Updated and minified jQuery to v3.3.1.min.js (fix for #195) #205
Conversation
I am really waiting for this, but is the project still maintained? There have been no commits to master since 2017.
@bgrins bump
@bgrins anybody here?
Still no news?
Alas, none.
I'm also in need of this fix. Hope it goes through.
I was getting vulnerability alerts for the included outdated jQuery version as well in WhiteSource. Because the maintainer has not been responding for a while, I published a version without jQuery and without the demo & test folders. You can make yarn pick it up instead of the original by using resolutions in your package.json:

```json
"resolutions": {
  "tinycolor2": "https://registry.npmjs.org/tinycolor2-without-jquery/-/tinycolor2-without-jquery-1.4.1.tgz"
}
```

Cheers,
Sorry for missing this - I went ahead and removed the jquery dependency on the demo in 250a1e2.
It shouldn't need a release since the main script file hasn't been touched. jQuery has never been used with the library - only the demo HTML page.
@bgrins the problem is, your package also includes jQuery on npm. This is what security scans pick up on, see: so yes, a republish with a patch version is very much needed. The demo code should probably never have ended up in npm, but it did.
@xiel: You beat me to it. That's my point exactly.
OK, thank you both for the heads up. Let me see about restricting what gets published to npm and get a new version up.
Alright, 1.4.2 has been published: https://www.npmjs.com/package/tinycolor2/v/1.4.2
Awesome stuff! Thank you.
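Added example, not part of this thread or of the tinycolor2 project: a small Python audit of an npm tarball (the kind `npm pack` produces) that reports every file outside an allowlist and flags any vendored jQuery by its version banner, which is what scanners like retire.js and WhiteSource key on. The tarball layout, file contents and the jQuery version string are constructed placeholders.

```python
import io
import re
import tarfile
from fnmatch import fnmatch

# Constructed stand-in for the pre-1.4.2 package layout described above:
# library, manifest, demo page with vendored jQuery, and tests. The file
# bodies and the jQuery version are placeholders, not real project files.
CONSTRUCTED_TARBALL_FILES = {
    "package/package.json": b'{"name":"tinycolor2","version":"1.4.1","main":"tinycolor.js"}',
    "package/tinycolor.js": b"// library entry point (placeholder body)\n",
    "package/demo/index.html": b"<script src='jquery.min.js'></script>\n",
    "package/demo/jquery.min.js": b"/*! jQuery v0.0.0 (constructed placeholder banner) */\n",
    "package/test/test.js": b"// tests (placeholder)\n",
}

# Allowlist in the spirit of a package.json "files" entry: only the
# manifest and the library script should reach the registry.
ALLOWLIST = ["package/package.json", "package/tinycolor.js"]

# Minified jQuery builds start with a banner of the form "/*! jQuery vX.Y.Z".
JQUERY_BANNER = re.compile(rb"jQuery v(\d+\.\d+\.\d+)")


def build_tarball(files):
    """Write an in-memory .tgz with npm's top-level 'package/' prefix."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(tgz_bytes, allowlist):
    """Return (unexpected_paths, {path: jquery_version}) for an npm tarball."""
    unexpected, jquery = [], {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if not any(fnmatch(member.name, pat) for pat in allowlist):
                unexpected.append(member.name)
            head = tar.extractfile(member).read(512)  # banner sits at the top
            match = JQUERY_BANNER.search(head)
            if match:
                jquery[member.name] = match.group(1).decode()
    return sorted(unexpected), jquery
```

Run `audit_tarball` over the output of `npm pack` before publishing; an empty result means the demo, tests and any bundled jQuery stayed out of the release.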
Fixes issue #195
Passes retirejs scan (version 2.0.2).