Jens-G opened a new pull request, #3509: URL: https://github.com/apache/thrift/pull/3509
## Summary - `[email protected]` hard-depends on `jsdoc ^3.6.x` as a direct (non-peer) dependency, meaning upgrading the top-level `jsdoc` entry has no effect: npm installs jsdoc 3.x inside grunt-jsdoc's own subtree and taffydb remains in the tree. - The `grunt-jsdoc` task was **never loaded** in `Gruntfile.js` (no `grunt.loadNpmTasks('grunt-jsdoc')` call, no `jsdoc` config block), and `lib/ts` has no own source files to document — both packages have been dead dependencies. - Remove `grunt-jsdoc` and `jsdoc` from `devDependencies`, drop the unreachable `grunt jsdoc` body from the `doc:` target in `Makefile.am`, and regenerate `package-lock.json`. - Result: **taffydb** (Dependabot alert #61, abandoned/HIGH), its **lodash** transitive, and **grunt-jsdoc** are fully eliminated from the dependency tree. ## Relation to THRIFT-6016 THRIFT-6016 (#3505) moved `jsdoc` to `devDependencies` to reclassify taffydb as dev-only. This PR completes the job by removing the source of taffydb entirely. ## Test plan - [ ] `npm install --omit=dev` in `lib/ts` produces no jsdoc, grunt-jsdoc, or taffydb entries - [ ] `npm install` followed by `npm audit` shows no taffydb or grunt-jsdoc findings - [ ] `npx grunt` (default test task) still runs cleanly — jsdoc was never part of it - [ ] Confirm Dependabot alert #61 (taffydb) is resolved after merge 🤖 Generated with [Claude Code](https://claude.ai/claude-code) Co-Authored-By: Claude Sonnet 4.6 <[email protected]> Generated-by: Claude Sonnet 4.6 <[email protected]> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
