I found out that `react-view` was added as a dependency in #3681, but this change is adding a lot of dependencies.
I noticed this after running `npm audit` on my project, and by just installing `@elastic/eui`, a custom scoped version of prettier is being installed on my machine, which itself includes a number of dependencies.
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @elastic/eui │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @elastic/eui > react-view > @miksu/prettier > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
As a quick search on this repo shows that `react-view` is only being used for the playground, I think moving it to devDependencies should be safe.
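The following is an added example, not code from the issue or from the EUI project. It models why the audit path above reaches a consumer's install and why it disappears once `react-view` is listed under `devDependencies`. The manifests are constructed to mirror the audit path, `my-app` is a hypothetical consumer, and optional and peer dependencies are ignored.

```javascript
// Constructed manifests mirroring the audit path above; versions are omitted.
// Assumption: simplified model that ignores optional and peer dependencies.
function manifests(reactViewField) {
  return {
    "my-app": { dependencies: { "@elastic/eui": "*" } }, // hypothetical consumer
    "@elastic/eui": { [reactViewField]: { "react-view": "*" } },
    "react-view": { dependencies: { "@miksu/prettier": "*" } },
    "@miksu/prettier": { dependencies: { minimist: "*" } },
    minimist: {},
  };
}

// npm installs devDependencies only for the project being installed (the root),
// never for packages that arrive as dependencies of something else.
function edges(registry, name, isRoot) {
  const pkg = registry[name] || {};
  return Object.keys({
    ...pkg.dependencies,
    ...(isRoot ? pkg.devDependencies : {}),
  });
}

// Return every dependency path from `root` to `target` in "a > b" form.
function pathsTo(registry, root, target) {
  const found = [];
  const walk = (name, trail) => {
    if (name === target) {
      found.push(trail.join(" > "));
      return;
    }
    for (const dep of edges(registry, name, trail.length === 1)) {
      if (!trail.includes(dep)) walk(dep, [...trail, dep]); // guard against cycles
    }
  };
  walk(root, [root]);
  return found;
}

// Consumer install while react-view is a production dependency of @elastic/eui.
const before = pathsTo(manifests("dependencies"), "my-app", "minimist");
// Consumer install after react-view is moved to devDependencies.
const after = pathsTo(manifests("devDependencies"), "my-app", "minimist");
// Installing inside the @elastic/eui repository itself still pulls react-view in.
const euiOwnInstall = pathsTo(manifests("devDependencies"), "@elastic/eui", "minimist");
console.log({ before, after, euiOwnInstall });
```

The playground keeps working for contributors because the third result still resolves `react-view`, while consumers no longer receive that subtree.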