.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,37 @@
+<!--
+Questions:
+  https://groups.google.com/forum/#!forum/loopbackjs
+  https://gitter.im/strongloop/loopback
+Immediate support:
+  https://strongloop.com/api-connect-faqs/
+  https://strongloop.com/node-js/subscription-plans/
+-->
+
+# Description/Steps to reproduce
+
+<!--
+If feature: A description of the feature
+If bug: Steps to reproduce
+-->
+
+# Link to reproduction sandbox
+
+<!--
+Link to an app sandbox for reproduction
+
+Note: Failure to provide a sandbox application for reproduction purposes will result in the issue being closed.
+-->
+
+# Expected result
+
+<!--
+Also include actual results if bug
+-->
+
+# Additional information
+
+<!--
+Copy+paste the output of these two commands:
+  node -e 'console.log(process.platform, process.arch, process.versions.node)'
+  npm ls --prod --depth 0 | grep loopback
+-->

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,50 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-labels: bug
-
----
-
-<!-- 🚨 STOP 🚨 STOP 🚨 STOP 🚨
-
-HELP US HELP YOU, PLEASE
-- Do a quick search to avoid duplicate issues
-- Provide as much information as possible (reproduction sandbox, use case for features, etc.)
-- Consider using a more suitable venue for questions such as Stack Overflow, Gitter, etc.
-
-Please fill in the *entire* template below.
-
--->
-
-## Steps to reproduce
-
-<!-- Describe how to reproduce the issue -->
-
-## Current Behavior
-
-<!-- Describe the observed result -->
-
-## Expected Behavior
-
-<!-- Describe what did you expect instead, what is the desired outcome? -->
-
-## Link to reproduction sandbox
-
-<!--
-See https://loopback.io/doc/en/contrib/Reporting-issues.html#loopback-3x-bugs
-Note: Failure to provide a sandbox application for reproduction purposes will result in the issue being closed.
--->
-
-## Additional information
-
-<!--
-Copy+paste the output of these two commands:
-  node -e 'console.log(process.platform, process.arch, process.versions.node)'
-  npm ls --prod --depth 0 | grep loopback
--->
-
-## Related Issues
-
-<!-- Did you find other bugs that looked similar? -->
-
-_See [Reporting Issues](http://loopback.io/doc/en/contrib/Reporting-issues.html) for more tips on writing good issues_

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,25 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-labels: feature
-
----
-
-## Suggestion
-
-<!-- A summary of what you'd like to see added or changed -->
-
-## Use Cases
-
-<!--
-What do you want to use this for?
-What shortcomings exist with current approaches?
--->
-
-## Examples
-
-<!-- Show how this would be used and what the behavior would be -->
-
-## Acceptance criteria
-
-TBD - will be filled by the team.

.github/ISSUE_TEMPLATE/Question.md

@@ -1,27 +0,0 @@
----
-name: Question
-about: The issue tracker is not for questions. Please use Stack Overflow or other resources for help.
-labels: question
-
----
-
-<!-- 🚨 STOP 🚨 STOP 🚨 STOP 🚨
-
-THE ISSUE TRACKER IS NOT FOR QUESTIONS.
-
-DO NOT CREATE A NEW ISSUE TO ASK A QUESTION.
-
-Please use one of the following resources for help:
-
-**Questions**
-
-- https://stackoverflow.com/tags/loopbackjs
-- https://groups.google.com/forum/#!forum/loopbackjs
-- https://gitter.im/strongloop/loopback
-
-**Immediate support**
-
-- https://strongloop.com/api-connect-faqs/
-- https://strongloop.com/node-js/subscription-plans/
-
--->

.github/ISSUE_TEMPLATE/config.yml

@@ -1,11 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: Report a security vulnerability
-    url: https://loopback.io/doc/en/contrib/Reporting-issues.html#security-issues
-    about: Do not report security vulnerabilities using GitHub issues. Please send an email to `reachsl@us.ibm.com` instead.
-  - name: Get help on StackOverflow
-    url: https://stackoverflow.com/tags/loopbackjs
-    about: Please ask and answer questions on StackOverflow.
-  - name: Join our mailing list
-    url: https://groups.google.com/forum/#!forum/loopbackjs
-    about: You can also post your question to our mailing list.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,18 +1,25 @@
+### Description
+
+
+#### Related issues
+
 <!--
-Please provide a high-level description of the changes made by your pull request.
+Please use the following link syntaxes:
 
