remove string module dependency

[dlong500]

Given that it appears the string module on npm has been abandoned, has some regex DOS security issues, and that is seems to only be used in one index.js file in this package, it might be best to find an alternative.

See jprichardson/string.js#212 (comment)

NPM is currently flagging jsreport-core in its security auditing due to script-manager's dependency on string.

[pofider]

Would this satisfy you?
https://forum.jsreport.net/topic/647/redos-vulnerability-in-script-manager

[dlong500]

I do understand that there is not anything that currently appears to affect the security of jsreport in this context. The issue is more about the spam constantly generated because of npm audit warnings. In this particular situation, since you are only using one call to startswith and the minimum supported node version is now 4.x I'm pretty sure you can just use the built-in String prototype startswith directly and eliminate the string module dependency altogether.

[pofider]

Yes makes sense. Don't you want to send a PR with it? I would publish new version then.

[dlong500]

Sure, I'll do that when I can get back in town in a few days. Thanks.

[pofider]

We removed it some time ago.
There are 0 vulnerabilities in whole jsreport currently.