resolve yarn.lock, bump builder version, some packaging metadata #307
Conversation
|
Happy to make any other changes, or add docs/explanations... |
There was a problem hiding this comment.
Wieee this LGTM! THANK YOU @bollwyvl !!!!!! ❤️ 🎉 🌻
@yuvipanda @manics @ryanlovett, I figured I'd squeeze this change into 3.2.0 to get rid of a security warning.
It would feel nice to have another approval of this, because I don't understand the JS world very well, and since I'd like to include it in the 3.2.0 release.
|
@consideRatio Thanks for waiting for this to merge before release! I defer to the others as well since I feel the same about JS. If there’s no activity after a long period then I can research it, though I’m guessing someone else will chime in. |
|
Btw, I've looked into the security alerts and if they are solved by this yarn.lock update - sadly, they are not. It seems that the pinnings of @jupyterlab/application and its dependencies are too stringent and still referencing the packages with vulnerabilities.
Hmmm, but wait, it seems like @bollwyvl was the versions resolved to in yarl.lock in this PR recently updated? Do you understand what held back @jupyterlab/application from resolving to something more modern, like 3.2.4 than the 3.0.7 that we got? I note that there are even versions like 3.0.12 out, so it seems strange if we ended up with 3.0.7. |
|
I've re-pushed, replacing the
That being said: it's no secret that I despise the crazy version operators. I am not the first person to misunderstand them, and guarantee I won't be the last, so these might be wrong, but a look at the delta to the |
|
https://stackoverflow.com/questions/22343224/whats-the-difference-between-tilde-and-caret-in-package-json |
|
Sure, let's try it with |
|
I generally drop stuff into an online checker, e.g. https://jubianchi.github.io/semver-check/#/constraint/^2.0%20||%20^3.0 |
|
As, on closer inspection, we are running the tests, I've put the trove classifier back in. |
There was a problem hiding this comment.
Wieeeeeeeeeeeeeeeeeeeeeee!!! Thank you so much @bollwyvl for your thorough work with this!!!!! ❤️ 🎉
This LGTM - go for merge? If so, I'll go for a release of 3.2.0 including this finally - now with the security warnings resolved I think.
|
I'm really looking forward to this release!!! I wanted |
|
Aaaaahhh I'll go for a merge and release since I'm at the computer ready to do it right now and I think there is quite clear consensus on this change and to cut the release 3.2.0 with this added to it. |
|
I'm so excited about the new release. Could you also publish the updated version to pypi.org ASAP? |
|
@ndgayan sure can, it is available on PyPI now! |
Not knowing/using
jupyter-packagingmuch, I did the following:cd jupyterlab-server-proxy rm yarn.lock jlpm jlpm build:prodAnd seemed to have a working extension. I also bumped the version of
@jupyterlab/builderto be of the line that generatesthird-party-licenses.json: as it turns out, it only ships the shims forcss-loaderandstyle-loader. As thestyle/index.cssis actually empty, we could ship with no dependencies whatsoever without losing any functionality, which is actually quite attractive.Apropos #298, I restored one old-school compatibility name to make
jupyter serverextension enablework.I had some
pipissues (due to my environment no doubt), but rolled back any changes there except adding the relatively-new Lab trove classifiers. I've added, but commented outJupyterLab :: 2... if no longer tested, and nobody's crying out for it, I don't recommend we re-add it to the test matrix.Here's hoping CI is kind!