UNPKG

@nodesecure/flags

Version:
54 lines (53 loc) 1.89 kB
<div> <h1>🌲 hasIndirectDependencies</h1> <p> The package has indirect (or also called transitive) dependencies. This means that the child dependencies of the package also have dependencies. </p> <br /> <a target="_blank" rel="noopener noreferrer" href="https://i.imgur.com/GQBUwbp.png" ><img src="https://i.imgur.com/GQBUwbp.png" width="300" data-canonical-src="https://i.imgur.com/GQBUwbp.png" style="max-width:100%;" /></a> <br /><br /> <p> In the following example <b>accepts</b> is flagged 🌲 because <b>mime-types</b> has a <b>mime-db</b> dependency which mean that the package is an indirect dependency of <b>accepts</b>. </p> <br /> <p> Indirect dependencies are dangerous for many reasons and you may found useful informations in these articles / study: </p> <br /> <ul> <li> <a href="https://snyk.io/blog/78-of-vulnerabilities-are-found-in-indirect-dependencies-making-remediation-complex/" rel="nofollow" >78% of vulnerabilities are found in indirect dependencies, making remediation complex</a > </li> <li> <a href="https://arxiv.org/pdf/1902.09217.pdf" rel="nofollow" >Small World with High Risks: A Study of Security Threats in the npm Ecosystem</a > </li> <li> <a href="https://snyk.io/blog/angular-vs-react-the-security-risk-of-indirect-dependencies/" rel="nofollow" >Angular vs React: the security risk of indirect dependencies</a > </li> </ul> </div>