Bump dependency escodegen to ^2.0.0
Upgrade the dependency escodegen from ^1.12.0 to ^2.0.0. This is a major
version bump because the minimum Node.js version changed from 4.0 to 6.0,
which doesn't affect this package because 6.0 is already the minimum
version required by some other dependencies (e.g. get-caller-file).
This change is motivated by a vulnerability reported in word-wrap, which
is introduced in the dependency tree through escodegen and then optionator.
The package optionator has resolved this problem starting in v0.9.2. This
upgrade path will likely, if ever, only become available in the escodegen
v2.0.0 release line (it already is on its development head).
For more information see: https://github.com/estools/escodegen/issues/456
Also, while working on this I noticed that it actually looks like escodegen
is unused and could be removed as a dependency (along with @types/escodegen).
I opted to submit this patch first because it is more clearly correct - I'm not
necessarily familiar enough with the internals of this project to say if a
dependency is actually unused.
For completeness, I ran both depcheck and unimported against this project and
found (after manual evaluation) the following dependencies appear to be unused:
- escodegen (and @types/escodegen)
- esprima (and @types/esprima)
- estraverse (and @types/estraverse)
- @types/estree
- inversify