jsx-eslint / eslint-plugin-jsx-a11y

Static AST checker for a11y rules on JSX elements.
MIT License

Snyk: MPL 2.0 license vulnerability in axe-core #973

Closed vjr12 closed 7 months ago

vjr12 commented 7 months ago

When our application was run through Snyk recently, we found an MPL 2.0 license vulnerability.

Package Manager: npm
Module: axe-core
Introduced through: react-scripts@5.0.1 › eslint-config-react-app@7.0.1 › eslint-plugin-jsx-a11y@6.7.1 › axe-core@4.7.0

I tried adding

  "resolutions": {
    "eslint-plugin-jsx-a11y": "6.8.0"
  }

While the Snyk issue is removed, when I run the application I am getting [eslint] Failed to load plugin 'jsx-a11y' declared in 'package.json » eslint-config-react-app': Cannot find module for many modules.

How do I fix this?

ljharb commented 7 months ago

Licenses aren’t a vulnerability, and you should be depending on this plugin with a ^

Either way, eslint is a dev dep that you’re not shipping with your app, so you shouldn’t care about the license.

ljharb commented 7 months ago

You did this by ignoring this nonissue.
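
The dev-dependency point made in this thread can be checked mechanically. The following is an added example, not part of the original issue or the plugin's code: it reads the `packages` map of an npm lockfile (lockfileVersion 2/3 layout) and separates packages with a flagged license into dev-only and shipped. The lockfile fragment is constructed; the versions come from the issue, while `example-app`, `hypothetical-runtime-lib` and the placement of `react-scripts` under `devDependencies` are assumptions.

```javascript
// Constructed lockfile fragment (npm lockfileVersion 3 layout).
// Versions are from the issue; "example-app", "hypothetical-runtime-lib"
// and the dev placement of react-scripts are assumptions for illustration.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", devDependencies: { "react-scripts": "5.0.1" } },
    "node_modules/react-scripts": { version: "5.0.1", dev: true, license: "MIT" },
    "node_modules/eslint-config-react-app": { version: "7.0.1", dev: true, license: "MIT" },
    "node_modules/eslint-plugin-jsx-a11y": { version: "6.7.1", dev: true, license: "MIT" },
    "node_modules/axe-core": { version: "4.7.0", dev: true, license: "MPL-2.0" },
    "node_modules/hypothetical-runtime-lib": { version: "1.0.0", license: "MPL-2.0" },
  },
};

// Split packages carrying a flagged license into dev-only vs shipped.
// npm marks an entry `dev: true` only when it is reachable solely through
// devDependencies; entries with no license string go to `unknown` so they
// are reviewed rather than silently passed.
function triageLicenses(lock, flaggedLicenses) {
  const flagged = new Set(flaggedLicenses);
  const result = { shipped: [], devOnly: [], unknown: [] };
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || meta.link) continue; // root project or workspace link
    // Name is everything after the last "node_modules/" (nested and scoped paths).
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const entry = `${name}@${meta.version}`;
    if (typeof meta.license !== "string") {
      result.unknown.push(entry);
      continue;
    }
    if (!flagged.has(meta.license)) continue;
    (meta.dev === true ? result.devOnly : result.shipped).push(entry);
  }
  return result;
}

console.log(triageLicenses(sampleLock, ["MPL-2.0"]));
```

The outcome depends on where the project's own `package.json` lists `react-scripts`: if it sits under `dependencies`, the lockfile will not mark the chain below it as `dev`, and `axe-core` will land in `shipped`.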