Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2022/04/06 19:48:32 UTC

[GitHub] [openwhisk-wskdebug] alexkli commented on pull request #96: fix: swap isomorphic-fetch for node-fetch for security issue

alexkli commented on PR #96:
URL: https://github.com/apache/openwhisk-wskdebug/pull/96#issuecomment-1090707082

   @shazron Thanks for digging deeper on this!
   
   > npm 7 by default will install peer dependencies
   
   That is a problem. ngrok must NOT be installed by default as it conflicts with the Apache licensing of openwhisk. That's why it was made a peer dependency - so that it does not get installed by default and that a developer must actively choose to install it themselves, while still working with the nodejs code and linters (that otherwise complain about missing require() dependencies).
   
   Now if npm 7 has changed the peer behavior, we need to find a different way where a simple `npm install` would not install it. I think this is probably best to be fixed in a separate PR that we need to come up with and merge before this one (it essentially blocks any other changes to this repo).
   
   Any smart ideas on how to achieve that? cc @rabbah 
   
   Sorry that you ran into this with your change.

