
Update package.json #1

Open

wants to merge 1 commit into master

Conversation

stephenwaite
Member

found this dependabot warning, what do you think @sjpadgett?

creepin

@@ -24,7 +24,7 @@
"mocha": "^3.2.0"
},
"dependencies": {
"xmldom": "0.5.0",
"xmldom": "0.7.7",
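Review bot: the last line of the hunk bumps the version to 0.7.7 but keeps the unscoped package name `xmldom`; the review comment on this hunk points out that module access changed when the project moved to the `@xmldom/xmldom` scope, so `"xmldom": "0.7.7"` is unlikely to resolve from the npm registry and the install would fail rather than silently pick up the fix the dependabot warning asks for. Suggest `"@xmldom/xmldom": "0.7.7"` in the `dependencies` block, a matching rename of every `require('xmldom')` in the package, and a note in the changelog, since the rename is a breaking change for anyone importing the old name.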
Member
"@xmldom/xmldom": "0.7.7"

This is one of those very concerning version updates. Looking at the change logs, access to the module was changed at v0.6.0. Some sort of tiff I guess, but the most concerning thing is that xmldom is widely used in openemr: HTMLPurifier, Bootstrap, jQuery, lforms, ckeditor and angular-sanitize!

I don't understand if our package import is the same dependency used by these other projects and why we included it in the first place. We'd need to do a git search to get to the bottom of that, but if indeed xmldom is a dependency of the above projects, were we required to include it, or was it included as an npm dependency when including Bootstrap, let's say?

Whatever the case, in this instance we're damned if we do and damned if we don't. Meaning, how far do we let project updates lag behind?
We certainly need to test this well and I have updated my dev, but we all need to help test this or any package updates.
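The two questions raised in the comments above (does the pinned `xmldom` spec still resolve now that the package moved to the `@xmldom/xmldom` scope, and which installed packages actually pull `xmldom` in, directly or transitively) can both be answered from `package.json` and `package-lock.json` without hitting the registry. The script below is an added example, not code from the oe-cda-schematron project or from either commenter. It assumes a lockfileVersion 2 or 3 `packages` map, and it takes the cutoff of 0.6.0 for the last release published under the unscoped name from the comment above; the package names in the sample data are constructed and do not describe any real project's dependency graph.

```javascript
// Added example (not from the oe-cda-schematron project): audit a package.json
// and its package-lock.json for a single dependency name.
//   1. Flag an unscoped "xmldom" spec pinned above the last version published
//      under that name (cutoff taken from the review comment; assumption,
//      verify against the npm registry before relying on it).
//   2. List every installed package whose "dependencies" name the module, so a
//      reviewer can see whether it is a direct dependency, a transitive one, or both.

const LAST_UNSCOPED_XMLDOM = [0, 6, 0]; // assumption, see lead-in
const SCOPED_NAME = '@xmldom/xmldom';

// Extract the first x.y.z triple from specs such as "0.7.7", "^0.5.0", ">=0.5.0".
// Returns null for ranges with no concrete version ("*", "latest", git URLs).
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Findings for the root package.json: an unscoped "xmldom" spec whose minimum
// version is above the cutoff cannot be satisfied from the registry.
function checkXmldomSpec(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const spec = pkg[field] && pkg[field].xmldom;
    if (!spec) continue;
    const v = parseVersion(spec);
    if (v && compareVersions(v, LAST_UNSCOPED_XMLDOM) > 0) {
      findings.push(
        `${field}: "xmldom": "${spec}" is above ${LAST_UNSCOPED_XMLDOM.join('.')}; ` +
        `newer releases are published as "${SCOPED_NAME}", so this spec will not resolve`
      );
    }
  }
  return findings;
}

// Walk the lockfile "packages" map. Keys are install paths such as
// "node_modules/a/node_modules/b"; the empty key is the root package itself.
function findDependents(lock, name) {
  const dependents = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const deps = Object.assign({}, entry.dependencies, entry.devDependencies);
    if (!Object.prototype.hasOwnProperty.call(deps, name)) continue;
    dependents.push({
      dependent: path === '' ? '(root package.json)' : path.replace(/^.*node_modules\//, ''),
      direct: path === '',
      spec: deps[name],
    });
  }
  return dependents;
}

// Human-readable report combining both checks.
function report(pkg, lock, name) {
  const lines = checkXmldomSpec(pkg);
  for (const d of findDependents(lock, name)) {
    lines.push(`${d.direct ? 'direct' : 'transitive'}: ${d.dependent} requires ${name}@${d.spec}`);
  }
  return lines;
}

// Constructed sample input: a root package pinning the unscoped name at 0.7.7
// and one hypothetical library ("example-lib") that also depends on xmldom.
const samplePackageJson = {
  name: 'example-app',
  dependencies: { xmldom: '0.7.7', bootstrap: '^4.6.0' },
  devDependencies: { mocha: '^3.2.0' },
};

const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: samplePackageJson.dependencies, devDependencies: samplePackageJson.devDependencies },
    'node_modules/xmldom': { version: '0.6.0' },
    'node_modules/example-lib': { version: '1.0.0', dependencies: { xmldom: '^0.5.0' } },
    'node_modules/bootstrap': { version: '4.6.0' },
    'node_modules/mocha': { version: '3.2.0' },
  },
};

console.log(report(samplePackageJson, sampleLock, 'xmldom').join('\n'));
```

On a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the lockfile; the transitive list is what `npm ls xmldom` would show, and the spec check is what fails before any test can run.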

Member

@stephenwaite oh sorry, didn't notice this is the oe-cda-schematron package. Ignore the above and I'll try to test.
