Jens-G opened a new pull request, #3505: URL: https://github.com/apache/thrift/pull/3505
## Summary

- `jsdoc` is a documentation generator and must not be a runtime dependency of the Thrift TypeScript library.
- Having it under `dependencies` caused `taffydb` (abandoned, HIGH) and `lodash` to be classified as production transitive dependencies, inflating the vulnerability surface of the published npm package.
- Moved `jsdoc` to `devDependencies` and regenerated `package-lock.json`; `taffydb` and `lodash` are now correctly classified as dev-only.

## Test plan

- [ ] Verify `npm install --omit=dev` in `lib/ts` no longer installs jsdoc, taffydb, or lodash.
- [ ] Verify `npm install` (with devDependencies) still succeeds and doc generation via `grunt jsdoc` still works.
- [ ] Confirm Dependabot alerts #61 (taffydb) and #229 (lodash HIGH) are resolved or reclassified after merge.

## Related

- THRIFT-6017: Upgrade jsdoc 3.6 → 4.x (eliminates taffydb entirely)
- THRIFT-6018: Remove phantom/phantomjs-prebuilt from lib/ts
- THRIFT-6019: Replace html-validator-cli in root package
- THRIFT-6020: Address remaining transitive npm vulnerabilities

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
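One way to check the prod/dev classification the test plan asks for without doing a network install, as an added example that is not part of this PR or of the Thrift code base: a small Node script over the `packages` map of a lockfileVersion 2/3 `package-lock.json`, where npm marks every entry reachable only through `devDependencies` with `"dev": true`; entries without that flag are what `npm install --omit=dev` would install. The two lockfiles embedded below are constructed fixtures (the name `example-runtime-dep` is a placeholder), not Thrift's real `lib/ts/package-lock.json`; the function names are this example's own.

```javascript
'use strict';

// Packages that must never appear in the production tree of lib/ts
// (the three named in the PR's test plan).
const FORBIDDEN_IN_PROD = ['jsdoc', 'taffydb', 'lodash'];

// Package name for a lockfile "packages" key, including nested installs:
// "node_modules/jsdoc/node_modules/lodash" -> "lodash".
function nameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Sorted, de-duplicated names of packages that `npm install --omit=dev`
// would install: every "packages" entry except the root ("") that npm has
// not flagged as dev-only. Lockfile v1 has no "packages" map, so refuse it
// rather than silently reporting an empty tree.
function productionPackages(lock) {
  if (!lock || typeof lock.packages !== 'object') {
    throw new Error('no "packages" map: lockfileVersion 1 is not supported, regenerate with npm >= 7');
  }
  const names = new Set();
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === '') continue;          // the root project itself
    if (entry.dev === true) continue;  // reachable only via devDependencies
    names.add(nameFromKey(key));
  }
  return [...names].sort();
}

// The subset of `forbidden` (in the order given) still present in the
// production tree; an empty array means the lockfile passes the check.
function forbiddenInProd(lock, forbidden = FORBIDDEN_IN_PROD) {
  const prod = new Set(productionPackages(lock));
  return forbidden.filter((name) => prod.has(name));
}

// Constructed fixture: shape of the lockfile *before* the change, with
// jsdoc under "dependencies" so it and its transitive taffydb/lodash carry
// no dev flag.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-runtime-dep': '^1.0.0', jsdoc: '^3.6.0' }, devDependencies: { grunt: '^1.0.0' } },
    'node_modules/example-runtime-dep': { version: '1.0.0' },
    'node_modules/jsdoc': { version: '3.6.11' },
    'node_modules/taffydb': { version: '2.6.2' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/grunt': { version: '1.6.1', dev: true },
  },
};

// Constructed fixture: the same tree *after* jsdoc moved to
// "devDependencies" and the lockfile was regenerated; everything reachable
// only through jsdoc is now flagged dev.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-runtime-dep': '^1.0.0' }, devDependencies: { grunt: '^1.0.0', jsdoc: '^3.6.0' } },
    'node_modules/example-runtime-dep': { version: '1.0.0' },
    'node_modules/jsdoc': { version: '3.6.11', dev: true },
    'node_modules/taffydb': { version: '2.6.2', dev: true },
    'node_modules/lodash': { version: '4.17.21', dev: true },
    'node_modules/grunt': { version: '1.6.1', dev: true },
  },
};

// One-line verdict for a lockfile, suitable for a CI log.
function report(label, lock) {
  const bad = forbiddenInProd(lock);
  return bad.length
    ? `${label}: FAIL, production tree still contains ${bad.join(', ')}`
    : `${label}: OK, production tree is ${productionPackages(lock).join(', ')}`;
}

console.log(report('before', LOCK_BEFORE));
console.log(report('after', LOCK_AFTER));
```

To run it against a real lockfile, replace the fixtures with `JSON.parse(fs.readFileSync('lib/ts/package-lock.json', 'utf8'))`; the check then fails exactly when one of the three names lacks the `dev` flag, which is the condition the first test-plan item verifies by installing with `--omit=dev`.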
