
Option to eliminate transitive production dependency on jsdoc #1429

Open
steve-stogner opened this issue Feb 28, 2023 · 3 comments
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: question Request for information or clarification. Not an issue.

Comments

steve-stogner commented Feb 28, 2023

Hi, our security tools are complaining about jsdoc, so I am trying to eliminate our transitive dependency on jsdoc.

$ npm ls --omit=dev jsdoc
<app>
└─┬ @google-cloud/secret-manager@4.2.0
  └─┬ google-gax@3.5.3
    └─┬ protobufjs-cli@1.1.0
      └── jsdoc@4.0.0

I can effectively accomplish that with a postinstall script that removes jsdoc from node_modules, since our app doesn't use any of the features that require jsdoc. However, I have been asked to query about the possibility of eliminating jsdoc as a prod dependency.

Could it make sense for google-gax to provide multiple packages, including one that is jsdoc-free, so that dependent modules could have only a dev dependency on jsdoc?

Thanks.
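One way to turn the `npm ls` check above into an automated gate, as an added example that is neither the issue author's postinstall script nor google-gax code: it walks the JSON form of `npm ls --omit=dev --json --all` and lists every chain from a direct production dependency to a named package. The tree below is a constructed sample that mirrors the chain shown in the issue; in CI you would feed it the real `npm ls` output instead.

```javascript
// Added example (not from the issue author or google-gax): report every
// production dependency chain that ends at a target package, using the
// JSON tree that `npm ls --omit=dev --json --all` prints.

// Constructed sample tree, shaped like npm's JSON output and mirroring
// the chain reported in the issue (app -> secret-manager -> gax -> cli -> jsdoc).
const sampleTree = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    '@google-cloud/secret-manager': {
      version: '4.2.0',
      dependencies: {
        'google-gax': {
          version: '3.5.3',
          dependencies: {
            'protobufjs-cli': {
              version: '1.1.0',
              dependencies: { jsdoc: { version: '4.0.0' } },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk over the nested `dependencies` maps. Each chain is an
// array of "name@version" strings from the direct dependency down to target.
// Deduped nodes in npm's output carry only a version and no children, so
// the recursion simply stops there.
function findChains(tree, target) {
  const chains = [];
  const walk = (deps, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${node.version}`];
      if (name === target) chains.push(here);
      walk(node.dependencies, here);
    }
  };
  walk(tree.dependencies, []);
  return chains;
}

// Gate: a non-empty result means the package is still in the production tree.
const hits = findChains(sampleTree, 'jsdoc');
for (const chain of hits) console.log(chain.join(' -> '));
console.log(hits.length ? 'jsdoc reachable in production tree' : 'jsdoc not reachable');
```

In a pipeline, `npm ls --omit=dev --json --all | node check.js` with a non-zero exit on any hit gives a repeatable version of the `npm ls` inspection, and the same walk can be pointed at any other package name.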

alexander-fenster (Contributor) commented

Do security tools actually complain about the latest version of jsdoc? The taffydb dependency was dropped from jsdoc some time ago. Can you post some details about what the tools say?

That said, we have a plan to move the code that needs jsdoc to a separate package that would only be used as a devDependency for Cloud libraries, but it's obviously a breaking change and won't happen too soon.

steve-stogner (Author) commented

The tool complaining is Prisma by Palo Alto Networks. I don't know if it complains about the latest version of jsdoc (I don't have access to it myself). I can ask. I have been told that we cannot post the details about what the tools say because of licensing issues, but in short, "the concern is that as html is generated from source code it may [contain] script and/or create XSS issue."

alexander-fenster (Contributor) commented

I see. We are currently working on splitting this package into two, and jsdoc won't be a part of the dependency chain of the runtime library. Right now, jsdoc is there because it's used by the pbts tool (a third party, part of protobufjs-cli) to generate .d.ts typings, so no HTML is involved anywhere, but I understand it's unlikely that you could convince a tool.

Please wait for the split which we expect might happen soon.
