Resolving Component Governance and Dependabot issues (updating package lock.json)
Don Jayamanne edited this page Jan 29, 2023 · 2 revisions
- Ensure you have the right version of node and npm (as documented in CONTRIBUTING.md).
- Assume `jquery-ui` needs to be updated to a minimum of `1.13.2`:
  - Add a section in `overrides` within the `package.json` file as follows.
  - Next run `npm install`, and this will ensure the `package-lock.json` is updated accordingly.
    - This will ensure any package using `jquery-ui` < `1.13.2` will be updated to `1.13.2`.
  - Try to use `<` or the like, to ensure packages can continue to use the latest versions. I.e. we don't want a package that uses jquery `1.19.0` to be forced into using `1.13.2`. A more real world example is: if the package that depends on [email protected] later updates the jquery version to 1.13.4 as part of addressing the dependabot issue, then our fix is no longer necessary.
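As an added illustration (not a snippet from this wiki page), here is what such a range-qualified `overrides` section in `package.json` looks like for the `jquery-ui` case above; the key format follows the `terser@<5.14.2` form used further down this page, and the package name and versions are the ones assumed in the text:

```json
{
  "overrides": {
    "jquery-ui@<1.13.2": "1.13.2"
  }
}
```

Because the key carries the `<1.13.2` range, only copies of `jquery-ui` older than `1.13.2` are rewritten; a dependency that already pulls in a newer `jquery-ui` keeps its own version, which is the behaviour the bullet above asks for.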
- Avoid updating `package-lock.json` manually.
  - Tomorrow if we end up re-generating the `package-lock.json` again, then the past updates will be lost.
  - Hence give preference to using `overrides` when updating packages to resolve `dependabot` issues.
- Never install packages manually as `dependencies` or `devDependencies` to address CG or dependabot issues. I.e. always specify values in `overrides`.
  - Except when the package is already an item within the `dependencies` or `devDependencies` section.
  - Basically, always use `overrides` in `package.json` to update nested dependencies.
- Sometimes the `package-lock.json` could have an entry that needs to be updated without the `<` range.
  - Assume `terser` needs to be updated to `5.14.2`, and we have added the following section into package.json:
    ```json
    "overrides": {
      "terser@<5.14.2": "5.14.2"
    }
    ```
  - If you inspect `package-lock.json` you might still find a reference to `5.12.2` as follows:
    ```json
    "terser": {
      "version": "5.12.1",
      "resolved": "https://registry.npmjs.org/terser/-/terser-5.12.1.tgz",
      "integrity": "sha512-NXbs+7nisos5E+yXwAD+y7zrcTkMqb0dEJxIGtSKPdCBzopf7ni4odPul2aechpV7EXNvOudYOX2bb5tln1jbQ==",
      "dev": true,
      "requires": {
        "acorn": "^8.5.0",
        "commander": "^2.20.0",
        "source-map": "~0.7.2",
        "source-map-support": "~0.5.20"
      }
    }
    ```
  - The only way to fix this is to remove the range specifier from the overrides as follows:
    ```json
    "overrides": {
      "terser": "5.14.2"
    }
    ```
  - Then run `npm i` to cause an update of the `package-lock.json` file.
  - Then update overrides to contain the range specifier again:
    ```json
    "overrides": {
      "terser@<5.14.2": "5.14.2"
    }
    ```