Upgraded bower to 1.8.8 and grunt-groc to 0.7.1 #29
How important is the grunt-groc task? It sounds to me like that particular library is unique to the grunt build process and won’t be included in the final package?

Sent from Mail for Windows 10

From: Lachlan Barclay
Sent: Wednesday, August 5, 2020 6:13 PM
To: ESAPI/owasp-esapi-js
Cc: Subscribed
Subject: [ESAPI/owasp-esapi-js] Upgraded bower to 1.8.8 and grunt-groc to 0.7.1 (#29)

This is a fix for #28 and fixes the bower dependency issue. Unfortunately, it looks like grunt-groc has a dependency tree of grunt-groc > groc > jade > constantinople, and the version of constantinople referenced has a critical security vulnerability https://www.npmjs.com/advisories/568. It looks like grunt-groc has a pull request for this - jdcataldo/grunt-groc#22 - but I think grunt-groc isn't being maintained anymore. I'm not sure if grunt-groc is needed or how to replace it, I'll have a look at it a bit later if I can.

I can't test this fix properly - it's not building on my mac and the tests don't run on windows, but I'm pretty sure it should continue to work ok.

I agree with @kwwall - unless this vuln can be fixed, I would stick up a "Do NOT use!" warning unless someone more experienced than me can fix it.

You can view, comment on, or merge this pull request online at: https://github.com/ESAPI/owasp-esapi-js/pull/29

Commit Summary: Upgraded bower to 1.8.8 and grunt-groc to 0.7.1
File Changes: M dist/ESAPI.js (4), M dist/ESAPI.min.js (4), M package.json (4)
I'm really not sure. Need to get someone who is more familiar with npm+grunt than me.

Groc: A simple grunt task to generate a project's documentation using Groc
I would say based on Andre's comment that this wouldn't block the lib from
moving forward. I can live with a CVE introduced that affects only the
build environment of a library and remains local.
…On Thu, Aug 6, 2020 at 4:17 AM André R. Ferreira ***@***.***> wrote:
Groc: A simple grunt task to generate a project's documentation using Groc
https://github.com/ESAPI/owasp-esapi-js/blob/master/tasks/groc.js holds
the task that listens to any files under /lib (which I didn't see in the
project) and will output to a /docs folder. Perhaps "David Morse" can add
the reasoning behind it.
--
Matt Seil
Cyber Security Software Engineer
Member ACM/OWASP
@chrisisbeef - This is your project and no one that I've found knows about the deployment. If we can't get this fixed, I am seriously considering updating the README.md to say "Do not use" and then 'archiving this repository' so that it is read-only. So, can you please respond? Thanks.

Hey guys - this project is woefully out of date at this point (having gone through and reviewed a lot of this code) and I think honestly the best course of action would be to EoL the project completely. There are much better solutions that are provided by most modern frameworks to handle this on the client-side IMO.

Leaving this PR open in case someone volunteers to take this repo over and get it working. I am now going to officially archive this GitHub repo.
This is a fix for #28 and fixes the bower dependency issue. Unfortunately, it looks like grunt-groc has a dependency tree of `grunt-groc > groc > jade > constantinople`, and the version of constantinople referenced has a critical security vulnerability https://www.npmjs.com/advisories/568. It looks like grunt-groc has a pull request for this - jdcataldo/grunt-groc#22 - but I think grunt-groc isn't being maintained anymore. I'm not sure if grunt-groc is needed or how to replace it, I'll have a look at it a bit later if I can.

I can't test this fix properly - it's not building on my mac and the tests don't run on windows, but I'm pretty sure it should continue to work ok.

I agree with @kwwall - unless this vuln can be fixed, I would stick up a "Do NOT use!" warning unless someone more experienced than me can fix it.
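Matt Seil's position above (a CVE confined to the build environment is tolerable) and the dependency chain named in this PR description both hinge on one check: is the advisory's package reachable from the project's runtime dependencies, or only from its devDependencies? The Node.js script below is an added example, not code from owasp-esapi-js or from any npm tool. It walks a constructed dependency graph modelled on the chain grunt-groc > groc > jade > constantinople; all versions other than the two this PR pins (bower 1.8.8, grunt-groc 0.7.1) are placeholders, `runtime-lib` is a hypothetical package, and placing bower and grunt-groc under devDependencies is an assumption about the real package.json, which the thread does not show.

```javascript
// Added example (not code from owasp-esapi-js): decide whether a package named
// in a vulnerability advisory is reachable from a project's production
// dependencies or only through its devDependencies (build tooling).
//
// The graph below is CONSTRUCTED to mirror the chain named in the pull request
// (grunt-groc > groc > jade > constantinople). Versions other than the two the
// PR pins (bower 1.8.8, grunt-groc 0.7.1) are placeholders, "runtime-lib" is a
// hypothetical package, and treating bower and grunt-groc as devDependencies is
// an assumption about the real package.json, not something the thread states.

const PACKAGES = {
  "grunt-groc":     { version: "0.7.1",             requires: ["groc"] },
  "groc":           { version: "0.0.0-placeholder", requires: ["jade"] },
  "jade":           { version: "0.0.0-placeholder", requires: ["constantinople"] },
  "constantinople": { version: "0.0.0-placeholder", requires: [] },
  "bower":          { version: "1.8.8",             requires: [] },
  "runtime-lib":    { version: "0.0.0-placeholder", requires: [] },
};

const ROOT = {
  dependencies:    ["runtime-lib"],           // shipped with the package (hypothetical)
  devDependencies: ["bower", "grunt-groc"],   // build tooling only (assumed)
};

// Breadth-first walk from a set of root dependency names. Returns a map
// child -> parent that first reached it (roots map to null), which is enough to
// reconstruct a shortest dependency path to any reachable package.
function reachableFrom(rootDeps, packages) {
  const parent = new Map();
  const queue = [];
  for (const name of rootDeps) {
    if (!parent.has(name)) { parent.set(name, null); queue.push(name); }
  }
  while (queue.length > 0) {
    const name = queue.shift();
    const pkg = packages[name];
    if (!pkg) continue;                           // unresolved edge: see missingPackages()
    for (const dep of pkg.requires) {
      if (!parent.has(dep)) { parent.set(dep, name); queue.push(dep); }
    }
  }
  return parent;
}

// Rebuild the path root > ... > name from the parent map, or null if unreachable.
function pathTo(parent, name) {
  if (!parent.has(name)) return null;
  const path = [];
  for (let cur = name; cur !== null; cur = parent.get(cur)) path.unshift(cur);
  return path;
}

// Names referenced somewhere in the graph but absent from it. If this is
// non-empty, a "dev-only" verdict is not trustworthy: the vulnerable package
// could sit behind an edge the graph does not resolve.
function missingPackages(root, packages) {
  const referenced = new Set([...root.dependencies, ...root.devDependencies]);
  for (const pkg of Object.values(packages)) pkg.requires.forEach((d) => referenced.add(d));
  return [...referenced].filter((name) => !(name in packages)).sort();
}

// Classify one package: "production" if any runtime dependency pulls it in,
// "dev-only" if only build tooling does, "not-installed" otherwise.
function classify(name, root, packages) {
  const prodPath = pathTo(reachableFrom(root.dependencies, packages), name);
  const devPath  = pathTo(reachableFrom(root.devDependencies, packages), name);
  const scope = prodPath ? "production" : devPath ? "dev-only" : "not-installed";
  return { name, scope, prodPath, devPath, unresolved: missingPackages(root, packages) };
}

// Human-readable report for one advisory package.
function report(name, root, packages) {
  const r = classify(name, root, packages);
  const lines = [`${name}: ${r.scope}`];
  if (r.prodPath) lines.push(`  production path: ${r.prodPath.join(" > ")}`);
  if (r.devPath)  lines.push(`  dev path:        ${r.devPath.join(" > ")}`);
  if (r.unresolved.length) lines.push(`  WARNING unresolved: ${r.unresolved.join(", ")}`);
  return lines.join("\n");
}

console.log(report("constantinople", ROOT, PACKAGES));
```

On the constructed graph the verdict for constantinople is "dev-only", with the path grunt-groc > groc > jade > constantinople, which is the situation Matt describes. Two caveats a reviewer would still raise: a dev-only package is still executed on every developer machine and CI runner that builds the project, so the exposure moves rather than disappears; and the verdict is only as good as the graph, which is why `missingPackages()` is reported alongside it. For a real project the `PACKAGES` table would be read from the lockfile rather than typed in.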