More and more security warnings - is Observable Framework actually being maintained anymore?

[dkrasne]

As several recent open issues have indicated, npm and GitHub's dependabot are flagging more and more security issues with the packages that Observable Framework relies on, many of which have actually been fixed in those packages. There hasn't, as far as I can see from commit dates on GitHub, been any updating of the code for the last 11 months. I know that the Observable team is really excited about their new AI canvases, but not all projects use AI (or even want to), and Framework is a phenomenal tool that should at least be properly maintained even if no further development is happening. Please please please at least do a health check on it a couple of times per year!
@Fil @mbostock

[mbostock]

Dependabot (primarily) checks the yarn.lock for dependencies, however the yarn.lock does not control what version is installed when you install Observable Framework — instead the package.json controls that. In practice this means that Dependabot checks are typically noise and you should not assume that they are active security issues with Framework. We should probably disable Dependabot.

For example if you look at https://github.com/observablehq/framework/security/dependabot/21, it says that form-data needs a critical update. The form-data package is in our yarn.lock for two reasons:

1. We have a dependency on jsdom ^23.2.0 which depends on form-data ^4.0.0.
2. We have a dev dependency on chai-http ^4.4.0 which depends on superagent ^8.0.9 which depends on form-data ^4.0.0.

The chai-http path is irrelevant because we only use chai-http for testing; dev dependencies are not installed when you install Framework. Since the jsdom dependency depends on form-data ^4.0.0, the fixed version of form-data 4.0.4 (and the current version 4.0.5) will satisfy this range. Hence this “critical” alert is a non-issue for users of Framework; if you install Framework now, you will already get the version of form-data that fixes the issue.

(In many cases, these security issues even in the affected versions are irrelevant. I will not investigate the specific merit of every issue, but for example ReDoS security issues are very commonly reported and are typically only relevant if you accept untrusted input. Observable Framework is a static site generator and typically compiles only trusted input.)

We are still maintaining this repo even though we are not developing new features and recommend that users migrate to Notebook Kit (Notebooks 2.0); see related discussion. Closing spurious Dependabot alerts is not a high priority for us, but if there are legitimate issues that need maintenance, please let us know.

[mbostock]

I’ve published a new release with updated dependencies. The upgrades to tar and esbuild are notable because they are in the package.json, not just the yarn.lock. Thanks for the prod.