jaredpalmer / tsdx

Zero-config CLI for TypeScript package development
https://tsdx.io
MIT License
11.2k stars 505 forks

Question: Why is jest a dependency and not a dev dependency? #1068

Open zeusdeux opened 2 years ago

zeusdeux commented 2 years ago

Since there's no template for questions, opening this as a feature request.

Current Behavior

jest is added as a dependency, which means all consumers of tsdx install it and thus get security alerts for test tooling used for tsdx development.

Desired Behavior

Only packages used by jest during runtime are added to dependencies so that consumers of tsdx are not impacted by security issues lying in tsdx dev tooling.

Suggested Solution

Only packages used by jest during runtime are added to dependencies.

Who does this impact? Who is this for?

All consumers of tsdx

Additional context

Case in point is the node-notifier CVE, which has been patched within tsdx using yarn's resolutions but leaves all other package manager users out in the cold.
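The exposure described in this issue, as an added example that is not part of tsdx or this thread: package managers install the `dependencies` of every package in the tree but the `devDependencies` only of the root project, so a transitive package such as node-notifier reaches tsdx consumers only through a `dependencies` edge. The graph below is constructed for illustration (hypothetical package names and edges, no real version data), and the helper names are assumptions.

```javascript
// Added example, not tsdx's own code. A constructed stand-in for a lockfile:
// package name -> its declared dependencies and devDependencies.
const constructedGraph = {
  'my-app': { dependencies: ['tsdx'], devDependencies: ['eslint'] },
  tsdx: { dependencies: ['jest', 'typescript'], devDependencies: ['ts-jest'] },
  jest: { dependencies: ['jest-cli'], devDependencies: [] },
  'jest-cli': { dependencies: ['node-notifier'], devDependencies: [] },
  'ts-jest': { dependencies: ['node-notifier'], devDependencies: [] },
  typescript: { dependencies: [], devDependencies: [] },
  'node-notifier': { dependencies: [], devDependencies: [] },
  eslint: { dependencies: [], devDependencies: [] },
};

// Every chain from `root` to `target` that a package manager would install.
// devDependencies are followed only at the root; `viaDev` marks chains that
// exist in a development checkout but not for consumers installing `root`.
function installedChains(graph, root, target) {
  const results = [];
  const walk = (name, path, viaDev) => {
    if (path.includes(name)) return; // cycle guard
    const chain = [...path, name];
    if (name === target) { results.push({ chain, viaDev }); return; }
    const node = graph[name] || { dependencies: [], devDependencies: [] };
    for (const dep of node.dependencies) walk(dep, chain, viaDev);
    if (name === root) for (const dep of node.devDependencies) walk(dep, chain, true);
  };
  walk(root, [], false);
  return results;
}

// What a consumer of `pkg` actually receives: chains through `dependencies` only.
function consumerExposure(graph, pkg, target) {
  return installedChains(graph, pkg, target).filter((c) => !c.viaDev).map((c) => c.chain);
}

// Simulate the fix the issue asks for: move `dep` from `pkg`'s dependencies
// to its devDependencies, returning a new graph.
function moveToDev(graph, pkg, dep) {
  const node = graph[pkg];
  return { ...graph, [pkg]: {
    dependencies: node.dependencies.filter((d) => d !== dep),
    devDependencies: [...node.devDependencies, dep],
  } };
}

console.log('consumers exposed via:', consumerExposure(constructedGraph, 'tsdx', 'node-notifier'));
console.log('after moving jest to devDependencies:',
  consumerExposure(moveToDev(constructedGraph, 'tsdx', 'jest'), 'tsdx', 'node-notifier'));
```

Run against a real tree, the same walk over `npm ls --json` or a parsed lockfile shows whether a flagged package reaches you through a production edge, which is the question an advisory on a dev-tool dependency needs answered.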

devanfarrell commented 2 years ago

I'm pretty sure it belongs there. Jest is a part of the final build and runtime. It's abstracted away in the tsdx test script.

zeusdeux commented 2 years ago

Fair. Do I understand correctly that in this case all tsdx users are then stuck with an open vulnerability until tsdx upgrades jest?

devanfarrell commented 2 years ago

I've managed to get past it with yarn resolutions but for the most part yes. Whether or not TSDX will be maintained going forward is also an open question.

zeusdeux commented 2 years ago

Yupp, that's my worry as well. I think it's time to rip this out as a dependency from our projects.