Static-eval security issue reported by npm audit

[goldengecko]

To reproduce, install plotly.js in a project, and run npm audit.

Expected outcome: no security issues.
Actual outcome: reports an issue due to the version of static-eval linked to in the package.
Fix: update the static-eval version to >= 2.0.2. See https://www.npmjs.com/advisories/758

There are 16 security alerts generated, but they all refer to the same issue, as shown in the attached image.

[etpinard]

Duplicate of scijs/cwise#19

[Ionaru]

@etpinard You are referring to an issue that is 2 years old, the PR ( scijs/cwise#25 ) that is meant to fix the security vulnerability has had no meaningful update or discussion since Jul 25, 2019.

At this point I think it's fair to assume the vulnerability will not be fixed at cwise's side, and I suggest looking into alternatives.

[stephanvierkant]

Why is this issue closed? There are still security issues with cwise.

They may not cause direct issues with this repo, but at some point a non-maintained dependency with security issues should be fixed or replaced.

[nicolaskruchten]

We're tracking this in #4796 now :)