Depends on vulnerable versions of three #244
Comments
I'm not seeing that many vulnerabilities. When running
Looking at the advisory, I'm not sure if it really applies here. We never call Also, it seems like versions newer than the one that we use have removed some of the files that we depend upon, which means that updating is a non-trivial task. Unfortunately, we don't really have much bandwidth to look into this. If someone is able to take a look and figure out how to update things, we'd be incredibly grateful.
Decided the most expedient way of fixing this is by vendoring the files. See #247
Copy the example files we depended on from an older version of threejs into a vendor directory and apply the rollup replace pieces directly to it. This allows us to update to a newer version of threejs so that npm audit --production no longer produces any issues. We can't upgrade to newer versions of threejs until we update our tooling and likely start transpiling threejs as well, because by default it starts including new JS features in the build files. Fixes #244.
I've published this as 1.10.0. It's tagged
npm audit gives the error below:
three <0.125.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1639
No fix available
node_modules/three
videojs-vr *
Depends on vulnerable versions of three
node_modules/videojs-vr
version installed "videojs-vr": "^1.8.0",
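As an added example (not from the issue or from the videojs-vr project), this walks an `npm audit --json` report in the npm 7+ shape behind the text output quoted above and explains which transitive package and advisory make a direct dependency show up as vulnerable; the report object is constructed here to mirror the quoted output.

```javascript
// Constructed sample: the npm 7+ (auditReportVersion 2) JSON form of the
// audit output quoted in the issue. `via` entries are either an advisory
// object (root cause) or the name of another vulnerable package.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    three: {
      name: "three", severity: "high", isDirect: false,
      via: [{ source: 1639, name: "three", title: "Regular Expression Denial of Service",
              url: "https://npmjs.com/advisories/1639", severity: "high", range: "<0.125.0" }],
      effects: ["videojs-vr"], range: "<0.125.0", nodes: ["node_modules/three"], fixAvailable: false,
    },
    "videojs-vr": {
      name: "videojs-vr", severity: "high", isDirect: true,
      via: ["three"], effects: [], range: "*", nodes: ["node_modules/videojs-vr"], fixAvailable: false,
    },
  },
};

// Follow `via` links from a package down to the advisories at the root of its chain.
// `path` records the packages already visited so a cycle in `via` cannot loop forever.
function rootAdvisories(vulns, name, path = []) {
  const entry = vulns[name];
  if (!entry || path.includes(name)) return [];
  const chain = [...path, name];
  const out = [];
  for (const v of entry.via) {
    if (typeof v === "string") out.push(...rootAdvisories(vulns, v, chain));
    else out.push({ chain, advisory: v.source, title: v.title, severity: v.severity, range: v.range, url: v.url });
  }
  return out;
}

// For every direct dependency the audit flags, report which transitive package
// and advisory cause the finding and whether npm offers any fix.
function explainDirectFindings(report) {
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns)
    .filter((v) => v.isDirect)
    .map((v) => ({
      dependency: v.name,
      severity: v.severity,
      fixAvailable: v.fixAvailable !== false, // npm uses false, true, or an object describing the fix
      advisories: rootAdvisories(vulns, v.name).map((a) => ({ ...a, chain: a.chain.join(" -> ") })),
    }));
}

// CI gate: true when any direct dependency carries a finding at or above `level`.
const LEVELS = ["info", "low", "moderate", "high", "critical"];
function hasFindingAtLeast(report, level) {
  const min = LEVELS.indexOf(level);
  return explainDirectFindings(report).some((f) => LEVELS.indexOf(f.severity) >= min);
}

console.log(JSON.stringify(explainDirectFindings(sampleReport), null, 2));
```

Feed it the real report with `npm audit --production --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` to see which direct dependency is pulling in a flagged version, rather than reading the counts alone.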