Steps to reproduce
- Install flowbite-react@0.12.17 in a React app
- Run npm install
- Inspect node_modules/flowbite-react/package.json or the generated lockfile
Current behavior
flowbite-react still brings in these alias dependencies:
- tailwind-merge-v2: npm:tailwind-merge@2.6.1
- tailwind-merge-v3: npm:tailwind-merge@3.4.0
Both of these aliases are being flagged by GitHub Advanced Security as well as npmjs as having contained malware: GHSA-53q4-wj32-3vv9 and GHSA-3679-84c2-v5xm
Because the aliases are referenced directly in the published package code, dependency review tooling flags them in downstream projects and marks the project as insecure. Another issue on this topic is #1665, which the user closed.
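The inspection from the reproduction steps, done programmatically: the script below is an added example, not code from flowbite-react or its maintainers. It finds `npm:` alias specifiers in a package.json manifest and, in a lockfileVersion 2/3 package-lock, resolves each alias to the real package and version it installs, so that an advisory published against the real package (here tailwind-merge) can be traced back to the alias entry that pulls it in. The manifest and lockfile it runs on are constructed sample data with an assumed library name (`some-library`), not the project's actual files.

```javascript
// Added example: locate npm alias dependencies ("alias": "npm:<real-name>@<range>")
// in a manifest and in a lockfileVersion 2/3 package-lock, and resolve each alias
// to the real package@version it installs. Sample data below is constructed.

// Alias specifier grammar: "npm:" + optional scope + name + optional "@range".
const ALIAS_SPEC = /^npm:((?:@[^/@]+\/)?[^@]+)(?:@(.+))?$/;

// Parse one dependency entry; returns null when the specifier is not an alias.
function parseAliasSpec(alias, spec) {
  const m = ALIAS_SPEC.exec(spec);
  if (!m) return null;
  return { alias, realName: m[1], range: m[2] ?? "*" };
}

// Aliases declared by a single manifest, e.g. node_modules/<pkg>/package.json.
function findAliasesInManifest(manifest) {
  const out = [];
  for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
    for (const [alias, spec] of Object.entries(manifest[field] ?? {})) {
      const parsed = parseAliasSpec(alias, spec);
      if (parsed) out.push({ ...parsed, field });
    }
  }
  return out;
}

// Folder name a lockfile "packages" key installs under (segment after the last "node_modules/").
function installedNameOf(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// In lockfileVersion 2/3, an aliased install carries a "name" that differs from
// the folder it sits in. Report each such entry with the real package and version.
function findAliasesInLockfile(lock) {
  const out = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages ?? {})) {
    if (pkgPath === "") continue; // root project entry
    const installedAs = installedNameOf(pkgPath);
    if (entry.name && entry.name !== installedAs) {
      out.push({ path: pkgPath, alias: installedAs, realName: entry.name, version: entry.version });
    }
  }
  return out;
}

// Group by real package@version: advisories are keyed by the real name, so this
// is the view to compare against a dependency review finding.
function realPackagesInstalledViaAlias(lock) {
  const byReal = new Map();
  for (const a of findAliasesInLockfile(lock)) {
    const key = `${a.realName}@${a.version}`;
    if (!byReal.has(key)) byReal.set(key, []);
    byReal.get(key).push(a.alias);
  }
  return byReal;
}

// Constructed sample manifest for an assumed library ("some-library"); the
// alias specifiers mirror the shape described in the issue.
const SAMPLE_MANIFEST = {
  name: "some-library",
  version: "0.0.0",
  dependencies: {
    "tailwind-merge-v2": "npm:tailwind-merge@2.6.1",
    "tailwind-merge-v3": "npm:tailwind-merge@3.4.0",
    "example-dep": "^1.0.0",
  },
};

// Constructed sample lockfile (lockfileVersion 3 shape) for an app depending on it.
const SAMPLE_LOCKFILE = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "some-library": "^0.0.0" } },
    "node_modules/some-library": { version: "0.0.0", dependencies: SAMPLE_MANIFEST.dependencies },
    "node_modules/tailwind-merge-v2": { name: "tailwind-merge", version: "2.6.1" },
    "node_modules/tailwind-merge-v3": { name: "tailwind-merge", version: "3.4.0" },
    "node_modules/example-dep": { version: "1.0.0" },
  },
};

for (const a of findAliasesInManifest(SAMPLE_MANIFEST)) {
  console.log(`manifest: ${a.alias} -> ${a.realName}@${a.range} (${a.field})`);
}
for (const [realPkg, aliases] of realPackagesInstalledViaAlias(SAMPLE_LOCKFILE)) {
  console.log(`lockfile: ${realPkg} installed via ${aliases.join(", ")}`);
}
```

To run it against a real installation, replace the two constants with `JSON.parse(fs.readFileSync(...))` of `node_modules/<pkg>/package.json` and `package-lock.json`; the lockfile view is the one that tells you which real version a flagged alias actually resolves to.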
Expected behavior
I’d expect the published package to avoid installing the aliased tailwind-merge-v2 / tailwind-merge-v3 packages, or at least provide a path for downstream consumers to avoid them.
Context
We use flowbite-react in a corporate GitHub environment with dependency review on PRs. These alias packages are being flagged by security policy, which blocks merges for downstream consumers even though we do not reference them directly in our app.