swagger-node

Move mocha to devdependencies

Open DeeDeeG opened this issue 6 years ago • 2 comments

mocha is a testing framework, so it shouldn't be needed outside of devdependencies.

Having fewer dependencies obviously pulls in fewer dependencies for those who use swagger in their project. That makes for a lighter node_modules folder, fewer things to keep up-to-date to satisfy npm audit and yarn audit, etc.

I hope this is simple and easy-to-review enough to be included in a maintenance release?

DeeDeeG • Oct 15 '19 18:10

This would fix both remaining security audit issues (actually just the ones which can be fixed only by touching package.json), when someone depends on the swagger package from their own project.

Since master of this repo is very up-to-date security-wise, vs the latest 0.7.5 release, a maintenance release would be greatly appreciated. (Otherwise, folks like myself may have to depend on swagger from git, or may have to depend on forks, etc.)

DeeDeeG • Oct 15 '19 18:10

See also #565, which simply updates mocha to a non-vulnerable version.

I would personally see merging both PRs as a great idea. Happy to rebase this PR over that one if it gets merged first.

DeeDeeG • Oct 15 '19 19:10