snyk added a dependency rather than a devDependency

YuriGor / deepdash

eachDeep, filterDeep, findDeep, someDeep, omitDeep, pickDeep, keysDeep etc.. Tree traversal library written in Underscore/Lodash fashion

https://deepdash.io/

MIT License

274 stars 12 forks source link

snyk added a dependency rather than a devDependency #31

Closed jedrichards closed 5 years ago

jedrichards commented 5 years ago

Thanks for enabling synk to protect your deps, but I'm guessing it should rather be added as a devDependency, i.e. since it's never used at runtime all your package consumers shouldn't be forced to download it into their node_modules.

https://github.com/YuriGor/deepdash/blob/master/package.json#L85

YuriGor commented 5 years ago

Hi! Thank you for pointing me to this, you are probably right, I need to dig into this a bit deeper.

I've only accepted a PR generated by Snyk web app, and I have no idea what's the magic is behind, so I need to read some mans and test it before changing.

jedrichards commented 5 years ago

I suppose snyk is safely added to an app/end-product as a dependency, in that case you're not expecting others to npm install it. But perhaps different story if adding to a library. Anyway, just wanted to give you heads up. Cheers!

YuriGor commented 5 years ago

Ok, thank you, I'll take a look as soon as I'll have a free minute.

YuriGor commented 5 years ago

Done in v4.2.14