-Include references to all related GitHub issues and other pull requests, for example:
-
-Fixes #123
-Implements #254
-See also #23
+- connect to #49 (to reference issues in the current repository)
+- connect to strongloop/loopback#49 (to reference issues in another repository)
 -->
 
-## Checklist
+- connect to <link_to_referenced_issue>
 
-👉 [Read and sign the CLA (Contributor License Agreement)](https://cla.strongloop.com/agreements/strongloop/loopback-component-explorer) 👈
+### Checklist
+
+<!--
+- Please mark your choice with an "x" (i.e. [x], see
+https://github.com/blog/1375-task-lists-in-gfm-issues-pulls-comments)
+- PR's without test coverage will be closed.
+-->
 
-- [ ] `npm test` passes on your machine
 - [ ] New tests added or existing tests modified to cover all changes
-- [ ] Code conforms with the [style guide](https://loopback.io/doc/en/contrib/style-guide-es6.html)
-- [ ] Commit messages are following our [guidelines](https://loopback.io/doc/en/contrib/git-commit-messages.html)
+- [ ] Code conforms with the [style
+  guide](http://loopback.io/doc/en/contrib/style-guide.html)

.travis.yml

@@ -1,6 +1,6 @@
 sudo: false
 language: node_js
 node_js:
+  - "6"
   - "8"
   - "10"
-  - "12"

CHANGES.md

@@ -1,30 +1,4 @@
-2020-03-06, Version 6.5.1
-=========================
-
- * Update LTS status in README (Miroslav Bajtoš)
-
- * Cursor is made pointer of the add token button (Siraj Alam)
-
-
-2019-11-28, Version 6.5.0
-=========================
-
- * docs: describe GitHub advisory CVE-2019-17495 (Miroslav Bajtoš)
-
- * chore: improve README formatting (Miroslav Bajtoš)
-
- * Update README on swagger-ui (Diana Lau)
-
- * chore: improve issue and PR templates (Nora)
-
- * chore: add Node.js 12 to travis ci (Nora)
-
- * chore: drop support for Node.js 6 (Nora)
-
- * update LTS (Diana Lau)
-
-
-2019-05-09, Version 6.4.0
+2019-05-10, Version 6.4.0
 =========================
 
  * chore: update copyrights years (Agnes Lin)

README.md

@@ -1,15 +1,14 @@
 # loopback-component-explorer
 
-**⚠️ LoopBack 3 is in Maintenance LTS mode, only critical bugs and critical
-security fixes will be provided. (See
-[Module Long Term Support Policy](#module-long-term-support-policy) below.)**
+**This module is in Active LTS mode, new features are no longer accepted.**
+<br/>(See [Module Long Term Support Policy](#module-long-term-support-policy)
+below.)
 
-We urge all LoopBack 3 users to migrate their applications to LoopBack 4 as
-soon as possible. Refer to our
-[Migration Guide](https://loopback.io/doc/en/lb4/migration-overview.html)
+LoopBack 3 users looking for new features are encouraged to upgrade
+to LoopBack 4. Refer to
+[loopback-next#1849](https://github.com/strongloop/loopback-next/issues/1849)
 for more information on how to upgrade.
 
