You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2021/09/11 18:57:14 UTC
[GitHub] [cordova-lib] breautek opened a new pull request #879: chore: package-lock update
breautek opened a new pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879
<!--
Please make sure the checklist boxes are all checked before submitting the PR. The checklist is intended as a quick reference, for complete details please see our Contributor Guidelines:
http://cordova.apache.org/contribute/contribute_guidelines.html
Thanks!
-->
### Platforms affected
### Motivation and Context
<!-- Why is this change required? What problem does it solve? -->
<!-- If it fixes an open issue, please link to the issue here. -->
Resolves ~9 sub-dependency vulnerabilities
### Description
<!-- Describe your changes in detail -->
### Testing
<!-- Please describe in detail how you tested your changes. -->
### Checklist
- [ ] I've run the tests to see all new and existing tests pass
- [ ] I added automated test coverage as appropriate for this change
- [ ] Commit is prefixed with `(platform)` if this change only applies to one platform (e.g. `(android)`)
- [ ] If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct [keyword to close issues using keywords](https://help.github.com/articles/closing-issues-using-keywords/))
- [ ] I've updated the documentation if necessary
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek merged pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek merged pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917484880
@NiklasMerz do you think there would be pushback if we start adding .npmrc configs to our cordova repos to re-assert npm registry is npms official registry?
Would avoid mistakes like this in the future by having a project level npm config.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] purplecabbage commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
purplecabbage commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917675567
Okay, yeah that makes sense.
Let's commit 'em
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917654419
Package-lock is intended to be committed, as it ensures that two developers on two different machines will install the exact same dependencies when they run npm install.
Not to be confused when users are using this package as a library, in which case their root package-lock is used.
From NPM: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json
This file is intended to be committed into source repositories, and serves various purposes:
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
Facilitate greater visibility of tree changes through readable source control diffs.
Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] purplecabbage commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
purplecabbage commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917664769
This sums up what I think ...
Apps yes, libs no
https://github.com/sindresorhus/ama/issues/479#issuecomment-310661514
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek edited a comment on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek edited a comment on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917654419
Package-lock is intended to be committed, as it ensures that two developers on two different machines will install the exact same dependencies when they run npm install.
Not to be confused when users are using this package as a library, in which case their root package-lock is used.
From NPM: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json
>This file is intended to be committed into source repositories, and serves various purposes:
>
>Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
>
>Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
>
>Facilitate greater visibility of tree changes through readable source control diffs.
>
>Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
>
>As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917483860
> > Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.
>
> Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?
Npm will still work with a message that "it will try its best".
But not really sure what that means exactly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] codecov-commenter edited a comment on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
codecov-commenter edited a comment on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917465112
# [Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#879](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (96309ed) into [master](https://codecov.io/gh/apache/cordova-lib/commit/dd872f044211592b11c17d23d56cd17192e4b51f?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (dd872f0) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
```diff
@@ Coverage Diff @@
## master #879 +/- ##
=======================================
Coverage 91.13% 91.13%
=======================================
Files 45 45
Lines 2053 2053
=======================================
Hits 1871 1871
Misses 182 182
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [dd872f0...96309ed](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917674737
There was a consensus back in 2018 via https://github.com/apache/cordova/issues/4#issuecomment-420728477 to add package-locks, which is why variety of our packages have package-locks.
If you ask my personal opinion on package-locks, I hate them, mostly for the reasons described by sindresorhus.
However, not committing them still presents the same issues described by sindresorhus, unless we (the maintainers) are constantly wiping the package-lock & node_modules and reinstalling from scratch. We could configure NPM via `.npmrc` to disable package locks so they won't be generated in the first place but this also have a few consequences:
1. node_modules are not automatically pruned if package-locks are disabled. They can be manually pruned via `npm prune`.
2. NPM installs will be slower (however not sure how significant since most cordova repos are fairly small anyway)
3. npm ci command requires package-lock or shrinkwrap, so CI workflows may have to be updated accordingly to use `npm install` instead.
4. npm audit I believe also requires package-lock or shrinkwrap
Despite it's flaws I think the benefits of package-lock still outweighs the consequences of not committing/disabling package-lock.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] codecov-commenter commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917465112
# [Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#879](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (f09df85) into [master](https://codecov.io/gh/apache/cordova-lib/commit/dd872f044211592b11c17d23d56cd17192e4b51f?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (dd872f0) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
```diff
@@ Coverage Diff @@
## master #879 +/- ##
=======================================
Coverage 91.13% 91.13%
=======================================
Files 45 45
Lines 2053 2053
=======================================
Hits 1871 1871
Misses 182 182
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [dd872f0...f09df85](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] dpogue commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
dpogue commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917483098
> Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.
Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917517856
Set my registry back to `registry.npmjs.org` and regenerated the package-lock. This PR is rebased for the correction.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] breautek commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
breautek commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917483712
> I just checked package.json again and found out all URLs point to a totalpave registry: `https://registry.totalpave.com`
>
> @breautek Please rebuild package-lock.json again with the NPM registry setup.
>
> Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.
Argh! Oops!
That's work stuff bleeding in... ill fix it when i get home
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] codecov-commenter edited a comment on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
codecov-commenter edited a comment on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917465112
# [Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#879](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (f09df85) into [master](https://codecov.io/gh/apache/cordova-lib/commit/dd872f044211592b11c17d23d56cd17192e4b51f?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (dd872f0) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
```diff
@@ Coverage Diff @@
## master #879 +/- ##
=======================================
Coverage 91.13% 91.13%
=======================================
Files 45 45
Lines 2053 2053
=======================================
Hits 1871 1871
Misses 182 182
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [dd872f0...f09df85](https://codecov.io/gh/apache/cordova-lib/pull/879?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
[GitHub] [cordova-lib] purplecabbage commented on pull request #879: chore: package-lock update
Posted by GitBox <gi...@apache.org>.
purplecabbage commented on pull request #879:
URL: https://github.com/apache/cordova-lib/pull/879#issuecomment-917649412
Mostly we should not be committing package-lock, except for the cli itself ... am I missing something?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org