
Retire.js security vulnerability - jQuery 2.1.4

Answered
Daniel Rutledge asked on September 25, 2020

Hello, we run our projects through the Retire.js vulnerability list (https://retirejs.github.io/retire.js/), and the Flexmonster npm package (2.7.13) was flagged as having jQuery 2.1.4 as a medium-vulnerability dependency.
I'm not concerned from a security standpoint, as we don't use the jQuery integration, but is there a way to control or exclude this source from the package? I asked some time ago about the possibility of a slimmed-down npm package that doesn't include all of the integrations and charting that we don't actively use.

5 answers

Public
Mykhailo Halaida Flexmonster September 28, 2020

Hi Daniel,
 
Thank you for posting your question.
 
Please note that as of right now Flexmonster does not use the jQuery dependency in any way – we'd suggest checking whether jQuery is added to the page with imports other than Flexmonster.
 
Addressing your mention of a slimmed-down Flexmonster package – as we've said earlier, it has been added to our backlog and we will let you know in case there are any updates on this.
 
Please let us know if you have any other questions we can help you with.
 
Regards,
Mykhailo

Public
Mykhailo Halaida Flexmonster October 5, 2020

Hi Daniel,
 
How are you?
 
We were wondering if you've had a chance to check out our previous response. Have you managed to find the cause of the mentioned issue?
 
We would be happy to hear your feedback.
 
Best regards,
Mykhailo

Public
Mykhailo Halaida Flexmonster October 14, 2020

Hi Daniel,
 
Hope you're doing well.
 
Just checking in to ask if you've managed to resolve the initial issue. 
 
Please let us know if there's still anything we can assist you with here.
 
Regards,
Mykhailo

Public
Daniel Rutledge October 14, 2020

This issue can be closed; it looks like the security tool was picking up something it shouldn't.
 
Any updates on the slimmed-down package would be appreciated!

Public
Mykhailo Halaida Flexmonster October 15, 2020

Daniel,
 
Thank you for the follow-up, we're glad to hear it's been sorted out!
 
Regarding the slimmed-down package, as promised, we will inform you in case there is anything new about this.
 
Have a great day ahead!
 
Kind regards,
Mykhailo
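
One way to triage a finding like the one in this thread is to check which package directory actually carries a jQuery build, as the first answer suggests. The script below is an added example, not code from the thread, Flexmonster or Retire.js; the function names, the banner patterns chosen and the sample tree are assumptions constructed for illustration.

```javascript
// Banner comments found at the top of jQuery builds (minified / unminified).
const BANNERS = [
  /\/\*!\s*jQuery v(\d+\.\d+\.\d+[\w.-]*)/,
  /jQuery JavaScript Library v(\d+\.\d+\.\d+[\w.-]*)/,
];

// Return the jQuery version a file announces in its header, or null.
function jqueryVersion(text) {
  const head = text.slice(0, 4096);
  for (const re of BANNERS) {
    const m = re.exec(head);
    if (m) return m[1];
  }
  return null;
}

// Name the npm package that owns a path: the entry after the last "node_modules".
function owningPackage(file) {
  const parts = file.split(/[\\/]/);
  const i = parts.lastIndexOf("node_modules");
  if (i < 0 || !parts[i + 1]) return "(application code)";
  const name = parts[i + 1];
  return name.startsWith("@") && parts[i + 2] ? `${name}/${parts[i + 2]}` : name;
}

// files: [{ path, text }]. One finding per file that carries a jQuery banner.
function triage(files) {
  return files
    .map((f) => ({ package: owningPackage(f.path), version: jqueryVersion(f.text), path: f.path }))
    .filter((f) => f.version !== null);
}

// Read every .js file under root from disk and triage it.
function scanDir(root) {
  const fs = require("fs"), path = require("path"); // Node built-ins
  const files = [];
  const walk = (dir) => {
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, e.name);
      if (e.isDirectory()) walk(p);
      else if (e.name.endsWith(".js")) files.push({ path: p, text: fs.readFileSync(p, "utf8") });
    }
  };
  walk(root);
  return triage(files);
}

// Constructed sample tree (paths and contents are stand-ins, not real package files).
const SAMPLE = [
  { path: "node_modules/flexmonster/lib/example.js", text: "/* constructed stand-in, no jQuery banner */" },
  { path: "node_modules/jquery/dist/jquery.min.js", text: "/*! jQuery v2.1.4 | (c) jQuery Foundation */" },
  { path: "src/vendor/jquery.js", text: "/*!\n * jQuery JavaScript Library v3.5.1\n */" },
];
console.log(triage(SAMPLE));
```

Calling `scanDir("node_modules")` from a project root applies the same check to the installed tree, so a scanner hit can be attributed to the package that actually ships the file.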