-
 ## Overview
 
 Browse and test your LoopBack app's APIs.
@@ -40,77 +39,6 @@ console.log("Explorer mounted at localhost:" + port + "/explorer");
 app.listen(port);
 ```
 
-## A note on swagger-ui vulnerabilities
-
-API Explorer for LoopBack 3 is built on top of `swagger-ui` version 2.x which
-is no longer maintained. While there are known security vulnerabilities in
-`swagger-ui`, we believe they don't affect LoopBack users.
-
-We would love to upgrade our (LB3) API Explorer to v3 of swagger-ui, but
-unfortunately such upgrade requires too much effort and more importantly
-addition of new features to LB3 runtime, which would break our LTS guarantees.
-For more details, see discussion in
-[loopback-component-explorer#263](https://github.com/strongloop/loopback-component-explorer/issues/263).
-
-### npm advisory 985
-
-Link: https://www.npmjs.com/advisories/985
-
-> Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting
-> (XSS). The package fails to sanitize YAML files imported from URLs or
-> copied-pasted. This may allow attackers to execute arbitrary JavaScript.
-
-LoopBack's API Explorer does not allow clients to import swagger spec from YAML
-URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED**
-by this vulnerability.
-
-### npm advisory 975
-
-Link: https://www.npmjs.com/advisories/975
-
-> Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping.
-> The package uses `target='_blank'` in anchor tags, allowing attackers to
-> access `window.opener` for the original page. This is commonly used for
-> phishing attacks.
-
-This vulnerability affects anchor tags created from metadata provided by the
-Swagger spec, for example `info.termsOfServiceUrl`. LoopBack's API Explorer
-does not allow clients to provide custom swagger spec, URLs like
-`info.termsOfServiceUrl` are fully in control of the LoopBack application
-developer. That means loopback-component-explorer **IS NOT AFFECTED** by this
-vulnerability.
-
-### npm advisory 976
-
-Link: https://www.npmjs.com/advisories/976
-
-> Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting
-> (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which
-> may allow attackers to execute arbitrary JavaScript.
-
-LoopBack 3 API Explorer does not support OAuth auth flow, that means
-loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
-
-### GitHub advisory CVE-2019-17495
-
-Link: https://github.com/advisories/GHSA-c427-hjc3-wrfw
-> A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before
-> 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique
-> to perform CSS-based input field value exfiltration, such as exfiltration of
-> a CSRF token value.
-
-Quoting from the
-[disclosure](https://github.com/tarantula-team/CSS-injection-in-Swagger-UI/tree/15edeaaa5806aa8e83ee55d883f956a3c3573ac9):
-
-> We’ve observed that the `?url=` parameter in SwaggerUI allows an attacker to
-> override an otherwise hard-coded schema file.  We realize that Swagger UI
-> allows users to embed untrusted Json format from remote servers This means we
-> can inject json content via the GET parameter to victim Swagger UI.  etc.
-
-LoopBack 3 API Explorer does not suport `?url=` parameter, it always loads the
-Swagger spec file from the LoopBack server serving the Explorer UI. That means
-loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
-
 ## Upgrading from v1.x
 
 To upgrade your application using loopback-explorer version 1.x, just replace
@@ -267,7 +195,8 @@ Module Long Term Support (LTS)](http://github.com/CloudNativeJS/ModuleLTS) polic
 
 | Version | Status          | Published | EOL      |
 | ------- | --------------- | --------- | -------- |
-| 6.x     | Maintenance LTS | Apr 2018  | Dec 2020 |
-| 5.x     | End-of-Life     | Sep 2017  | Dec 2019 |
+| 6.x     | Active LTS      | Apr 2018  | Dec 2019 |
+| 5.x     | Maintenance LTS | Sep 2017  | Dec 2019 |
+| 4.x     | End-of-Life     | Dec 2016  | Apr 2019 |
 
 Learn more about our LTS plan in [docs](https://loopback.io/doc/en/contrib/Long-term-support.html).

package.json

@@ -1,9 +1,9 @@
 {
   "name": "loopback-component-explorer",
-  "version": "6.5.1",
+  "version": "6.4.0",
   "description": "Browse and test your LoopBack app's APIs",
   "engines": {
-    "node": ">=8.9"
+    "node": ">=6"
   },
   "main": "index.js",
   "scripts": {

public/css/loopbackStyles.css

@@ -34,7 +34,6 @@ body #header a#logo {
 
 body #header form#api_selector .input a#explore {
   background-color: #7dbd33 !important;
-  cursor: pointer;
 }