### Proposal Once Gemnasium can report all the vulnerabilities reported by [retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) analyzer, the latter can be removed to reduce maintenance cost. ### Implementation plan - [x] update GitLab project (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86704) - [x] update docs to remove `retire.js` mentions: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/ - [x] remove `retire.js` from the Dependency Scanning CI template https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml and corresponding specs - [x] ~archive `retire.js` project~ - note: the decision to archive the project has been postponed so that the docker image can continue getting automatic rebuilds - [x] update [retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) analyzer `README.md` to say that this project is no longer used and is slated to be archived. - [x] create issue to archive project - https://gitlab.com/gitlab-org/gitlab/-/issues/362242 - [x] remove tests and mentions of the analyzer from other projects - [x] specs in https://gitlab.com/gitlab-org/security-products/security-report-schemas - [x] support for templated job in https://gitlab.com/gitlab-org/security-products/ci-templates/-/blob/master/includes-dev/qa-dependency_scanning.yml - [x] update handbook page (https://about.gitlab.com/handbook/engineering/development/sec/secure/composition-analysis) (https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/104032) - [x] remove analyzer and upstream project from reaction rotation support list and links (e.g. vuln dashboard) - [x] remove analyzer mentions - [x] archive the `retire.js` mirror project https://gitlab.com/gitlab-org/security-products/dependencies/retire.js - [x] create removal announcement (which is a different yml than a deprecation)