Closed timmorey closed 3 weeks ago
@snewcomer any chance this could get a review and release? Preferably with a patch version bump only (1.3.5), so this can slide into our transitive dependencies without having to update references in consuming packages.
We've been getting misleading security reports about vulnerabilities in our dependency chain under this package, but it doesn't look like those things actually need to be `dependencies`. In particular, the `npm` dependency pulls in a version of `semver` vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2022-25883. While I don't believe this package really exposes our users to that vulnerability, I'd rather clean up the package than argue with our security team. This should also marginally improve install speed and reduce bloat where this package is used.

These dependencies were added with https://github.com/validated-changeset/validated-changeset/pull/169, and `@ungap/structured-clone` is a legitimate dependency. The `@types` package just needs to be listed as a dev dependency to get its goodness. I wasn't actually able to find any indication that the `i` package is in use, but would be happy to add it back in if there is need.