Dependabot alerts package override#856
Conversation
alexvy86
left a comment
There was a problem hiding this comment.
I think this is correct, but since we don't use npm ourselves (we use pnpm) I'm a bit unsure if what I see in the lockfile is expected. E.g. lines 754 and 749 still have the non-overridden versions, but maybe that's normal. The way you specified overrides makes sense to me according to the docs. At least I'd double check that in your local clone of the repo, node_modules/@fluidframework/azure-client/node_modules/@fluidframework/server-services-client/node_modules/axios/package.json has the expected version (something that matches (^0.28.0), and the same for jsrsasign.
Per the npm docs this is the best way to make sure any dependency which is axios and jsrsasign will only use the version we overriden with - but yeah we would rather that packages themselves use whatever version they are bringing in - this can cause trouble later IF we miss removing these overrides- https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides Also verified the node_modules for |
This pull request includes changes to the
package.jsonfile to specify the minimum required version ofnpmand to override certain package versions.Here are the key changes:
package.json: Theenginesfield now includes a specification fornpmversion>=8.3.0. This means that the project now requires at least version8.3.0ofnpmto run.package.json: Theoverridesfield has been added to theoptionalDependenciessection. This field specifies that the versions ofjsrsasignandaxiosshould be^11.0.0and^0.28.0respectively, overriding any other specified versions.