Closed aedryan closed 1 year ago
If you put something in `devDependencies` it won't be installed when someone just does `npm install tree-sitter`.

The way `prebuild` works is you publish an empty package to npm and upload a bunch of binary files to GitHub Releases associated with that same release. `prebuild-install` is needed to download the correct binary from GitHub Releases; it essentially replaces `npm install tree-sitter` with "download this binary file from GitHub".
Got it, I did not know that about `prebuild-install`. It's a shame that it can't be moved to dev deps in order to avoid raising false positives in vulnerability scanners. I see that tree-sitter is a major version behind `prebuild-install`, where at least the vulnerability path described above is not relevant. Is an upgrade of `prebuild-install` on the roadmap for this package?
Since `prebuild-install` is only used during the package install phase, it should be moved to the package.json's dev dependencies. Presently the version of `prebuild-install` set in this package winds up using an outdated version of `ansi-regex` which has a DOS vulnerability. Security scanners will pick this up as a vulnerability that would otherwise be ignored if it were properly tagged as a dev dependency instead of a dependency.

Path to vulnerability:
https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
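The two points argued in this thread (a package named in the `install` script has to stay in `dependencies` because consumers never receive `devDependencies`, and a scanner finding is only a false positive if the flagged package is reachable solely through dev-only entries) can both be checked mechanically. The script below is an added example, not tree-sitter's code or `prebuild-install`'s: it uses a constructed package.json for a hypothetical addon called `demo-addon` and a constructed, simplified package-lock.json in the v2/v3 `packages` layout with a flat `node_modules`; the chain of versions under `prebuild-install` is illustrative, not a statement about any specific published release.

```javascript
// Added example (not from tree-sitter or prebuild-install). Shows why an
// install-script dependency cannot live in devDependencies, and traces the
// runtime path to a transitive package a scanner has flagged.

// Constructed package.json for a hypothetical native addon. The install
// script runs on the consumer's machine after `npm install demo-addon`,
// so everything it invokes must be resolvable from "dependencies".
const packageJson = {
  name: "demo-addon",
  version: "1.0.0",
  scripts: { install: "prebuild-install || node-gyp rebuild" },
  dependencies: { "prebuild-install": "^6.0.0", nan: "^2.14.0" },
  devDependencies: { prebuild: "^10.0.0", mocha: "^8.0.0" },
};

// Constructed, simplified package-lock.json ("packages" layout, flat
// node_modules). The versions in the chain are illustrative only.
const lockfile = {
  packages: {
    "": {
      dependencies: packageJson.dependencies,
      devDependencies: packageJson.devDependencies,
    },
    "node_modules/prebuild-install": { version: "6.0.0", dependencies: { npmlog: "^4.0.1" } },
    "node_modules/npmlog": { version: "4.1.2", dependencies: { gauge: "~2.7.3" } },
    "node_modules/gauge": { version: "2.7.4", dependencies: { "string-width": "^1.0.1" } },
    "node_modules/string-width": { version: "1.0.2", dependencies: { "strip-ansi": "^3.0.0" } },
    "node_modules/strip-ansi": { version: "3.0.1", dependencies: { "ansi-regex": "^2.0.0" } },
    "node_modules/ansi-regex": { version: "2.1.1" },
    "node_modules/nan": { version: "2.14.2" },
    "node_modules/prebuild": { version: "10.0.0", dev: true },
    "node_modules/mocha": { version: "8.0.0", dev: true },
  },
};

// What a consumer's `npm install <pkg>` fetches: "dependencies" only.
// devDependencies are installed only when working inside the package itself.
function installedForConsumers(pkg) {
  return Object.keys(pkg.dependencies || {});
}

// First word of each command in the install script ("a || b", "a && b", "a; b").
function installScriptCommands(pkg) {
  const script = (pkg.scripts && pkg.scripts.install) || "";
  return script
    .split(/\s*(?:\|\||&&|;)\s*/)
    .map((part) => part.trim().split(/\s+/)[0])
    .filter(Boolean);
}

// Install-script commands that are declared only under devDependencies, i.e.
// commands that would be missing on a consumer's machine.
function installScriptDepsMisplaced(pkg) {
  const runtime = new Set(installedForConsumers(pkg));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  return installScriptCommands(pkg).filter((cmd) => dev.has(cmd) && !runtime.has(cmd));
}

// Breadth-first search from the root's runtime dependencies to `target`.
// Returns the first chain found (root omitted) or null when `target` is not
// reachable through runtime dependencies. Assumes a flat node_modules.
function runtimeDependencyPath(lock, target) {
  const root = lock.packages[""];
  const queue = Object.keys(root.dependencies || {}).map((name) => [name]);
  const seen = new Set();
  while (queue.length) {
    const path = queue.shift();
    const name = path[path.length - 1];
    if (name === target) return path;
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) continue;
    for (const dep of Object.keys(entry.dependencies || {})) queue.push([...path, dep]);
  }
  return null;
}

// True only when every lockfile entry for `target` carries `dev: true`; that
// is the case in which a scanner finding is fairly treated as dev-only noise.
function isDevOnly(lock, target) {
  const entries = Object.entries(lock.packages).filter(
    ([key]) => key === `node_modules/${target}` || key.endsWith(`/node_modules/${target}`)
  );
  return entries.length > 0 && entries.every(([, entry]) => entry.dev === true);
}

console.log("install-script deps misplaced:", installScriptDepsMisplaced(packageJson));
console.log("runtime path to ansi-regex:", runtimeDependencyPath(lockfile, "ansi-regex"));
console.log("ansi-regex dev-only?", isDevOnly(lockfile, "ansi-regex"));
```

With `prebuild-install` under `dependencies` the misplacement check is empty, but the path walk still reaches `ansi-regex` through runtime entries, so the scanner finding is real rather than a dev-only false positive; moving `prebuild-install` to `devDependencies` would make the first check report it, because consumers would then run an install script whose command is never installed.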