[Bug]: Dependency with outdated Windows executables
hyandell opened this issue · 5 comments
Version
Latest
Steps to reproduce
Eyeball review.
Per https://github.com/jestjs/jest/blob/main/package.json#L67 Jest depends on node-notifier. In the node-notifier package, it contains vendor/ directories for snoreToast (LGPL-3.0) and notifu (BSD-3-Clause), each with previously compiled .exe files, presumably from those packages.
I don't know the OpenJS Foundation's licensing compatibility list, so I don't know if reliance on LGPL-3.0 is considered to be a concern. I did notice that the snoreToast executable was from 2019 and isn't updated to a 2023 release; and that both node-notifier and snoreToast seem to have been very quiet for the last year or so activity-wise. With greater attention on supply chain security, I thought I'd flag this.
Expected behavior
Just a heads up for Jest's review.
Actual behavior
:)
Additional context
No response
Environment
n/a
The link you provided is pointing to a dev dependency. This is not a Jest dependency, so it is incorrect to say that "Jest depends on node-notifier". In this case node-notifier is simply used for testing the code base. More precisely, the node-notifier package is used to test the notify configuration option.
Totally understood that it's not a runtime dependency, and that we're into semantics where I would consider any runtime, test, dev dependencies to all be dependencies [especially if they have any opportunity to affect the contents of the release bytes].
All good if this isn't a concern for Jest, I'm not here to push for any change that isn't wanted :)
Yeah, we don't ship it (it's an optional peer (jest/packages/jest-reporters/package.json, line 60 in 0d222c1)).
Also, assuming since we don't have it as a dep ourselves it's fine, would it have been an issue? I really don't know how these things work 😅
With much embarrassment, I think at this stage this is a case of my inexperience with npm (I've more of a Maven background) and not identifying that I was looking at an older version of Jest in the dependency tree prior to your moving to peerDependencies. I think you've already fixed this in the later versions :/
[I think this can be closed, but leaving open so a Jest maintainer can have closure and, y'know, call me a fool etc :) ]
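The confusion in this thread (a vendored .exe in the tree, but in a package that is only a dev or peer dependency) is easy to settle mechanically. The script below is an added example, not code from the Jest project or from this issue: it walks a node_modules tree, attributes every prebuilt binary to its owning package, and reports whether that package is declared as a runtime dependency in the root package.json. The sample tree, the file name placeholder.exe and the fake contents are constructed for the demo; transitive packages show an empty declared_in list and need `npm ls --omit=dev <pkg>` to resolve.

```python
import json
import tempfile
from pathlib import Path

# File types that indicate prebuilt native code vendored into an npm package.
BINARY_SUFFIXES = {".exe", ".dll", ".node"}
DEP_FIELDS = ("dependencies", "optionalDependencies", "peerDependencies", "devDependencies")

def declared_deps(root):
    """Map each direct dependency of the root package.json to the fields declaring it."""
    pkg = json.loads((root / "package.json").read_text())
    kinds = {}
    for field in DEP_FIELDS:
        for name in pkg.get(field, {}):
            kinds.setdefault(name, set()).add(field)
    return kinds

def owning_package(rel_parts):
    """Name of the package that owns a file, taken from the deepest node_modules segment."""
    idx = max(i for i, p in enumerate(rel_parts) if p == "node_modules")
    name = rel_parts[idx + 1]
    if name.startswith("@"):  # scoped package: @scope/name
        name += "/" + rel_parts[idx + 2]
    return name

def audit_binaries(root):
    """Find vendored binaries and say whether their package is a runtime dependency."""
    root = Path(root)
    kinds = declared_deps(root)
    report = {}
    for path in (root / "node_modules").rglob("*"):
        if not path.is_file() or path.suffix.lower() not in BINARY_SUFFIXES:
            continue
        pkg = owning_package(path.relative_to(root).parts)
        fields = kinds.get(pkg, set())
        entry = report.setdefault(pkg, {
            "files": [],
            "declared_in": sorted(fields),  # empty => transitive, not declared at the root
            "runtime": bool(fields & {"dependencies", "optionalDependencies"}),
        })
        entry["files"].append(path.relative_to(root).as_posix())
    return report

def build_demo_tree():
    """Constructed sample project: node-notifier installed only as a devDependency."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps(
        {"name": "demo", "devDependencies": {"node-notifier": "*"}}))
    exe = root / "node_modules" / "node-notifier" / "vendor" / "snoreToast" / "placeholder.exe"
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"MZ")  # fake PE header, constructed for the demo
    return root

if __name__ == "__main__":
    for pkg, info in audit_binaries(build_demo_tree()).items():
        print(pkg, "runtime" if info["runtime"] else "dev/peer only", info["files"])
```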