Socket: Review the following changes in direct dependencies.

Socket: All alerts resolved. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
Author: Note that this PR is also blocking releases in
Author: @SocketSecurity ignore npm/jws@3.2.3 seems fine
VerteDinde approved these changes (Dec 18, 2025)
erickzhao added commits that referenced this pull request (Dec 18, 2025)
Our init tests have a release-blocking issue at the moment.

Given: yarn lerna:version, which bumps all versions in Electron Forge to the next semantic release version without tagging or releasing.

Then: init tests run against the current build of Forge. They will attempt to install an unreleased version for any version bump PR and the tests will fail. For an example of this in action, see #4094.

Solution

Verdaccio is an npm proxy registry. This PR adds a new spawn-verdaccio.ts tool script that runs a new instance of the registry on localhost and runs the lerna publish command on Forge with the --registry flag pointing to Verdaccio. Then, the script will attempt to run any command that it's fed through args with an additional set of environment variables to correctly point the package manager to Verdaccio (NPM_CONFIG_REGISTRY, YARN_NPM_REGISTRY_SERVER, YARN_UNSAFE_HTTP_WHITELIST).

Alternatives considered

Initially, I tried to modify initLink to point all Forge deps to the file: protocol. This worked fine with npm, but fell apart a bit with Yarn and pnpm when dealing with the workspace: protocol (albeit I also tried to wire up local node_modules dependencies via the file: protocol as well and that caused more issues). In the end, I chose the Verdaccio solution since it's package manager-agnostic. It's not a perfect replacement for initLink since it doesn't respond to changes in the original JavaScript code (it just tarballs the dist folder), but works well in tests and CI.

Caveats

- lerna publish (even to Verdaccio) requires a clean working tree, so you'll need to commit all changes before running yarn test:verdaccio. Any tests that leave committable artifacts will also mess up the Verdaccio tests because Lerna will be unable to publish.
- yarn config set dynamically in CI will cause these tests to fail because it modifies .yarnrc.yml on the fly.
- init tests currently run against Verdaccio, but there might be room in the future to do so with other tests that install deps (e.g. TypeScript template tests).
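As an added example (not the PR's own spawn-verdaccio.ts), this sketches the flow described under Solution together with the clean-working-tree caveat: refuse to start if git reports uncommitted paths, start Verdaccio on localhost, publish into it with lerna publish --registry, then run the supplied command with the three registry environment variables set. Assumed, not taken from the PR: the registry URL and port, the npx invocations, the from-package positional and --yes flag, that YARN_UNSAFE_HTTP_WHITELIST takes the registry hostname, and that the Verdaccio config permits publishing from this user.

```typescript
// Added example, not the Forge PR's spawn-verdaccio.ts: start a local Verdaccio,
// publish the monorepo into it, then run a command pointed at that registry.
import { spawn, spawnSync } from 'node:child_process';
export const DEFAULT_REGISTRY = 'http://localhost:4873'; // assumed: Verdaccio's default port
/** Child env that redirects npm, pnpm and Yarn Berry to `registry` (var names from the PR). */
export function buildRegistryEnv(registry: string, base: NodeJS.ProcessEnv = process.env): NodeJS.ProcessEnv {
  const host = new URL(registry).hostname; // throws on a malformed URL instead of silently hitting npmjs
  return {
    ...base,
    NPM_CONFIG_REGISTRY: registry,      // honoured by npm and pnpm
    YARN_NPM_REGISTRY_SERVER: registry, // Yarn Berry
    YARN_UNSAFE_HTTP_WHITELIST: host,   // Yarn Berry refuses plain-http registries unless the host is whitelisted
  };
}
/** lerna publish needs a clean tree; surface the offending paths before anything is started. */
export function uncommittedPaths(cwd = process.cwd()): string[] {
  const out = spawnSync('git', ['status', '--porcelain'], { cwd, encoding: 'utf8' });
  if (out.status !== 0) throw new Error(`git status failed: ${out.stderr}`);
  return out.stdout.split('\n').filter((l) => l.trim() !== '').map((l) => l.slice(3));
}
/** Poll Verdaccio's ping endpoint until it answers or the timeout elapses. */
export async function waitForRegistry(registry: string, timeoutMs = 30_000): Promise<boolean> {
  const deadline = Date.now() + timeoutMs;
  while (Date.now() < deadline) {
    try { if ((await fetch(`${registry}/-/ping`)).ok) return true; } catch { /* not listening yet */ }
    await new Promise((r) => setTimeout(r, 500));
  }
  return false;
}
export async function runWithVerdaccio(cmd: string[], registry = DEFAULT_REGISTRY): Promise<number> {
  const dirty = uncommittedPaths();
  if (dirty.length) throw new Error(`commit or stash before publishing: ${dirty.join(', ')}`);
  const verdaccio = spawn('npx', ['verdaccio', '--listen', new URL(registry).port], { stdio: 'inherit' });
  try {
    if (!(await waitForRegistry(registry))) throw new Error(`Verdaccio not reachable at ${registry}`);
    // from-package publishes the versions package.json already carries (e.g. after yarn lerna:version).
    // Assumes the Verdaccio config allows this user to publish.
    const pub = spawnSync('npx', ['lerna', 'publish', 'from-package', '--registry', registry, '--yes'], { stdio: 'inherit' });
    if (pub.status !== 0) throw new Error('lerna publish to Verdaccio failed');
    const run = spawnSync(cmd[0], cmd.slice(1), { stdio: 'inherit', env: buildRegistryEnv(registry) });
    return run.status ?? 1;
  } finally {
    verdaccio.kill(); // always tear the registry down, even when publish or the command fails
  }
}
// Usage: tsx spawn-verdaccio-example.ts yarn test   (with no arguments it only defines the helpers)
const args = process.argv.slice(2);
if (args.length > 0) runWithVerdaccio(args).then((code) => process.exit(code));
```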