Speccy uses dompurify with XSS vulnerability

[riderjensen]

Thought I would bring this up here as Speccy is a dead repo (last updated 3 years ago). It looks like Speccy is being used here and the latest version of Speccy is using an older version of redoc which is using a bad version of dompurify according to snyk .

Wondering what are thoughts around removing speccy from the repo?

[cebe]

it is used in the CI pipeline to compare whether specs that are valid in speccy are valid here too, so I'm not very concerned about any XSS in it. However I'm open to replace it with a more up to date tooling from the JS world.

[vvanpo]

@cebe even though the JavaScript dependency is not included in the release tarball, the presence of the yarn.lock file causes security scanning tools like Snyk to report a critical vulnerability (since it can be configured to crawl the a project after installing all Composer dependencies, looking for dependency manifests like yarn.lock). Would it be possible to package and release php-openapi without the yarn.lock file present?

[cebe]

As far as I remember that is possible by adding a .gitattributes file to exclude files like that, e.g. https://github.com/cebe/markdown/blob/2b2461bed9e15305486319ee552bafca75d1cdaa/.gitattributes

Happy to merge a PR that adds one.

[cebe]

However I'm open to replace it with a more up to date tooling from the JS world.

https://openapi.tools/#description-validators

[philsturgeon]

Hey hey! I made Speccy and it got trapped and promptly abandoned at WeWork when I left. Spectral is the successor, it does severything Speccy did and a million times more. https://github.com/stoplightio/spectral/