Hello, we run our projects through the Retire.js vulnerability list (https://retirejs.github.io/retire.js/), and the Flexmonster npm package (2.7.13) was flagged as having jQuery 2.1.4 as a medium-vulnerability dependency.
I'm not concerned from a security standpoint, as we don't use the jQuery integration, but is there a way to control or exclude this source from the package? I asked some time ago about the possibility of a slimmed-down npm package that doesn't include all of the integrations and charting that we don't actively use.
Hi Daniel,
Thank you for posting your question.
Please note that as of right now Flexmonster does not use the jQuery dependency in any way – we'd suggest checking whether jQuery is added to the page with imports other than Flexmonster.
Addressing your mention of a slimmed-down Flexmonster package – as we've said earlier, it has been added to our backlog and we will let you know in case there are any updates on this.
Please let us know if you have any other questions we can help you with.
Regards,
Mykhailo
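The flag in the original question and the reply above come down to one check: is jQuery a declared dependency that your page actually loads, or just a version banner embedded in a shipped file? The script below is an added example, not code from this thread, from Flexmonster or from Retire.js. It is a miniature version-banner scanner in the spirit of Retire.js, run over constructed file contents instead of a real node_modules tree; the package name, file paths, banner regexes and the advisory range are illustrative assumptions, and the real ranges should come from Retire.js's own repository data. It separates "declared in package.json" from "string found in a file", which is what decides whether such a finding is worth acting on.

```javascript
// Added example (not Flexmonster's or Retire.js's code): a miniature
// version-banner scanner in the spirit of Retire.js, run over constructed
// file contents instead of a real node_modules tree. The banner regexes and
// the advisory range are illustrative assumptions; real detection data
// should come from Retire.js's own repository.

const BANNER_PATTERNS = [
  // minified build header, e.g. "/*! jQuery v2.1.4 | (c) ... */"
  /\/\*!?\s*jQuery v(\d+\.\d+\.\d+)/,
  // unminified source header, e.g. " * jQuery JavaScript Library v2.1.4"
  /jQuery JavaScript Library v(\d+\.\d+\.\d+)/,
];

// Illustrative advisory table (assumption): any jQuery release below 3.5.0
// is reported as "medium". Replace with the ranges from Retire.js's data.
const ADVISORIES = [{ component: "jquery", below: "3.5.0", severity: "medium" }];

// "2.1.4" -> [2, 1, 4]
function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

// Negative if a < b, zero if equal, positive if a > b (numeric per segment).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Extract every jQuery version banner found in one file's text.
function findJQueryVersions(text) {
  const versions = [];
  for (const re of BANNER_PATTERNS) {
    const m = text.match(re);
    if (m) versions.push(m[1]);
  }
  return versions;
}

// First advisory whose range covers the version, or null.
function matchAdvisory(version) {
  return ADVISORIES.find((adv) => compareVersions(version, adv.below) < 0) || null;
}

// Scan a package given its package.json and a map of file path -> contents.
// Each finding records whether jQuery is a declared dependency or merely a
// version string embedded in a shipped file: only the former guarantees the
// library is installed and loaded alongside the package.
function scanPackage(packageJson, files) {
  const declared = Object.keys({
    ...(packageJson.dependencies || {}),
    ...(packageJson.peerDependencies || {}),
  }).includes("jquery");
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const version of findJQueryVersions(text)) {
      const adv = matchAdvisory(version);
      findings.push({
        file: path,
        version,
        declared,
        severity: adv ? adv.severity : "none",
      });
    }
  }
  return findings;
}

// Constructed sample input modelled on the situation in the thread: no
// declared jQuery dependency, but one shipped integration file carries the
// jQuery 2.1.4 minified banner. Package and file names are made up.
const SAMPLE_PACKAGE_JSON = { name: "example-pivot", version: "0.0.0", dependencies: {} };
const SAMPLE_FILES = {
  "node_modules/example-pivot/jquery.example-pivot.js":
    "/*! jQuery v2.1.4 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */\n" +
    "!function(a,b){/* constructed stand-in for minified code */}(window);",
  "node_modules/example-pivot/example-pivot.js":
    "// pivot grid core, no jQuery here\nexport function render() {}",
};

function sampleFindings() {
  return scanPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of sampleFindings()) {
    console.log(`${f.file}: jQuery ${f.version} (${f.severity}), declared dependency: ${f.declared}`);
  }
}
```

On the constructed input the scanner reports one finding, jQuery 2.1.4 in the integration file with a "medium" rating and `declared: false`. That combination is the signature of the situation in this thread: the scanner is matching a banner in a bundled file rather than a dependency the page installs and loads, so the next step is to confirm which bundle your page actually imports and, if the integration file is never loaded, document the finding as a false positive for that reason.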
Hi Daniel,
How are you?
We were wondering if you've had a chance to check out our previous response. Have you managed to find the cause of the mentioned issue?
We would be happy to hear your feedback.
Best regards,
Mykhailo
Hi Daniel,
Hope you're doing well.
Just checking in to ask if you've managed to resolve the initial issue.
Please let us know if there's still anything we can assist you with here.
Regards,
Mykhailo
This issue can be closed; it looks like the security tool was picking up something it shouldn't.
Any updates on the slimmed-down package would be appreciated!
Daniel,
Thank you for the follow-up, we're glad to hear it's been sorted out!
Regarding the slimmed-down package, as promised, we will inform you in case there is anything new about this.
Have a great day ahead!
Kind regards,
Mykhailo