Open zeusdeux opened 2 years ago
I'm pretty sure it belongs there. Jest is a part of the final build and runtime. It's abstracted away in the tsdx test script.
Fair. Do I understand correctly that in this case all tsdx users are then stuck with an open vulnerability until tsdx upgrades jest?
I've managed to get past it with yarn resolutions but for the most part yes. Whether or not TSDX will be maintained going forward is also an open question.
Yupp, that's my worry as well. I think it's time to rip this out as a dependency from our projects.
Since there's no template for questions, opening this as a feature request.
Current Behavior
jest is added as a dependency, which means all consumers of tsdx install it and thus get security alerts for test tooling used for tsdx development.
Desired Behavior
Only packages used by jest during runtime are added to dependencies so that consumers of tsdx are not impacted by security issues lying in tsdx dev tooling.
Suggested Solution
Only packages used by jest during runtime are added to dependencies.
Who does this impact? Who is this for?
All consumers of tsdx
Additional context
Case in point is the node-notifier CVE, which has been patched within tsdx using yarn's resolutions but leaves all other package manager users out in the cold.
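As an added example, not code from this issue thread or from tsdx itself, the script below audits a constructed package.json for test tooling that ships under "dependencies" and emits the same transitive pin in both yarn "resolutions" and npm "overrides" syntax, so a patch is not limited to yarn users. The package names in DEV_ONLY_TOOLING, the version strings and the patched-version placeholder are assumptions for illustration.

```javascript
// Constructed package.json fragment modelled on the issue: jest listed as a
// runtime dependency. All version numbers are illustrative placeholders.
const samplePkg = {
  name: "example-consumer-tool",
  dependencies: { jest: "25.0.0", rollup: "2.0.0", typescript: "4.0.0" },
  devDependencies: { eslint: "7.0.0" },
};

// Packages needed only while developing the tool itself (assumed list);
// a consumer installing the tool should never pull them in transitively.
const DEV_ONLY_TOOLING = new Set(["jest", "ts-jest", "eslint", "prettier"]);

// Names under "dependencies" that are known dev-only tooling.
function findDevToolingInDependencies(pkg, devOnly = DEV_ONLY_TOOLING) {
  return Object.keys(pkg.dependencies || {})
    .filter((name) => devOnly.has(name))
    .sort();
}

// Returns a copy of pkg with the flagged packages moved to devDependencies;
// the original object is left untouched.
function moveToDevDependencies(pkg, names) {
  const deps = { ...(pkg.dependencies || {}) };
  const devDeps = { ...(pkg.devDependencies || {}) };
  for (const name of names) {
    if (name in deps) {
      devDeps[name] = deps[name];
      delete deps[name];
    }
  }
  return { ...pkg, dependencies: deps, devDependencies: devDeps };
}

// Pins a transitive package in both syntaxes: yarn reads "resolutions",
// npm (8.3 and later) reads "overrides". Applying only one of them leaves
// consumers on the other package manager unpatched.
function pinTransitive(pkg, name, version) {
  return {
    ...pkg,
    resolutions: { ...(pkg.resolutions || {}), [name]: version },
    overrides: { ...(pkg.overrides || {}), [name]: version },
  };
}

const flagged = findDevToolingInDependencies(samplePkg);
const fixedPkg = pinTransitive(
  moveToDevDependencies(samplePkg, flagged),
  "node-notifier",
  "<patched version>" // placeholder: substitute the advisory's fixed version
);
```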