On 2025-04-01 09:43:21 +0200 (+0200), Pierre Riteau wrote:
> [...]
> I submitted a change to replace the minified apexcharts with the latest full version [1]. It needs to be tested because there could be major changes in apexcharts breaking blazar-dashboard.
> [...]

Longer term, it would be best if we can all work together to find a consistent workflow that avoids OpenStack projects embedding/vendoring random third-party libraries in their Git repositories. Skyline has a similar issue to tackle right now, which was very recently brought to light, and there's been long-running discussions in Horizon about how to get away from the xstatic package model which still has many of the same drawbacks. Ideally, these dependencies would be sourced at install (or at least build) time from their own upstream release artifacts either securely over the Internet or from locally-supplied copies.

The OpenStack community lacks the resources and tooling to track and react to vulnerabilities in our dependencies. What's the plan for blazar-dashboard if there's a security vulnerability in apexcharts? How do we expect to find out that we're shipping an outdated, vulnerable version of it to our users? Do blazar-dashboard releases even document what version of apexcharts they include, and notify users that they're on their own keeping track of when and whether they should apply security fixes for it?

Also see the long-standing TC resolution on Guidelines for Managing Releases of Binary Artifacts which points out many of these risks: https://governance.openstack.org/tc/resolutions/20170530-binary-artifacts.ht...

-- 
Jeremy Stanley