gax-nodejs
Option to eliminate transitive production dependency on jsdoc
Hi, our security tools are complaining about jsdoc; so, I am trying to eliminate our transitive dependency on jsdoc.
$ npm ls --omit=dev jsdoc
<app>
└─┬ @google-cloud/[email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
I can effectively accomplish that with a postinstall script that removes jsdoc from node_modules, since our app doesn't use any of the features that require jsdoc. However, I have been asked to query about the possibility of eliminating jsdoc as a prod dependency.
Could it make sense for google-gax to provide multiple packages, including one that is jsdoc-free, so that dependent modules could have only a dev dependency on jsdoc?
Thanks.
Do security tools actually complain about the latest version of jsdoc? The taffydb dependency was dropped from jsdoc some time ago. Can you post some details about what the tools say?
Having said that, we have a plan to move the code that needs jsdoc to a separate package that would only be used as a devDependency for Cloud libraries, but it's obviously a breaking change and won't happen too soon.
The tool complaining is Prisma by Palo Alto Networks. I don't know if it complains about the latest version of jsdoc (I don't have access to it myself). I can ask. I have been told that we cannot post the details about what the tools say because of licensing issues, but in short, "the concern is that as html is generated from source code it may [contain] script and/or create XSS issue."
I see. We are currently working on splitting this package into two, and jsdoc won't be a part of the dependency chain of the runtime library. Right now, jsdoc is there because it's used by the pbts tool (a third-party tool, part of protobufjs-cli) to generate .d.ts typings, so no HTML is involved anywhere, but I understand it's unlikely that you could convince a tool.
Please wait for the split, which we expect might happen soon.