Hi all,
I'm pretty new here, and I defo love Joplin's core idea and the direction it's taken. Great work on putting this together! But before I fully switch to it, there's still something that I can't figure out - what is the project direction WRT keeping a secure code development and a safe list of dependencies.
In terms of dependencies, I tried to run a local `grype` on the git tag v3.7.8 which brought up a huge list of vulnerable packages in the SBOM. I read in an old README that the plan was to replace occasional `npm audit fix`, this is great, but looking at the renovate config it seems that the list of exceptions is pretty large and the wait for even patch versions is 90d. I understand the rationale behind that as to ensure code stability, but how do you assess if anything needs to be updated faster? How frequently do you do it?
In terms of secure code, does the project has guidelines and controls to ensure these are respected to ensure the contributors are adhering to that?
Again I really like this project, I would just like to get some clarification about it's security direction (or see if I can contribute to it).
Thanks in advance for your clarification!