jestjs/jest

[Bug]: Dependency with outdated Windows executables

hyandell opened this issue · 5 comments

Version

Latest

Steps to reproduce

Eyeball review.

Per https://github.com/jestjs/jest/blob/main/package.json#L67 Jest depends on node-notifier. The node-notifier package contains vendor/ directories for snoreToast (LGPL-3.0) and notifu (BSD-3-Clause), each with previously compiled .exe files, presumably from those packages.

I don't know the OpenJS Foundation's licensing compatibility list, so I don't know if reliance on LGPL-3.0 is considered to be a concern. I did notice that the snoreToast executable was from 2019 and isn't updated to a 2023 release; and that both node-notifier and snoreToast seem to have been very quiet for the last year or so activity-wise. With greater attention on supply chain security, I thought I'd flag this.

Expected behavior

Just a heads up for Jest's review.

Actual behavior

:)

Additional context

No response

Environment

n/a

The link you provided is pointing to a dev dependency. This is not a Jest dependency, so it is incorrect to say that "Jest depends on node-notifier".

In this case node-notifier is simply used for testing the code base. More precisely, the node-notifier package is used to test the notify configuration option.

Totally understood that it's not a runtime dependency, and that we're into semantics where I would consider any runtime, test, dev dependencies to all be dependencies [especially if they have any opportunity to affect the contents of the release bytes].

All good if this isn't a concern for Jest, I'm not here to push for any change that isn't wanted :)

Yeah, we don't ship it (it's an optional peer (`"node-notifier": {`)), so I think we're alright. But just to be safe, let's see if @bensternthal can tell us 😃

Also, assuming since we don't have it as a dep ourselves it's fine, would it have been an issue? I really don't know how these things work 😅

With much embarrassment, I think at this stage this is a case of my inexperience with npm (I've more of a Maven background) and not identifying that I was looking at an older version of Jest in the dependency tree prior to your moving to peerDependencies. I think you've already fixed this in the later versions :/

[I think this can be closed, but leaving open so a Jest maintainer can have closure and, y'know, call me a fool etc :) ]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.