This repository has been archived by the owner on Sep 14, 2022. It is now read-only.

Move mocha to devdependencies #591

Open
wants to merge 1 commit into
base: master


@DeeDeeG DeeDeeG commented Oct 15, 2019

mocha is a testing framework, so it shouldn't be needed outside of devdependencies.

Having fewer dependencies obviously pulls in fewer dependencies for those who use swagger in their project. That makes for a lighter node_modules folder, fewer things to keep up-to-date to satisfy npm audit and yarn audit, etc.

I hope this is simple and easy-to-review enough to be included in a maintenance release?

It's vulnerable, per `npm audit`, so we don't want it in production.

Inspired by GitHub user makuro's commit @ 9045d25.

makuro@9045d25

DeeDeeG commented Oct 15, 2019

This would fix both remaining security audit issues (actually just the ones which can be fixed only by touching package.json), when someone depends on the swagger package from their own project.

Since master of this repo is very up-to-date security-wise, vs the latest 0.7.5 release, a maintenance release would be greatly appreciated. (Otherwise, folks like myself may have to depend on swagger from git, or may have to depend on forks, etc.)


DeeDeeG commented Oct 15, 2019

See also #565 that simply updates mocha to a non-vulnerable version.

I would personally see merging both PRs as a great idea. Happy to rebase this PR over that one if it gets merged first.
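The check this thread argues for, as an added example that is not part of the pull request or the swagger repository: it flags test and lint tooling listed under `dependencies` in a package manifest and produces a manifest with those entries moved to `devDependencies`. The `DEV_ONLY_TOOLS` list, the function names and the sample manifest are assumptions made up for the illustration.

```javascript
// Added example, not code from the swagger repository.
// DEV_ONLY_TOOLS is an assumed, non-exhaustive list of packages that are
// normally needed only to test, lint or build a project.
const DEV_ONLY_TOOLS = new Set([
  "mocha", "chai", "jest", "sinon", "nyc", "eslint", "should", "supertest",
]);

// Return the names in `dependencies` that look like dev-only tooling.
// Consumers of a published package install its `dependencies` (and their
// transitive trees) but not its `devDependencies`.
function findMisplacedDevTools(pkg, devTools = DEV_ONLY_TOOLS) {
  return Object.keys(pkg.dependencies || {})
    .filter((name) => devTools.has(name))
    .sort();
}

// Return a copy of the manifest with those packages moved to
// devDependencies; version ranges are kept and the input is not mutated.
function moveToDevDependencies(pkg, names) {
  const dependencies = { ...(pkg.dependencies || {}) };
  const devDependencies = { ...(pkg.devDependencies || {}) };
  for (const name of names) {
    if (!(name in dependencies)) continue;
    // An existing devDependencies entry wins; otherwise carry the range over.
    if (!(name in devDependencies)) devDependencies[name] = dependencies[name];
    delete dependencies[name];
  }
  return { ...pkg, dependencies, devDependencies };
}

// Constructed sample manifest (names and versions are illustrative only).
const samplePkg = {
  name: "example-cli",
  version: "1.0.0",
  dependencies: { commander: "^2.7.1", mocha: "^5.2.0", lodash: "^4.17.15" },
  devDependencies: { should: "^13.2.3" },
};

const misplaced = findMisplacedDevTools(samplePkg);
const fixed = moveToDevDependencies(samplePkg, misplaced);
console.log("dev-only tools in dependencies:", misplaced);
console.log(JSON.stringify(fixed, null, 2));
```

A hit is a prompt to confirm the package is not required at runtime before moving it, since the name list is only a heuristic.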
