Remove uri-js from dependencies

[zekth]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the issue has not already been raised

Issue

uri-js is creating vulnerabilities issues in downstream repositories: ajv-validator/ajv#1978

We use it to test feature parity. As this package has been abandoned what we can do is installing it in CI and test against it and not requiring it within the package.json

[Uzlopak]

As I said ibn the other issue: uri-js is a dev dependency. Why should it be resulting in a warning like that?

[Uzlopak]

I think the issue is in ajv, as it still uses uri-js and not our implementation. We dont need to change anything imho

[zekth]

As I said ibn the other issue: uri-js is a dev dependency. Why should it be resulting in a warning like that?

Lot of security scanners are considering dev-dependencies same as dependencies because some are used to transpile code.

[mcollina]

I think you might have some issue with configuring your security scanners, usually they don't pick up 3rd party devdependencies.

[zekth]

Working with severals over the years; some are brain dead and don't allow this. As also some security teams don't even want to care about this neither.

[climba03003]

Would you consider https://www.npmjs.com/package/uri-js-replace as a replacement for compatible test?

[zekth]

if it's maintained and doesn't have CVEs yes.