Closed jonesworks closed 2 years ago
Hi, core-js comes as a dependency via the reactR package (reactR::html_dependency_corejs()), and is used to support old browsers like IE 11 and older versions of the RStudio IDE Viewer.
Karma is a test runner library, so I highly doubt core-js includes any part of Karma in its distributed JavaScript files. It's listed under devDependencies, which typically means it's a development-only dependency (although there's no 100% way to confirm without inspecting the distributed JavaScript): https://github.com/zloirock/core-js/blob/f96b8d8afaebda5f49ac213627218f841c8692b4/package.json#L10. But at least Snyk itself does not report any vulnerability with core-js 2.5.3: https://snyk.io/test/npm/core-js/2.5.3
I think this is a false positive, but if that's still an issue, you do have a few options:
- Use htmltools::suppressDependencies("core-js") to forcefully exclude the core-js dependency. You can put this anywhere in your HTML output, then confirm that core-js no longer appears in the final HTML. If you need to support IE 11 still, you can manually include a newer version of core-js.
library(reactable)
my_table <- reactable(iris)
# suppressDependencies() drops the named dependency from the rendered output
html <- htmltools::tagList(
  htmltools::suppressDependencies("core-js"),
  my_table
)
htmltools::save_html(html, "table.html")
- Ask https://github.com/react-R/reactR to update the version of core-js, which may have updated dependency versions and get by the false positive checks
reactable will probably stop including core-js by default soon-ish because IE 11 is EOL and recent RStudio versions no longer require it.
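One way to triage an alert like this, as an added example (not code from reactable, reactR or core-js): it reads a vendored package.json, reports which dependency sections name the flagged package, and checks the shipped JavaScript for a `require`/`import` of it. The manifest, the `example-runtime-lib` entry, the `shim.min.js` file name and all function names are constructed for illustration.

```javascript
// Added example: triage a scanner alert against a vendored package.json.
const MAP_SECTIONS = ['dependencies', 'optionalDependencies', 'peerDependencies', 'devDependencies'];
const LIST_SECTIONS = ['bundledDependencies', 'bundleDependencies'];

// Return every manifest section that names `pkg`.
function sectionsListing(manifest, pkg) {
  const hits = MAP_SECTIONS.filter((s) => {
    const deps = manifest[s];
    return deps !== null && typeof deps === 'object' &&
      Object.prototype.hasOwnProperty.call(deps, pkg);
  });
  for (const s of LIST_SECTIONS) {
    if (Array.isArray(manifest[s]) && manifest[s].includes(pkg)) hits.push(s);
  }
  return hits;
}

// True if JavaScript text loads `pkg` through require() or an import statement.
function sourceReferences(source, pkg) {
  const name = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`(?:require\\(\\s*|from\\s+|import\\s+)['"]${name}(?:/[^'"]*)?['"]`);
  return re.test(source);
}

// Combine both checks into a verdict for one flagged package.
function triage(manifestText, shippedSources, pkg) {
  const sections = sectionsListing(JSON.parse(manifestText), pkg);
  const referencedIn = Object.keys(shippedSources)
    .filter((file) => sourceReferences(shippedSources[file], pkg));
  let verdict = 'needs-review'; // runtime section, or loaded by shipped code
  if (referencedIn.length === 0) {
    if (sections.length === 0) verdict = 'not-listed';
    else if (sections.every((s) => s === 'devDependencies')) verdict = 'dev-only';
  }
  return { sections, referencedIn, verdict };
}

// Constructed stand-ins for a vendored manifest and its shipped script.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-vendored-lib',
  version: '0.0.0',
  dependencies: { 'example-runtime-lib': '^1.0.0' }, // hypothetical, for contrast
  devDependencies: { karma: '^4.4.1' },              // entry described in the thread
});
const SAMPLE_SHIPPED = { 'shim.min.js': '!function(e){"use strict";/* polyfill body */}(this);' };

console.log(triage(SAMPLE_MANIFEST, SAMPLE_SHIPPED, 'karma'));
```

A `dev-only` verdict is a heuristic: a bundler can inline a module without leaving a `require` call behind, so the distributed file still deserves a look when the alert is serious.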
Thanks for your help!
Hi Greg,
Thanks so much for the awesome work! I love this package. Supporting documentation is top-notch too!
I had a quick question:
Let's say I create a table and save it as an html object:
This creates a folder in my working directory titled 'lib'.
Following this path: lib/core-js-2.5.3/package.json, I see a list of dependencies, one of which is Karma ^4.4.1. GitHub Dependabot throws a warning about this package. (Here's relevant documentation: https://snyk.io/vuln/npm:karma@4.4.1)
But when I look at the 'package.json' file in your repo, I don't see Karma listed at all (https://github.com/glin/reactable/blob/0431e1c2de3250b054fc3bc281caf74359f2a68d/package.json).
Any idea what might be going on here? Perhaps you'd advise against saving tables as standalone html objects?
Any help would be much appreciated!
Chris