Chore: npm audit fix #8480
Conversation
Looks like
Here is an excerpt of the errors:
Need some insight @ShukantPal
(node:4199) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'map' of undefined
at mangled (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/model/lib/doc.js:296:50)
at discoverMembers (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/parser/lib/transformer/mod-discover-members.js:53:45)
at ensureDiscovered (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/parser/lib/transformer/mod-discover-members.js:21:3)
at discoverMembers (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/parser/lib/transformer/mod-discover-members.js:81:5)
at discover (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/parser/lib/transformer/mod-discover-members.js:116:3)
at Object.discover [as mod] (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/parser/lib/transformer/mod-discover-members.js:120:7)
at mod (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/parser/lib/transformer/document-tree-modifiers.js:66:22)
at parse (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/parser/lib/parse.js:82:38)
at async main (/home/runner/work/pixijs/pixijs/node_modules/@webdoc/cli/lib/index.js:136:5)
Related, I wish that webdoc threw an exit value of > 0, this crash does not fail the process, which it should IMO.
Ha, I missed that one, indeed that's a new error that wasn't there before. Downgrading to
I agree
Here are the lines that pixijs/packages/display/src/DisplayObject.ts, lines 1015 to 1021 in 2e6255b
It's expecting the method to have parameters when it mangles it, but the method has no parameters.
We can fix the problem by downgrading to Because That being said, an issue has probably been introduced between
Preference would be downgrade while webdoc works on the issue.
I downgraded all As it would only be a temporary solution to pin down the version, and that we can't add comments in the
Pinning to ~1.5.5 in the package.json is okay. I'm not sure how long it will take to be fixed, so making sure that's reflected in the dependencies is more helpful than just having it be in the lock.
With npm, we can't directly pin a sub-dependency. With:
{
  "devDependencies": {
    "@webdoc/cli": "~1.5.5",
    "@webdoc/parser": "~1.5.5",
    "@webdoc/model": "~1.5.5"
  }
}
Running So I'll have to add:
{
  "overrides": {
    "@webdoc/parser": "~1.5.5",
    "@webdoc/model": "~1.5.5"
  }
}
Which only works since npm v8.3.0.
There's a slight problem with this approach and requiring npm >= 8.3.0. See this version bumping script: https://github.com/pixijs/pixijs/blob/dev/package.json#L34 We use a specific version of npm@7 to do the version bump on the lock file (see #7396) to work around a bug in Lerna, which looks like it may have been fixed (lerna/lerna#3091). We probably need to update Lerna before we change this.
Yes, that's problematic: when a minor update of a sub-dependency has a blocking issue, we had to add a lot of stuff to fix it on previous versions of npm. The issue is already present on the repo, any I opened this PR not only to fix some security issues, but also to "clean" the Lerna v4 has a lot of deprecated dependencies and a security issue that can only be fixed by manually upgrading to Lerna v5. But we can also do it the other way around (upgrade Lerna first and then run
The fix is in webdoc@2.0.0 :) |
webdoc@2.0.0 also has no deprecated [transitive] dependencies.
Hello, I came across your issue by looking at the recent PR in Lerna. I could suggest an alternative, which would be to use Lerna-Lite, a smaller and more modular fork of Lerna. I created the fork when Lerna was nearly dead, before Nrwl came over. The commands are the same and I keep PRs in sync with Lerna, but I also added extra features which might be useful in your use case; I have this option Also note that recent versions of Lerna, v5.2.0 and higher, will also install Nx (want it or not) because they made Nx a dependency, whereas in Lerna-Lite Nx remains totally optional. If this doesn't help with your use case then please just disregard my comment.
I'm going to close this. I think we are ready for a new audit of dev since we've moved our v7 development there. Likely, we'll have a few more prereleases to iron-out any issues. |
Description of change
Update the package-lock.json using npm audit fix to fix auto-fixable security issues.
Pre-Merge Checklist
- npm run lint
- npm run test