replacing deprecated optional dependency libxmljs2
#1079
The library
An hour ago, the optional dependency This means, a replacement must be found. I will work on this topic eventually.
Sure, just use |
libxmljs2
Thanks! And sorry for the somewhat early issue creation, I thought it might have been useful to have an issue for everyone to see/find if the repo was deleted permanently 🙇 Just to add a bit of follow-up: It seems that libxmljs2 is indeed now accessible again (cf: restore) with a deprecation message, which should give everyone a bit more leeway to transition to something else (and/or to fork that repo). In my case, the library was installed/built on all my CI jobs, including some of them not having the necessary tools to build the binaries from source (which was problematic until the repo was restored). But since "BOM generation" happens in its own small job, the library should only be installed/built there, and having a CI image capable of doing this should be fairly easy. 🙇
this is considered a breaking change for the following reasons:
https://www.npmjs.com/package/xmlschema.js looks promising - from the project's description. I contacted the author, @paulwardrip, to find out what is going on and gather more insight.
in preparation to a possible change or addition of optional dependencies. see #1079 --------- Signed-off-by: Jan Kowalleck <[email protected]>
I've refactored some internals; now, it should be easy to write code to allow an alternative to cyclonedx-javascript-library/src/_optPlug.node/xmlValidator.ts Lines 26 to 31 in 48cbc02
pull requests welcome!
this issue is flagged "help wanted".
Looking around, I found a comment in the libxmljs repo pointing to https://github.com/jameslan/libxml2-wasm, could this be a possible replacement? I'm not really familiar with the typescript/javascript world, but it seems to be able to validate and is being maintained.
Due to libxmljs2 not being maintained and contains a vulnerability, a replacement needed to be found. This commit replaces it with libxml2-wasm, which is a new, but maintained library, which serves the purpose of validating XML. The implementation is as close to the previous library in regards to flags passed to libxml2, but only adapted to a different interface and the recommendation to dispose all objects. This is my first contribution to this project, and typescript isn't my usual language, so comments are welcome. Resolves: CycloneDX#1079
Due to libxmljs2 not being maintained and contained a vulnerability, a replacement needed to be found. This commit replaces it with libxml2-wasm, which is a new, but maintained library, which serves the purpose of validating XML. The implementation is as close to the previous library in regards to flags passed to libxml2, but only adapted to a different interface and the recommendation to dispose all objects. This is my first contribution to this project, and typescript isn't my usual language, so comments are welcome. Resolves: CycloneDX#1079 Signed-off-by: Leon Grave <[email protected]>
Due to libxmljs2 not being maintained and contains a vulnerability, a replacement needed to be found. This commit replaces it with libxml2-wasm, which is a new, but maintained library, which serves the purpose of validating XML. The implementation is as close to the previous library in regards to flags passed to libxml2, but only adapted to a different interface and the recommendation to dispose all objects. This is my first contribution to this project, and typescript isn't my usual language, so comments are welcome. Resolves: CycloneDX#1079 Signed-off-by: Leon Grave <[email protected]>
The libxmljs2 seems to be trying to download some files from its GitHub repository in its "install"/"build" (through node-gyp, if I understand properly).
But it looks like the repository has been deleted recently, maybe after a CSV declaration that was partly covered in this issue; making installations that are trying to download the binaries fail if they do not have the ability to build the library as a fallback.
Since the repository has been deleted, it might be a sign that no further development/support will be made for that library and relying on it in the long run might be difficult nonetheless?
Could a replacement or removal of the library be considered? In the meantime, not using the library or not executing its "build", or adjusting CI configurations in order for build to succeed from source, might be workable fallbacks for users of cyclonedx-javascript-library?
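The fallbacks named in the post above (not using the optional library, or not running its build in jobs that cannot compile it) start with knowing which locked packages run install scripts and which of those are optional. The following is an added example, not code from this thread or from the project: it reads the `packages` map of an npm lockfile (v2/v3 shape) and classifies each entry. The sample lockfile, its versions, and the `example-*` package names are constructed for illustration.

```javascript
// Constructed sample in the shape of package-lock.json (lockfileVersion 3).
// Versions and the "example-*" packages are made up for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/libxmljs2": {
      version: "0.0.0-sample",
      optional: true,
      hasInstallScript: true,
    },
    "node_modules/example-pure-js": { version: "0.0.0-sample", optional: true },
    "node_modules/@scope/example-native": {
      version: "0.0.0-sample",
      hasInstallScript: true,
    },
  },
};

// Return every locked package that runs an install script, with the
// fallback that applies to it in a CI job without build tools.
function auditInstallScripts(lock) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.hasInstallScript) continue;
    // The package name is whatever follows the last "node_modules/".
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const optional = meta.optional === true;
    findings.push({
      name,
      version: meta.version,
      optional,
      // Optional: the job can install with `npm ci --omit=optional`.
      // Required: the job needs build tools, or the script must be reviewed.
      mitigation: optional ? "omit-optional" : "needs-build-tools",
    });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

const findings = auditInstallScripts(sampleLock);
for (const f of findings) {
  console.log(`${f.name}@${f.version} optional=${f.optional} -> ${f.mitigation}`);
}
```

Run against a real `package-lock.json`, the `omit-optional` entries are the ones a job can skip with `npm ci --omit=optional`; `npm ci --ignore-scripts` skips install scripts for every package.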