We have library imports that are forks, for example dom/media/webaudio/blink, as the README file explains. That should probably be removed from that list.
On 2017-03-17 2:30 PM, Tom Ritter wrote:
> As part of a broader initiative to perform a security review of the
> third party libraries we use, there is now a semi-automated service
> that can file bugs when upstream libraries are newer than the one we
> embed.
>
> Closely tracking upstream can ensure we don't inherit publicly known
> vulnerabilities. That's bitten us in the past and indeed during the
> initial filing of bugs, we identified a few outstanding ones. And it
> can bring in speed and performance improvements, and new features.
>
> The initial cut of the tool has been focused on libraries that we
> embed in mozilla-central (:arroway found a ton of them) but we don't
> think the list is complete. If you're a maintainer of a library,
> please please please confirm we are tracking your library. Check out
> https://github.com/mozilla-services/third-party-library-alert/blob/master/libraries.json
> and search for your library - if you don't see it there (and I haven't
> emailed you about it) we don't know about it and we want to both know
> about it and add it into this service.
>
> However, there's no reason it has to be focused on mozilla-central -
> we'd be happy to track stuff for the multitude of people building
> stuff outside -central too. So if it's useful to you, let me know! And
> it doesn't have to be an entire library, we can track commits on
> individual source files inside of a larger repository also.
>
> Also: If you do see your library there, and you would like any bugs
> filed for it to do something special (e.g. block a specific tracking
> bug, cc you, whatever) again please reach out.
>
> Finally, it would be great if, going forward, when we add a new
> library to the tree we immediately add it into this tool. So if you're
> doing review and see someone adding a library, or even just excerpts
> from a library - ask them to add it in (or ask them to ask me to add
> it in.)
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform