You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Optional dependencies are mostly not very useful. Especially when a project is mainly developed on Windows. Sometimes it makes sense to set optional=false for a project. However, pnpm currently resolves the optional dependencies and adds them to the lockfile even if optional is set to false. As a consequence, pnpm audit will report vulnerabilities about optional dependencies even though they are not installed.
Changing the way the optional setting works might be not a good idea as it is a setting that may be declared globally. Instead, we may add a new option called ignoreOptionalDependencies that would have to be added to the pnpm field of the package.json file.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
pnpm
-
Optional dependencies are mostly not very useful. Especially when a project is mainly developed on Windows. Sometimes it makes sense to set
optional=falsefor a project. However, pnpm currently resolves the optional dependencies and adds them to the lockfile even ifoptionalis set tofalse. As a consequence,pnpm auditwill report vulnerabilities about optional dependencies even though they are not installed.Changing the way the optional setting works might be not a good idea as it is a setting that may be declared globally. Instead, we may add a new option called
ignoreOptionalDependenciesthat would have to be added to thepnpmfield of thepackage.jsonfile.Beta Was this translation helpful? Give feedback.
All reactions