Skip to content

Remove danfojs-node; inline the small CSV piece we used#16

Merged
jhamon merged 1 commit into
mainfrom
deps/remove-danfojs
Jul 9, 2026
Merged

Remove danfojs-node; inline the small CSV piece we used#16
jhamon merged 1 commit into
mainfrom
deps/remove-danfojs

Conversation

@jhamon

@jhamon jhamon commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Root cause #1 of 3

danfojs-node was used only to read a CSV into rows and drop incomplete ones, yet it dragged in @tensorflow/tfjs-node, xlsx, and the deprecated request package — the single largest source of security alerts in this repo. Several of those alerts have no published npm fix (xlsx moved off npm; request is unmaintained), so they can't be resolved with version overrides — the dependency has to go.

Following the pattern of #6 (inlining langchain's Document), this PR inlines the tiny piece we actually used and drops the dependency.

Changes

  • Add src/utils/csv.ts — a compact RFC-4180 CSV parser (handles quoted fields, embedded commas/newlines, escaped "" quotes, CRLF) plus a dropEmptyRows() helper mirroring danfojs' dropNa().
  • csvLoader.ts returns CSVRow[] instead of a danfojs DataFrame.
  • index.ts operates on row arrays (slice) instead of DataFrame head/tail/toJSON/dropNa.
  • Delete src/utils/dataLoader.ts — dead code (nothing imported it) and the only consumer of json2csv and cross-fetch.
  • package.json — drop danfojs-node, json2csv, cross-fetch, @types/json2csv.
  • Add tests/csv.test.ts covering the parser's edge cases.

Impact

Removes danfojs-node, @tensorflow/tfjs-node, xlsx, and request from the dependency tree entirely (including the unfixable xlsx/request alerts). npm audit: 46 → 37.

Verification

  • npm run build, tsc --noEmit, npm test (23 pass, 9 new), npm run lint — all green.
  • End-to-end run of splitFile → loadCSVFile → dropEmptyRows on a CSV containing quoted commas, an embedded newline (split across physical lines by fileSplitter, then reassembled), a missing column, and escaped quotes — all parsed/filtered correctly.

Context

First of three root-cause PRs replacing the closed overrides PR (#15). Follow-ups: migrate @xenova/transformers@huggingface/transformers (protobufjs/onnxruntime cluster), and upgrade vitest v2 → v3 (dev tooling cluster + form-data/lodash via jsdom).

🤖 Generated with Claude Code

danfojs-node was used only to read a CSV into rows and drop incomplete
ones, yet it dragged in @tensorflow/tfjs-node, xlsx, and the deprecated
request package — the single largest source of security alerts, several
of which have no published npm fix (xlsx moved off npm; request is
unmaintained). Following the pattern of #6 (inlining langchain's
Document), we inline that tiny piece and drop the dependency.

Changes:
- Add src/utils/csv.ts: a compact RFC-4180 CSV parser (handles quoted
  fields, embedded commas/newlines, escaped quotes, CRLF) plus a
  dropEmptyRows() helper mirroring danfojs' dropNa().
- csvLoader.ts returns CSVRow[] instead of a danfojs DataFrame.
- index.ts operates on row arrays (slice) instead of DataFrame
  head/tail/toJSON/dropNa.
- Delete src/utils/dataLoader.ts: dead code (nothing imported it) and
  the only consumer of json2csv and cross-fetch.
- Drop danfojs-node, json2csv, cross-fetch, and @types/json2csv from
  package.json.
- Add tests/csv.test.ts covering the parser's edge cases.

Removes danfojs-node, @tensorflow/tfjs-node, xlsx, and request from the
dependency tree entirely. npm audit: 46 -> 37 vulnerabilities.

Verified: npm run build, tsc --noEmit, npm test (23 pass), npm run lint
all green, plus an end-to-end run of splitFile -> loadCSVFile ->
dropEmptyRows on a CSV containing quoted commas, an embedded newline,
and escaped quotes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jhamon jhamon merged commit ef0a5f1 into main Jul 9, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant