[ 
https://issues.apache.org/jira/browse/THRIFT-6016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jens Geyer reassigned THRIFT-6016:
----------------------------------

    Assignee: Jens Geyer

> lib/ts: jsdoc incorrectly listed under dependencies instead of devDependencies
> ------------------------------------------------------------------------------
>
>                 Key: THRIFT-6016
>                 URL: https://issues.apache.org/jira/browse/THRIFT-6016
>             Project: Thrift
>          Issue Type: Bug
>          Components: TypeScript - Library
>            Reporter: Jens Geyer
>            Assignee: Jens Geyer
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> In lib/ts/package.json, jsdoc is listed under "dependencies" instead of
> "devDependencies". jsdoc is a documentation generator and has no business
> being a runtime dependency of the Thrift TypeScript library.
>
> The practical consequence is that when npm resolves the package, jsdoc (and
> its transitive dependencies, notably taffydb and lodash) are classified as
> production dependencies. This is incorrect and causes Dependabot to report
> taffydb (CVE-2019-10790, HIGH) and lodash (CVE-2026-4800, HIGH) as
> vulnerabilities in the shipped library, not merely in dev tooling.
>
> Fix: move jsdoc from "dependencies" to "devDependencies" in
> lib/ts/package.json.
>
> Related: upgrading jsdoc from 3.6 to 4.x (see companion issue) will eliminate
> the taffydb dependency entirely, since jsdoc 4.x no longer depends on taffydb.
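An added check for the misplacement the quoted report describes (example code, not Thrift's own; the sample manifest and the list of dev-only tool names are constructed assumptions, not the real lib/ts/package.json):

```javascript
// Added example (not code from the Thrift project): find build-only tooling
// such as jsdoc that a package.json lists under "dependencies", and produce a
// corrected manifest with those entries moved to "devDependencies".

// Tools that only generate docs or run builds/tests and should never ship as
// runtime dependencies. This list is an assumption made for the example.
const DEV_ONLY_TOOLS = new Set(['jsdoc', 'typescript', 'eslint', 'jest', 'mocha']);

// Constructed sample manifest reproducing the misplacement from the report.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'thrift-ts-sample',       // constructed name, not the real package
  version: '0.0.0',
  dependencies: {
    ws: '^8.0.0',                 // constructed runtime dependency
    jsdoc: '^3.6.0',              // misplaced: documentation generator
  },
  devDependencies: {
    typescript: '^5.0.0',
  },
});

// Return, sorted, the dev-only tool names found under "dependencies".
function findMisplacedDevTools(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const deps = pkg.dependencies || {};
  return Object.keys(deps).filter((name) => DEV_ONLY_TOOLS.has(name)).sort();
}

// Return a corrected manifest object: misplaced tools are moved to
// "devDependencies" with their declared version range; an entry already
// present under devDependencies keeps its existing range.
function moveToDevDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const deps = { ...(pkg.dependencies || {}) };
  const devDeps = { ...(pkg.devDependencies || {}) };
  for (const name of findMisplacedDevTools(pkgJsonText)) {
    if (!(name in devDeps)) devDeps[name] = deps[name];
    delete deps[name];
  }
  return { ...pkg, dependencies: deps, devDependencies: devDeps };
}

// Stand-alone run: list what a production-only scan would wrongly count, then
// print the corrected manifest.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('misplaced:', findMisplacedDevTools(SAMPLE_PACKAGE_JSON));
  console.log(JSON.stringify(moveToDevDependencies(SAMPLE_PACKAGE_JSON), null, 2));
}
```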

--
This message was sent by Atlassian Jira
(v8.20.10#820010)