glin / reactable

Interactive data tables for R
https://glin.github.io/reactable

Dependencies: Saving a Table with htmltools #245

Closed jonesworks closed 2 years ago

jonesworks commented 2 years ago

Hi Greg,

Thanks so much for the awesome work! I love this package. Supporting documentation is top-notch too!

I had a quick question:

Let's say I create a table and save it as an html object:

library(reactable) 

my_table <- reactable(iris)
htmltools::save_html(my_table, "table.html")

This creates a folder in my working directory titled 'lib'.

Following this path: lib/core-js-2.5.3/package.json, I see a list of dependencies, one of which is Karma ^4.4.1. GitHub Dependabot throws a warning about this package. (Here's relevant documentation: https://snyk.io/vuln/npm:karma@4.4.1)

But when I look at the 'package.json' file in your repo, I don't see Karma listed at all (https://github.com/glin/reactable/blob/0431e1c2de3250b054fc3bc281caf74359f2a68d/package.json).

Any idea what might be going on here? Perhaps you'd advise against saving tables as standalone html objects?

Any help would be much appreciated!

Chris

glin commented 2 years ago

Hi, core-js comes as a dependency via the reactR package (reactR::html_dependency_corejs()), and is used to support old browsers like IE 11 and older versions of the RStudio IDE Viewer.

Karma is a test runner library, so I highly doubt core-js includes any part of Karma in its distributed JavaScript files. It's listed under devDependencies, which typically means it's a development-only dependency (although there's no 100% way to confirm without inspecting the distributed JavaScript): https://github.com/zloirock/core-js/blob/f96b8d8afaebda5f49ac213627218f841c8692b4/package.json#L10. But at least Snyk itself does not report any vulnerability with core-js 2.5.3: https://snyk.io/test/npm/core-js/2.5.3

I think this is a false positive, but if that's still an issue, you do have a few options:

my_table <- reactable(iris)

html <- htmltools::tagList( htmltools::suppressDependencies("core-js"), my_table )

htmltools::save_html(html, "table.html")


- Ask https://github.com/react-R/reactR to update the version of core-js, which may have updated dependency versions and get by the false positive checks

reactable will probably stop including core-js by default soon-ish because IE 11 is EOL and recent RStudio versions no longer require it.
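
The devDependencies-versus-shipped-code distinction discussed in the reply above can be checked on a saved lib/ folder. This is an added example, not code from reactable, reactR or core-js; the function names, the sample folder contents and the file name shim.min.js are constructed assumptions, and the substring scan is a coarse heuristic.

```python
import json
import tempfile
from pathlib import Path

SECTIONS = ("dependencies", "devDependencies",
            "peerDependencies", "optionalDependencies")


def triage_flagged_package(lib_dir, flagged):
    """Report how `flagged` is declared in each package.json under lib_dir and
    whether any JavaScript file saved beside that manifest mentions it."""
    findings = []
    for manifest in sorted(Path(lib_dir).rglob("package.json")):
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        declared_in = [s for s in SECTIONS if flagged in (meta.get(s) or {})]
        if not declared_in:
            continue
        # Only files written next to the manifest can be loaded by the page.
        # A substring match is a coarse heuristic, not proof either way.
        mentions = sorted(
            p.name for p in manifest.parent.rglob("*.js")
            if p.is_file()
            and flagged in p.read_text(encoding="utf-8", errors="replace")
        )
        findings.append({
            "manifest": manifest.relative_to(lib_dir).as_posix(),
            "declared_in": declared_in,
            "runtime_dependency": "dependencies" in declared_in,
            "shipped_js_mentioning": mentions,
        })
    return findings


def build_sample_lib():
    """Constructed stand-in for the lib/ folder written by save_html()."""
    lib = Path(tempfile.mkdtemp()) / "lib"
    pkg = lib / "core-js-2.5.3"
    pkg.mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": "core-js", "version": "2.5.3",
        "devDependencies": {"karma": "^4.4.1"},  # range quoted in the issue
    }), encoding="utf-8")
    # Constructed placeholder, not the real core-js bundle.
    (pkg / "shim.min.js").write_text("/* constructed sample */", encoding="utf-8")
    return lib


if __name__ == "__main__":
    for finding in triage_flagged_package(build_sample_lib(), "karma"):
        print(json.dumps(finding, indent=2))
```
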

jonesworks commented 2 years ago

Thanks for your help!