Jens Geyer created THRIFT-6016:
----------------------------------
Summary: lib/ts: jsdoc incorrectly listed under dependencies instead of devDependencies
Key: THRIFT-6016
URL: https://issues.apache.org/jira/browse/THRIFT-6016
Project: Thrift
Issue Type: Bug
Components: TypeScript - Library
Reporter: Jens Geyer
In lib/ts/package.json, jsdoc is listed under "dependencies" instead of
"devDependencies". jsdoc is a documentation generator and has no business being
a runtime dependency of the Thrift TypeScript library.
The practical consequence is that when npm resolves the package, jsdoc and its
transitive dependencies (notably taffydb and lodash) are classified as
production dependencies. This is incorrect and causes Dependabot to report
taffydb (CVE-2019-10790, HIGH) and lodash (CVE-2026-4800, HIGH) as
vulnerabilities in the shipped library, not merely in dev tooling.
Fix: move jsdoc from "dependencies" to "devDependencies" in lib/ts/package.json.
Related: upgrading jsdoc from 3.6 to 4.x (see companion issue) will eliminate
the taffydb dependency entirely, since jsdoc 4.x no longer depends on taffydb.
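As an added illustration (not Thrift's own code), the following Node.js snippet shows the misplaced entry beside the corrected one and a small check that flags known dev-only tools found under "dependencies"; the two package.json samples and the DEV_ONLY_TOOLS list are constructed for this example, not copied from lib/ts/package.json.

```javascript
// Added example, not part of the Thrift project. Flags build/doc tools that
// sit under "dependencies" (and therefore ship as production dependencies)
// instead of "devDependencies", and moves them to the right section.

// Assumed list of tools that never belong in a library's runtime dependency set.
const DEV_ONLY_TOOLS = new Set(["jsdoc", "typescript", "mocha", "eslint", "prettier"]);

// Constructed sample mirroring the issue: jsdoc is a production dependency.
const PKG_BEFORE = JSON.stringify({
  name: "example-lib",
  dependencies: { jsdoc: "^3.6.0", "node-int64": "^0.4.0" },
  devDependencies: { mocha: "^10.0.0" }
});

// Constructed sample of the fixed layout: jsdoc under devDependencies.
const PKG_AFTER = JSON.stringify({
  name: "example-lib",
  dependencies: { "node-int64": "^0.4.0" },
  devDependencies: { jsdoc: "^3.6.0", mocha: "^10.0.0" }
});

// Returns the sorted names of dev-only tools listed under "dependencies".
function misplacedDevTools(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = pkg.dependencies || {};
  return Object.keys(deps).filter((name) => DEV_ONLY_TOOLS.has(name)).sort();
}

// Moves every flagged entry to "devDependencies", keeping its version range,
// and returns the rewritten package.json text (2-space indented like npm).
function moveToDevDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  pkg.dependencies = pkg.dependencies || {};
  pkg.devDependencies = pkg.devDependencies || {};
  for (const name of misplacedDevTools(packageJsonText)) {
    pkg.devDependencies[name] = pkg.dependencies[name];
    delete pkg.dependencies[name];
  }
  return JSON.stringify(pkg, null, 2);
}

// Convenience wrapper so a caller can inspect the result as an object.
function fixedPackage(packageJsonText) {
  return JSON.parse(moveToDevDependencies(packageJsonText));
}

console.log("before:", misplacedDevTools(PKG_BEFORE)); // [ 'jsdoc' ]
console.log("after: ", misplacedDevTools(PKG_AFTER));  // []
```

Running `npm ls --omit=dev` (or `npm ls --prod`) after the change is the quick way to confirm that jsdoc and its transitive packages no longer appear in the production tree.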
--
This message was sent by Atlassian Jira
(v8.20.10#820010)