kiranshila / cybermonday

Markdown as Clojure Data
Eclipse Public License 1.0

Remove build dependencies from cybermonday library deps #22

Closed RickMoynihan closed 2 years ago

RickMoynihan commented 2 years ago

The library explicitly includes shadow-cljs as a library dependency, which leads to a lot of unnecessary dependencies being exported to consuming applications.

Build-time deps such as these should ideally not be exposed to consuming apps.

Relatedly, the flexmark-test-util dependency pulls in junit, which is another such dep.

Why is this important?

These deps are introducing libraries to classpaths which have known CVEs against them. In almost all cases these CVEs will not be used or exploitable; they do, however, cause false positives which need to be handled by automated tools such as nvd-clojure.
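
The layout the issue asks for, as an added example and not cybermonday's actual `deps.edn`: the "before" keeps shadow-cljs and flexmark-test-util in the library's `:deps`, so every consumer inherits them (and junit transitively); the "after" moves them under aliases that only the library's own build and test runs activate. The project name, alias names and version numbers are assumed placeholders; the Maven coordinates are the real ones for those two libraries.

```clojure
;; BEFORE (the problem described in the issue): build and test tooling sits in
;; :deps, so it is exported to any project that depends on the library.
;; Versions here are illustrative placeholders, not the project's real ones.
{:deps {org.clojure/clojure                     {:mvn/version "1.11.1"}
        thheller/shadow-cljs                    {:mvn/version "2.20.0"}   ; build-only
        com.vladsch.flexmark/flexmark-test-util {:mvn/version "0.64.0"}}} ; test-only, drags in junit

;; AFTER: only runtime deps stay in :deps. Tooling lives in aliases; a consumer
;; that simply lists the library never activates :cljs or :test, so the
;; shadow-cljs and junit subtrees (and their CVE noise) stay off its classpath.
{:deps {org.clojure/clojure {:mvn/version "1.11.1"}}
 :aliases
 {:cljs {:extra-deps {thheller/shadow-cljs {:mvn/version "2.20.0"}}}
  :test {:extra-paths ["test"]
         :extra-deps  {com.vladsch.flexmark/flexmark-test-util {:mvn/version "0.64.0"}}}}}
```

To confirm the fix from the consumer's side, run `clojure -Stree` in a project that depends on the library and check that neither shadow-cljs nor junit appears in the resolved tree.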

kiranshila commented 2 years ago

Nice catch, thank you!