Problem statement
Vulnerability scanning tools are identifying CVEs in Javascript files in the benchmarks directory of the project, even though they cannot be used by projects that import this package as a dependency.
Analysis
The minify package that is published to Go proxies contains Javascript files from the benchmarks directory. Vulnerability scanners often work by downloading the zipped code from the package and scanning all of the code statically and checking the hashes of files against a database of known issues. The JS files under benchmarks have CVEs registered against them and therefore cause this package to be identified against those CVEs.
Possible solutions
1. (Preferred) Rename the benchmarks directory to _benchmarks, causing the directory to be ignored by the Go tooling and therefore not included in the packaged zip on Go proxy servers
2. Manually update the JS files to later versions. This doesn't solve the issue, it just pushes the problem away until further CVEs are uncovered
3. Adopt a JS package management framework to provide an easier path to upgrading JS dependencies. This again defers the problem, but also adds the complexity of pulling the JS files out to perform the benchmarking tests
Analysis
Options 2 & 3 both have the problem that someone needs to perform the dependency update steps to pull in a version of the dep that does not have the vulnerability. It is possible that a CVE is open and no fix is available.
Preventing the scanners from being triggered in the first place feels like the right solution.
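The scanner behaviour the issue describes, as an added example that is not part of the original issue or of the minify project: a scanner that hashes every file in a downloaded tree and matches the hashes against an advisory database, with no parsing or import analysis, so a file under benchmarks/ is flagged exactly like one at the package root. The module layout, the JavaScript file and the advisory identifier EXAMPLE-ADVISORY-0001 are constructed here; the hash database is derived from the constructed file for self-containment, whereas real scanners ship precomputed hashes. GoToolIgnores models the rule from `go help packages` (names beginning with "." or "_", and "testdata", are ignored); the example does not build a module zip, so whether a proxy-served zip omits such a directory is an assumption it shares with the preferred option above, not something it verifies.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one file whose content hash matched the advisory database.
type Finding struct {
	Path     string // slash-separated path relative to the scanned root
	Hash     string // hex SHA-256 of the file contents
	Advisory string // identifier from the database (constructed in this example)
}

// GoToolIgnores reports whether the go tool's package patterns would skip a
// directory of this name: names beginning with "." or "_", and "testdata".
func GoToolIgnores(name string) bool {
	return strings.HasPrefix(name, ".") || strings.HasPrefix(name, "_") || name == "testdata"
}

// hashFile returns the hex SHA-256 of a file's contents.
func hashFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// ScanTree walks root, hashes every regular file and returns those whose hash
// is in db. Nothing is parsed or imported, so a match is reported whether or
// not any Go code could reach the file. skipDir, if non-nil, is applied to
// every directory name below root; nil scans the whole download.
func ScanTree(root string, db map[string]string, skipDir func(string) bool) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if path != root && skipDir != nil && skipDir(d.Name()) {
				return filepath.SkipDir
			}
			return nil
		}
		h, err := hashFile(path)
		if err != nil {
			return err
		}
		if id, ok := db[h]; ok {
			rel, err := filepath.Rel(root, path)
			if err != nil {
				return err
			}
			findings = append(findings, Finding{Path: filepath.ToSlash(rel), Hash: h, Advisory: id})
		}
		return nil
	})
	return findings, err
}

// BuildSampleTree writes a constructed module layout under dir (one Go file,
// one JavaScript file in benchDir) and returns the hash database a scanner
// would consult. The database is derived from the constructed JS file here;
// real databases ship precomputed hashes of affected upstream releases.
func BuildSampleTree(dir, benchDir string) (map[string]string, error) {
	jsPath := filepath.Join(benchDir, "sample.js")
	files := map[string]string{
		"minify.go": "package minify\n\nfunc Version() string { return \"example\" }\n",
		jsPath:      "// constructed stand-in for a vendored library file\nvar lib = function () {};\n",
	}
	for rel, content := range files {
		p := filepath.Join(dir, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return nil, err
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			return nil, err
		}
	}
	h := sha256.Sum256([]byte(files[jsPath]))
	return map[string]string{hex.EncodeToString(h[:]): "EXAMPLE-ADVISORY-0001"}, nil
}

// Demo builds the constructed tree with the benchmark directory named benchDir
// and returns the finding counts of a scan over the raw download and of a scan
// that applies the go tool's ignore rule.
func Demo(benchDir string) (raw, goView int, err error) {
	dir, err := os.MkdirTemp("", "modscan")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	db, err := BuildSampleTree(dir, benchDir)
	if err != nil {
		return 0, 0, err
	}
	all, err := ScanTree(dir, db, nil)
	if err != nil {
		return 0, 0, err
	}
	shipped, err := ScanTree(dir, db, GoToolIgnores)
	return len(all), len(shipped), err
}

func main() {
	for _, benchDir := range []string{"benchmarks", "_benchmarks"} {
		raw, goView, err := Demo(benchDir)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s raw download: %d finding(s); go-tool view: %d finding(s)\n", benchDir, raw, goView)
	}
}
```

The raw scan flags sample.js under both directory names, which is the issue's point: the scanner never asks whether the file is importable. Only a consumer that applies the ignore rule, or a download from which the directory is absent, drops the finding for _benchmarks.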