependency? Ignoring a CVE with an 8.7 score is not a great practice.

@andrew-scott-fischer The SDK uses it to generate Key cards, but it's on the client end.

@andrew-scott-fischer
Copy link
Contributor

andrew-scott-fischer commented Mar 21, 2025

ok, but then you should update the dependency, even if it's a transitive one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@margueriteblair margueriteblair Awaiting requested review from margueriteblair margueriteblair was automatically assigned from BitGo/wallet-platform

@pengyuc-bitgo pengyuc-bitgo Awaiting requested review from pengyuc-bitgo pengyuc-bitgo was automatically assigned from BitGo/wallet-platform

@andrew-scott-fischer andrew-scott-fischer Awaiting requested review from andrew-scott-fischer

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mohammadalfaiyazbitgo @andrew-scott-fischer