Open
Description
Thought I would bring this up here as Speccy is a dead repo (last updated 3 years ago). It looks like Speccy is being used here and the latest version of Speccy is using an older version of redoc which is using a bad version of dompurify according to snyk .
Wondering what are thoughts around removing speccy from the repo?
Metadata
Metadata
Assignees
Projects
Milestone
Relationships
Participants
Activity
cebe commentedon Mar 11, 2022
it is used in the CI pipeline to compare whether specs that are valid in speccy are valid here too, so I'm not very concerned about any XSS in it.
However I'm open to replace it with a more up to date tooling from the JS world.
vvanpo commentedon Apr 21, 2022
@cebe even though the JavaScript dependency is not included in the release tarball, the presence of the
yarn.lockfile causes security scanning tools like Snyk to report a critical vulnerability (since it can be configured to crawl the a project after installing all Composer dependencies, looking for dependency manifests likeyarn.lock). Would it be possible to package and releasephp-openapiwithout theyarn.lockfile present?cebe commentedon Apr 21, 2022
As far as I remember that is possible by adding a
.gitattributesfile to exclude files like that, e.g. https://github.com/cebe/markdown/blob/2b2461bed9e15305486319ee552bafca75d1cdaa/.gitattributesHappy to merge a PR that adds one.
cebe commentedon Apr 29, 2022
https://openapi.tools/#description-validators
philsturgeon commentedon Jun 23, 2022
Hey hey! I made Speccy and it got trapped and promptly abandoned at WeWork when I left. Spectral is the successor, it does severything Speccy did and a million times more. https://github.com/stoplightio/spectral/