The mason-js dependency is unmaintained and frozen, but still currently used inside of vtcomposite. It has been unmaintained since 2018. For a while it seemed like mason-js would again see maintenance (enough that security issues related to out-of-date binaries and mason-js JS dependencies could be mitigated). But, in effect, mason-js has not been maintained since 2018 and therefore I think it is critical to acknowledge this and take action downstream (here).
So, my recommendation is to remove the dependence on mason-js in vtcomposite.
To do this would involve:
- Removing mason-js from `vtcomposite/package.json` (line 20 in ffdea5a): `"@mapbox/mason-js": "^0.1.5"`
- Removing the `mason-versions.ini`
- Implementing an alternative method for fetching up to date and reliable versions of dependencies that are currently being installed by mason-js