Snyk as devDependency?
justlep opened this issue · 2 comments
justlep commented
Hello,
it's great that marpat's functionality relies on just 2 packages (lodash+joi).
However, snyk as a non-dev dependency pulls over 300 additional packages into any project using marpat, which is quite a no-go.
Have you considered using snyk as a devDependency instead?
Cheers
Luidog commented
@justlep I agree with you. I included snyk as a production dependency so that it could patch any vulnerabilities on install. However, I have found that including snyk actually adds vulnerabilities through their dependencies. I will attempt to remove snyk as a production dependency in the next release.