[Bug]: Dependency with outdated Windows executables #15086
Comments
The link you provided is pointing to a dev dependency. This is not a Jest dependency, so it is incorrect to say that "Jest depends on node-notifier". In this case
Totally understood that it's not a runtime dependency, and that we're into semantics where I would consider any runtime, test, dev dependencies to all be dependencies [especially if they have any opportunity to affect the contents of the release bytes]. All good if this isn't a concern for Jest, I'm not here to push for any change that isn't wanted :)
Yeah, we don't ship it (it's an optional peer; see jest/packages/jest-reporters/package.json, line 60 in 0d222c1).
Also, assuming since we don't have it as a dep ourselves it's fine, would it have been an issue? I really don't know how these things work 😅
With much embarrassment, I think at this stage this is a case of my inexperience with npm (I've more of a Maven background) and not identifying that I was looking at an older version of Jest in the dependency tree prior to your moving to peerDependencies. I think you've already fixed this in the later versions :/ [I think this can be closed, but leaving open so a Jest maintainer can have closure and, y'know, call me a fool etc :) ]
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Version
Latest
Steps to reproduce
Eyeball review.
Per https://github.com/jestjs/jest/blob/main/package.json#L67, Jest depends on node-notifier. The node-notifier package contains vendor/ directories for snoreToast (LGPL-3.0) and notifu (BSD-3-Clause), each with previously compiled .exe files, presumably built from those projects.
I don't know the OpenJS Foundation's licensing compatibility list, so I don't know if reliance on LGPL-3.0 is considered to be a concern. I did notice that the snoreToast executable was from 2019 and isn't updated to a 2023 release; and that both node-notifier and snoreToast seem to have been very quiet for the last year or so activity-wise. With greater attention on supply chain security, I thought I'd flag this.
Expected behavior
Just a heads up for Jest's review.
Actual behavior
:)
Additional context
No response
Environment
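A defender-side check for the concern raised in the report above, written as an added example that is not part of this issue thread or of the Jest or node-notifier code: it walks a node_modules tree, identifies Windows PE executables by their magic bytes rather than by file extension, and reports the owning package, size and SHA-256 so each binary can be compared against the upstream project's release artifact. The package name `example-notifier` and the stub binary are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# DOS/PE header magic ("MZ"); matching on bytes catches renamed binaries
# that an extension filter such as *.exe would miss.
PE_MAGIC = b"MZ"

def owning_package(node_modules: Path, file: Path) -> str:
    """Return the npm package that owns `file`, handling @scope/name packages."""
    parts = file.relative_to(node_modules).parts
    return "/".join(parts[:2]) if parts[0].startswith("@") else parts[0]

def find_vendored_binaries(node_modules: Path) -> list[dict]:
    """Report every PE executable under node_modules with owner, size and SHA-256."""
    findings = []
    for path in node_modules.rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:          # read only the header first
            if fh.read(2) != PE_MAGIC:
                continue
        data = path.read_bytes()
        findings.append({
            "package": owning_package(node_modules, path),
            "path": path.relative_to(node_modules).as_posix(),
            "size": len(data),
            # Compare this digest with the hash of the upstream release binary.
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root: Path) -> Path:
    """Constructed sample: a hypothetical notifier package shipping a vendor/ stub binary."""
    nm = root / "node_modules"
    vendor = nm / "example-notifier" / "vendor" / "toaster"
    vendor.mkdir(parents=True)
    (vendor / "toaster.exe").write_bytes(PE_MAGIC + b"\x00" * 62)  # 64-byte PE stub
    (nm / "example-notifier" / "index.js").write_text("module.exports = {};\n")
    return nm

def scan_sample_tree() -> list[dict]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_vendored_binaries(build_sample_tree(Path(tmp)))

if __name__ == "__main__":
    for f in scan_sample_tree():
        print(f"{f['package']}: {f['path']} ({f['size']} bytes) sha256={f['sha256']}")
```

Point `find_vendored_binaries` at a real project's `node_modules` to list the prebuilt executables a dependency tree pulls in, then check each digest against the corresponding upstream release.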