Updated and minified jQuery to v3.3.1.min.js (fix for #195) #205

Closed
wants to merge 1 commit into from

@eloarr eloarr commented Mar 16, 2019

Fixes issue #195
Passes retirejs scan (version 2.0.2).

@vlaraort

vlaraort commented Apr 3, 2019

I am really waiting for this, but is the project still maintained? There are no commits to master since 2017.

@kowalk

kowalk commented Jul 16, 2019

@bgrins bump

@kowalk

kowalk commented Jul 25, 2019

@bgrins anybody here?

@vlaraort

Still no news?

@eloarr
Author

eloarr commented Sep 22, 2019

Alas, none.

@RB-Develop

I'm also in need of this fix. Hope it goes through.

@xiel

xiel commented Aug 28, 2020

I was getting vulnerability alerts for the included outdated jQuery version as well in WhiteSource.

Because the maintainer has not been responding for a while, I published a version without jQuery, demo & test folder:
https://www.npmjs.com/package/tinycolor2-without-jquery
https://unpkg.com/browse/tinycolor2-without-jquery@1.4.1/

You can make yarn pick it up instead of the original by using resolutions in your package.json:

"resolutions": {
  "tinycolor2": "https://registry.npmjs.org/tinycolor2-without-jquery/-/tinycolor2-without-jquery-1.4.1.tgz"
}

Cheers,
– Felix

@bgrins
Owner

bgrins commented Sep 18, 2020

Sorry for missing this - I went ahead and removed the jquery dependency on the demo in 250a1e2.

@bgrins bgrins closed this Sep 18, 2020
@takwas

takwas commented Sep 25, 2020

@bgrins: Thank you for making the fix. Howbeit, could you confirm whether you intend on making a release of this latest version to npm soon?

@bgrins
Owner

bgrins commented Sep 25, 2020

> @bgrins: Thank you for making the fix. Howbeit, could you confirm whether you intend on making a release of this latest version to npm soon?

It shouldn't need a release since the main script file hasn't been touched. jQuery has never been used with the library - only the demo HTML page.

@xiel

xiel commented Sep 25, 2020

@bgrins the problem is, your package includes jQuery also on npm. This is what security scans pick up on, see:
https://unpkg.com/browse/tinycolor2@1.4.1/demo/

So yes, a republish with a patch version is very much needed. The demo code should probably never have ended up in npm, but it did.

@takwas

takwas commented Sep 25, 2020

@xiel: You beat me to it. That's my point exactly.

@bgrins
Owner

bgrins commented Sep 25, 2020

OK, thank you both for the heads up. Let me see about restricting what gets published to npm and get a new version up.

@bgrins
Owner

bgrins commented Sep 25, 2020

Alright, 1.4.2 has been published: https://www.npmjs.com/package/tinycolor2/v/1.4.2

@takwas

takwas commented Sep 26, 2020

Awesome stuff! Thank you.
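
The thread turns on a package shipping demo and test files, including a bundled jQuery copy, that the library never uses at runtime. As an added example (not code from this thread or from the tinycolor2 project), the check below audits a package file list, such as the `path` values from `npm pack --dry-run --json`, before publishing; the function names, sample paths and directory list are assumptions made for illustration.

```javascript
// Added example: audit a packed npm package's file list for content that
// should not ship. Sample paths below are constructed.

// Non-runtime directories (assumption: demo/ and test/, as named in the thread).
const NON_RUNTIME_DIRS = ['demo/', 'test/'];

// Vendored jQuery builds such as "jquery-1.12.0.js" or "jquery-3.3.1.min.js".
const JQUERY_FILE = /(?:^|\/)jquery[-.](\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$/i;

// Compare two [major, minor, patch] arrays; returns <0, 0 or >0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// paths: file paths relative to the package root.
// minJquery: lowest acceptable bundled jQuery version as [major, minor, patch].
function auditPackageFiles(paths, minJquery) {
  const findings = [];
  for (const raw of paths) {
    // Normalise separators and drop the "package/" prefix used inside npm tarballs.
    const path = raw.replace(/\\/g, '/').replace(/^(?:\.\/|package\/)/, '');
    const m = JQUERY_FILE.exec(path);
    if (m) {
      const version = m.slice(1, 4).map(Number);
      const outdated = compareVersions(version, minJquery) < 0;
      findings.push({
        path,
        kind: outdated ? 'outdated-bundled-jquery' : 'bundled-jquery',
        version: version.join('.'),
      });
    } else if (NON_RUNTIME_DIRS.some((dir) => path.startsWith(dir))) {
      findings.push({ path, kind: 'non-runtime-file' });
    }
  }
  return findings;
}

// Constructed sample listing (not the real tinycolor2 tarball contents).
const samplePaths = [
  'package/package.json',
  'package/tinycolor.js',
  'package/demo/index.html',
  'package/demo/jquery-1.12.0.min.js',
  'package/test/test.js',
];
// Floor of 3.3.1 is the version named in this PR's title (assumption as policy).
console.log(auditPackageFiles(samplePaths, [3, 3, 1]));
```

An empty result means only runtime files would be published; a `files` allowlist in package.json or an `.npmignore` entry is how npm restricts the published set.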
