The Graph extension currently depends on the d3 and Vega libraries. Both are checked in as static files inside the code repository, which means anyone can edit them or swap them out for untrusted or unaudited files without the change being detectable.
TODO
- These libraries should be managed through a foreign-resources.yaml file, so that a script can be run to verify that the vendored files match the published upstream versions.
- The Growth team has a more modern custom d3.js build that has gone through a security review. We should use that if possible.
- Update to Vega 5.25 which has the latest ES5 build.
- Vega includes D3 so there is no need to provide our own D3 library.
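The verification step described in the first TODO item, as an added, stand-alone illustration (not code from the Graph extension or MediaWiki core): each vendored file is compared against an integrity value pinned in a manifest. The manifest shape used here (`type`, `src`, `dest`, `integrity` with an SRI-style `sha384-<base64>` value) is modelled on foreign-resources.yaml but is an assumption; the file contents and URLs are constructed for the demo.

```python
# Added example: offline integrity check for vendored libraries, modelled on the
# foreign-resources.yaml idea. Manifest keys are an assumption, not the real schema.
import base64
import hashlib
import os
import tempfile

def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return a Subresource-Integrity style digest, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_resources(manifest: dict, root: str) -> dict:
    """Compare each vendored file under `root` with the integrity value pinned in
    `manifest`. Returns {resource name: True|False}; a missing file or an unknown
    hash algorithm is reported as a failure instead of raising."""
    results = {}
    for name, entry in manifest.items():
        path = os.path.join(root, entry["dest"])
        algo, _, _ = entry["integrity"].partition("-")
        try:
            with open(path, "rb") as fh:
                actual = sri_hash(fh.read(), algo)
        except (OSError, ValueError):
            results[name] = False
            continue
        results[name] = actual == entry["integrity"]
    return results

def demo() -> dict:
    """Constructed scenario: one pristine vendored file and one edited locally."""
    root = tempfile.mkdtemp()
    pristine_vega = b"/* vega (constructed stand-in) */ var vega = {};\n"
    pristine_d3 = b"/* d3 (constructed stand-in) */ var d3 = {};\n"
    with open(os.path.join(root, "vega.js"), "wb") as fh:
        fh.write(pristine_vega)
    with open(os.path.join(root, "d3.js"), "wb") as fh:
        fh.write(pristine_d3 + b"window.injected = 1;\n")  # local, unaudited edit
    manifest = {
        "vega": {"type": "file", "src": "https://example.invalid/vega.js",
                 "dest": "vega.js", "integrity": sri_hash(pristine_vega)},
        "d3": {"type": "file", "src": "https://example.invalid/d3.js",
               "dest": "d3.js", "integrity": sri_hash(pristine_d3)},
    }
    return verify_resources(manifest, root)

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

A real check would compute the pinned value from the upstream release artifact once, commit it to the manifest, and fail CI whenever the file in the repository no longer matches it.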
Sign off notes
Opened T335519 for follow-up work.
Notes
Formerly considered blocked on T330508