Skip to content

Example page - Rocket Trajectory uses old version of charts.js which has high security vulnerability #2337

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
scotroach opened this issue Oct 11, 2021 · 5 comments · Fixed by #2557
Closed

Example page - Rocket Trajectory uses old version of charts.js which has high security vulnerability #2337

scotroach opened this issue Oct 11, 2021 · 5 comments · Fixed by #2557
Labels
bug help wanted

Comments

@scotroach
Copy link

Example page: math.js | rocket trajectory optimization
Uses Chart.js 2.5.0
Which has a High Security Vulnerability (CVE-2020-7746)

Because of this, application security scanners are reporting Security Vulnerabilities because the sample pages are included in the npm packaging.
@josdejong
Copy link
Owner

Thanks for bringing this up. Makes sense to me to remove the examples and also the docs from the npm package: you can use the examples and docs from the website https://mathjs.org, and also from the git repo.

This will require changes in the script that generates the website, which is a gh-pages website. This currently copies the examples and docs from the npm package, see: https://github.com/josdejong/mathjs/blob/gh-pages/gulpfile.js

@josdejong josdejong added the bug label Oct 13, 2021
@josdejong
Copy link
Owner

Hm, I realize the website build script needs both the npm package (math.js bundle) and the docs and examples. That means we would need both the git repo and the npm package 🤔 . Maybe we need to install the repo as a git sub module or something.

Help to work this out would be welcome!

@anjanapr
Copy link

Is there any update on this issue?

@josdejong
Copy link
Owner

No, it's not yet picked up by anyone. Help would be welcome 😄

This was referenced May 6, 2022
Closed
Merged
josdejong added a commit that referenced this issue May 9, 2022
@josdejong
Fix #2337: remove examples and docs from npm package

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
f68fbec
@josdejong josdejong mentioned this issue May 9, 2022
Merged
@josdejong
Copy link
Owner

I've created two PR's to address this issue: #2555 and #2557. Feedback on the PR's would be welcome. If not I'll merge this in a few days or so.

josdejong added a commit that referenced this issue May 11, 2022
@josdejong
Fix/remove examples and docs from package (#2557)
10ea49e 
* Fix #2337: remove `examples` and `docs` from npm package

* Add `directories` property but only with the directories that are still in the npm package
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug help wanted
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix/remove examples and docs from package josdejong/mathjs
3 participants
@josdejong @scotroach @anjanapr