Skip to content

Dependabot alerts package override#856

Merged
tyaginidhi merged 3 commits into
mainfrom
users/nityagi/DepndabotAlertsPackageOverride
Feb 22, 2024
Merged

Dependabot alerts package override#856
tyaginidhi merged 3 commits into
mainfrom
users/nityagi/DepndabotAlertsPackageOverride

Conversation

@tyaginidhi

Copy link
Copy Markdown
Contributor

This pull request includes changes to the package.json file to specify the minimum required version of npm and to override certain package versions.

Here are the key changes:

  • package.json: The engines field now includes a specification for npm version >=8.3.0. This means that the project now requires at least version 8.3.0 of npm to run.
  • package.json: The overrides field has been added to the optionalDependencies section. This field specifies that the versions of jsrsasign and axios should be ^11.0.0 and ^0.28.0 respectively, overriding any other specified versions.

@tyaginidhi tyaginidhi marked this pull request as ready for review February 21, 2024 11:16
@tyaginidhi tyaginidhi requested review from a team as code owners February 21, 2024 11:16

@alexvy86 alexvy86 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is correct, but since we don't use npm ourselves (we use pnpm) I'm a bit unsure if what I see in the lockfile is expected. E.g. lines 754 and 749 still have the non-overridden versions, but maybe that's normal. The way you specified overrides makes sense to me according to the docs. At least I'd double check that in your local clone of the repo, node_modules/@fluidframework/azure-client/node_modules/@fluidframework/server-services-client/node_modules/axios/package.json has the expected version (something that matches (^0.28.0), and the same for jsrsasign.

@tyaginidhi

tyaginidhi commented Feb 22, 2024

Copy link
Copy Markdown
Contributor Author

I think this is correct, but since we don't use npm ourselves (we use pnpm) I'm a bit unsure if what I see in the lockfile is expected. E.g. lines 754 and 749 still have the non-overridden versions, but maybe that's normal. The way you specified overrides makes sense to me according to the docs. At least I'd double check that in your local clone of the repo, node_modules/@fluidframework/azure-client/node_modules/@fluidframework/server-services-client/node_modules/axios/package.json has the expected version (something that matches (^0.28.0), and the same for jsrsasign.

Per the npm docs this is the best way to make sure any dependency which is axios and jsrsasign will only use the version we overriden with - but yeah we would rather that packages themselves use whatever version they are bringing in - this can cause trouble later IF we miss removing these overrides- https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

Also verified the node_modules for @fluidframework/server-services-client - it does not have axios in its node_modules - so i believe its pulling the npm package from root node_modules and thats set to 0.28.0 currently - so we are good

@tyaginidhi tyaginidhi merged commit 8e60dfc into main Feb 22, 2024
@tyaginidhi tyaginidhi deleted the users/nityagi/DepndabotAlertsPackageOverride branch February 22, 2024 08:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants