Swap bootstrap-tagsinput to an alternative #8683
Replies: 3 comments 7 replies
In some areas of our fork, we are using https://www.npmjs.com/package/slim-select Integration:
I just searched where this is replaced; as far as I see, this is only being used by decidim-core/app/packs/src/decidim/input_tags.js, which is only used by decidim-system/app/views/decidim/system/organizations/_file_upload_settings.erb. It's also in the decidim_app-design, but we can ignore that for now. I don't like having a dependency for only this section; maybe we can find an alternative implementation for this one where we don't replace a dependency with another dependency? (Just thinking out loud)
The JavaScript library that we use for tags, bootstrap-tagsinput, isn't maintained anymore: for the last 5 years it hasn't received any commit in the main branch, it wasn't updated to Bootstrap 4 (released in 2018), and it has a security vulnerability.
For mitigating the last issue, @alecslupu went ahead and proposed a fork (see #8672), but I don't like it as it doesn't have much traction:
So as I said there, I'm opening a discussion, so we can discuss alternatives.
Update for extra information about the vulnerability
This is what dependabot says:
As far as I see, we're not using the itemTitle parameter, but still we have an unmaintained dependency that we should change.