Hello, we run our projects through the Retire.js vulnerability list (https://retirejs.github.io/retire.js/), and the Flexmonster npm package (2.7.13) was flagged as having jQuery 2.1.4 as a medium-vulnerability dependency.
I’m not concerned from a security standpoint, as we don’t use the jQuery integration, but is there a way to control or exclude this source from the package. I asked some time ago about the possibility of a slimmed-down npm package that doesn’t include all of the integrations and charting that we don’t actively use.
Thank you for posting your question.
Please note that as of right now Flexmonster does not use the jQuery dependency in any way – we’d suggest checking whether jQuery is added to the page with imports other than Flexmonster.
Addressing your mention of a slimmed-down Flexmonster package – as we’ve said earlier, it has been added to our backlog and we will let you know in case there are any updates on this.
Please let us know if you have any other questions we can help you with.
How are you?
We were wondering if you’ve had a chance to check out our previous response. Have you managed to find the cause of the mentioned issue?
We would be happy to hear your feedback.
Hope you’re doing well.
Just checking in to ask if you’ve managed to resolve the initial issue.
Please let us know if there’s still anything we can assist you with here.
This issue can be closed; it looks like the security tool was picking up something it shouldn’t.
Any updates on the slimmed down package would be appreciated!
Thank you for the follow-up, we’re glad to hear it’s been sorted out!
Regarding the slimmed-down package, as promised, will inform you in case there is anything new about this.
Have a great day ahead!