Use of unmaintained dependency bluebird@3.7.2 in @stoplight/elements #2858
Description
Hi Stoplight team,
We are using @stoplight/elements in an enterprise production environment and noticed that it introduces bluebird@3.7.2 as a transitive dependency via the following chain:
@stoplight/elements
└─ @stoplight/http-spec
└─ @stoplight/json-schema-generator
└─ json-promise
└─ bluebird@3.7.2
While there are no publicly reported security vulnerabilities (CVE / GHSA / NVD) associated with Bluebird, the library has not been updated for several years and is increasingly being flagged by enterprise security scanners due to its maintenance status.
Context
There has been long-standing community discussion around the maintenance and future of Bluebird, including issues such as:
These discussions are often referenced by security and compliance teams when assessing dependency risk, even when no specific vulnerability is present.
Questions
- Are there any plans to remove or replace Bluebird?
- Is there any official guidance or published justification you can share to help address enterprise security and compliance concerns related to this dependency?