TL;DR -- the latest update to Shikijs includes some new dependencies that are not used much and also have the same single maintainer. This may introduce dependency risk as this is such a highly used library.
I don't think there's anything I'm going to do about this -- I trust antfu by proxy as he's a friend of a friend, and if he is adding additional libraries which may eventually lead to being able to drop the current massive wasm blob that is oniguruma... well, that seems like an overall win for security!
It's probably worth mentioning that TypeDoc was one of the first adopters of Shiki, ~4 years ago when the project started (yes, it's older than that on npm, but the Shiki project that we know today is only 4 years old), adding it as a dependency of TypeDoc. I believe it had <10k downloads/week at that point.
If you're concerned about single-user maintained projects, well, I'm pretty sure both Shiki and TypeDoc qualify. antfu has done almost all of the work for Shiki, and I have effectively been the sole maintainer of TypeDoc for the past 5 years.
Please see: shikijs/shiki#843