Remove unused decompress dependency#2393
Conversation
|
There was a problem hiding this comment.
Pull request overview
Removes the unused decompress npm dependency (and related transitive packages/license entries) to address the referenced security advisory (OPS-4620) and reduce the dependency surface area in the OpenOps monorepo.
Changes:
- Removed
decompressand@types/decompressfrom rootpackage.json. - Updated
package-lock.jsonto dropdecompress@4.2.1and its transitive dependency tree (reclassifying some remaining packages as dev-only where applicable). - Pruned corresponding entries from
THIRD_PARTY_LICENSES.txtfor packages no longer included.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| THIRD_PARTY_LICENSES.txt | Removes license blocks for decompress and related transitive packages that are no longer included. |
| package.json | Drops decompress and @types/decompress from dependencies/devDependencies. |
| package-lock.json | Removes decompress@4.2.1 subtree and updates dependency metadata accordingly. |
Claude PR Review — #2393: Remove unused decompress dependencyAuthor: ravikiranvm | Base: VerdictSHIP — removes a genuinely unused dependency flagged by a security advisory; no reliability concerns. SummaryThis PR drops the Verification performed
FindingsNone. LGTM. Testing gapsNone applicable — pure dependency removal with no source changes. CI's |



Fixes OPS-4620.
Additional Notes
Removing this unused dependancy due to security warning.
See GHSA-mp2f-45pm-3cg9