discussions-and-proposals
react-native-community/cli is added as a dependency in react-native instead of a dev-dependency
Introduction
React Native CLI packages are added as dependencies in react-native instead of devDependencies.
Details
From the react-native package.json, we found that three CLI packages:
@react-native-community/cli, @react-native-community/cli-platform-android, @react-native-community/cli-platform-ios
are added as dependencies instead of devDependencies. Our understanding is that the packages under the dependencies object in package.json are also shipped in the release artifact. Is that correct? If yes, what is the reason for keeping the CLI in the release build?
Our Project Impact
There is a security vulnerability related to xmldom 0.5.0, used by @react-native-community/cli-platform-ios 4.13.0 in [email protected]. We want to understand whether releasing the app with this vulnerability will impact the app's security.
Discussion points
- Are all dependencies shipped with the app in the release build?
- Why are the CLI packages added under dependencies instead of devDependencies?
RN wants to make the RN CLI available to devs (clients). The way package management in Node projects works is that devDependencies are not shipped to clients, so developers would have to put the RN CLI in their projects' devDependencies themselves to access the CLI APIs.
So, is the CLI shipped in the bundle? Most probably yes. Do we have to worry? No: unless you use RN CLI methods to parse XML you have nothing to worry about, because there's no way for someone to exploit this vulnerability from your app.
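A practical way to answer the first discussion point for a given package such as xmldom is to walk the install tree and check whether every edge from the project root is a production `dependencies` edge (the same information `npm ls xmldom` prints, and what decides whether `npm install --production` pulls the package in). The script below is an added example, not code from this thread, from react-native or from the CLI project. It walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3); the lockfile object, the version numbers and the extra `jest` entry are constructed for illustration and are assumptions, not the real react-native tree. It answers what npm installs on the developer machine, which is a different question from what the JavaScript bundler includes in the app.

```javascript
// Added example: trace every dependency chain from the project root to a target
// package in an npm lockfile (v2/v3 "packages" map) and tag each edge as a
// production edge (dependencies) or a dev edge (root devDependencies).
// SAMPLE_LOCK is constructed for illustration; versions and the jest entry are assumptions.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "react-native": "0.63.0" },
      devDependencies: { jest: "26.0.0" },
    },
    "node_modules/react-native": {
      version: "0.63.0",
      dependencies: {
        "@react-native-community/cli": "^4.10.0",
        "@react-native-community/cli-platform-ios": "^4.10.0",
      },
    },
    "node_modules/@react-native-community/cli": { version: "4.13.0", dependencies: {} },
    "node_modules/@react-native-community/cli-platform-ios": {
      version: "4.13.0",
      dependencies: { xmldom: "^0.5.0" },
    },
    "node_modules/xmldom": { version: "0.5.0" },
    "node_modules/jest": { version: "26.0.0", dev: true, dependencies: {} },
  },
};

// Node resolution as npm lays it out: look for <from>/node_modules/<name>,
// then climb one node_modules level at a time up to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (optional or missing dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; returns every chain that ends at `target`.
// Only the root's devDependencies are installed, so dev edges exist only there.
function dependencyChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const visit = (path, chain, prod) => {
    const pkg = packages[path];
    if (!pkg) return;
    const edges = Object.keys(pkg.dependencies || {}).map((n) => [n, prod]);
    if (path === "") {
      for (const n of Object.keys(pkg.devDependencies || {})) edges.push([n, false]);
    }
    for (const [name, isProd] of edges) {
      const next = resolveDep(packages, path, name);
      if (!next || chain.some((link) => link.path === next)) continue; // unresolved or cycle
      const link = { path: next, name, version: packages[next].version, prod: isProd };
      if (name === target) chains.push([...chain, link]);
      else visit(next, [...chain, link], isProd);
    }
  };
  visit("", [], true);
  return chains;
}

// A package is a production dependency if at least one chain uses only prod edges.
function isProductionDependency(lock, target) {
  return dependencyChains(lock, target).some((chain) => chain.every((link) => link.prod));
}

function formatChain(chain) {
  return chain.map((link) => `${link.name}@${link.version}`).join(" > ");
}

for (const target of ["xmldom", "jest"]) {
  console.log(`${target}: production=${isProductionDependency(SAMPLE_LOCK, target)}`);
  for (const chain of dependencyChains(SAMPLE_LOCK, target)) console.log("  " + formatChain(chain));
}
```

Point `SAMPLE_LOCK` at a real `package-lock.json` (read and `JSON.parse` it) to run this against your own project. In the constructed tree, xmldom is reachable only through react-native's own `dependencies`, so it is a production dependency of the app even though the app never imports it; jest is reachable only through a dev edge.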