emotion-js/emotion

Development dependency included as project dependency

Piemontez opened this issue · 2 comments

https://github.com/emotion-js/emotion/blob/main/packages/babel-plugin/package.json

Development dependency included as project dependency:

The "@babel/helper-module-imports" library was included in the @emotion/babel-plugin module as a dependency instead of "devDependencies".

This incorrect dependency adds another buggy library (debug lib) to the final project.

Please move this dependency to the correct location "devDependencies". As long as it is incorrect, security analysis tools have marked this lib as a security flaw.

It is an actual dependency, see here:

import { addDefault, addNamed } from '@babel/helper-module-imports'

The fact that @emotion/react depends on @emotion/babel-plugin is a little bit questionable but changing that could be considered a breaking change right now.

> This incorrect dependency adds another buggy library (debug lib) to the final project.

This is a really popular library, an industry standard of sorts. If there is an issue with it, I feel like it should be raised in that project.

Perhaps it is the case that the adjustment will be made in the @babel/traverse library or @babel/helper-module-imports.

Makes more sense.
Thanks Andarist!
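Added example, not part of the thread or of the emotion code base: a small checker that tells whether a package flagged by a scanner is reachable through runtime `dependencies` or only through `devDependencies`, which is the distinction the issue turns on. The manifest graph is constructed sample data using the package names from the thread; `my-app`, `hypothetical-lint-tool`, `dev-only-lib` and `hypothetical-test-helper` are hypothetical.

```javascript
// Constructed sample manifests: names from the thread, edges simplified, versions omitted.
const manifests = {
  'my-app': {
    dependencies: ['@emotion/react'],
    devDependencies: ['hypothetical-lint-tool'],
  },
  '@emotion/react': { dependencies: ['@emotion/babel-plugin'] },
  '@emotion/babel-plugin': {
    dependencies: ['@babel/helper-module-imports'],
    devDependencies: ['hypothetical-test-helper'],
  },
  '@babel/helper-module-imports': { dependencies: ['@babel/traverse'] },
  '@babel/traverse': { dependencies: ['debug'] },
  'hypothetical-lint-tool': { dependencies: ['dev-only-lib'] },
  'hypothetical-test-helper': {},
  'dev-only-lib': {},
  debug: {},
};

// Return every chain from root to target that a package manager would install.
function findPaths(graph, root, target, includeRootDev) {
  const paths = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return; // cycle guard
    const next = [...trail, name];
    if (name === target) { paths.push(next); return; }
    const manifest = graph[name] || {};
    const edges = [...(manifest.dependencies || [])];
    // devDependencies are installed for the root project only,
    // never for packages pulled in as someone else's dependency.
    if (name === root && includeRootDev) edges.push(...(manifest.devDependencies || []));
    edges.forEach((dep) => walk(dep, next));
  };
  walk(root, []);
  return paths;
}

// 'runtime': present in a production install; 'dev-only': present only when
// the root's devDependencies are installed; 'absent': never installed.
function classify(graph, root, target) {
  if (findPaths(graph, root, target, false).length) return 'runtime';
  if (findPaths(graph, root, target, true).length) return 'dev-only';
  return 'absent';
}

console.log(classify(manifests, 'my-app', 'debug'));
console.log(findPaths(manifests, 'my-app', 'debug', false).map((p) => p.join(' > ')));
```

On a real project, `npm ls debug` (or `npm ls debug --omit=dev`) prints the same kind of chain from the installed tree.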