-
Notifications
You must be signed in to change notification settings - Fork 295
Resolving Component Governance and Dependabot issues (updating package lock.json)
Don Jayamanne edited this page Jan 29, 2023
·
2 revisions
- Ensure you have the right version of node and npm (as documented in CONTRIBUTING.md
- Assume
jquery-ui
needs to be updated to a minimum of1.13.2
- Add a section in
overrides
within thepackage.json
file as follows
"overrides": { "jquery@<1.13.2": "1.13.2"
- Next run
npm install
and this will ensure thepackage-lock.json
is updated accordingly. - This will ensure any package using jquery-ui < 1.13.2 will be udpated to 1.13.2
- Try to use
<
or the like, to ensure packages can continue to use the latest versions. I.e. we don't want a package that uses jquery1.19.0
to be forced into using1.13.2
A more real world example is, if the package that depends on jquery-ui@1.12.0 later updates the jquery version to 1.13.4 as part of addressing the dependabot issue, then our fix is no longer necessary.
- Add a section in
- Avoid updating
package-lock.json
manually- Tomorrow if we end up re-generating the
package-lock.json
again, then the past updates will be lost. - Hence give preference to using
overrides
when updating packages to resolvedependabot
issues.
- Tomorrow if we end up re-generating the
- Never install packages manually as
dependencies
ordevDependencies
to address CG or dependabot issues. I.e. always specify values inoverrides
.- Except when the package is already an item within the
dependencies
ordevDependencies
section. - Basically, alway use
overrides
inpackage.json
to update nested dependencies.
- Except when the package is already an item within the
- Sometimes the
package-lock.json
could have an entry that needs to be updated without the<
range.- Assume
terser
needs to be udpated to5.14.2
, and we have added the following section into package.json
"overrides": { "terser@<5.14.2": "5.14.2"
- If you inspect
package-lock.json
you might still find a reference to5.12.2
as follows:
"terser": { "version": "5.12.1", "resolved": "https://registry.npmjs.org/terser/-/terser-5.12.1.tgz", "integrity": "sha512-NXbs+7nisos5E+yXwAD+y7zrcTkMqb0dEJxIGtSKPdCBzopf7ni4odPul2aechpV7EXNvOudYOX2bb5tln1jbQ==", "dev": true, "requires": { "acorn": "^8.5.0", "commander": "^2.20.0", "source-map": "~0.7.2", "source-map-support": "~0.5.20" },
- The only way to fix this is to remove the range specifier from the overrides as follows
"overrides": { "terser": "5.14.2"
- Then run
npm i
to cause an update of thepackage-lock.json
file. - Then update overrides to contain the range specifier again
"overrides": { "terser@<5.14.2": "5.14.2"
- Assume
- Contribution
- Source Code Organization
- Coding Standards
- Profiling
- Coding Guidelines
- Component Governance
- Writing tests
- Kernels
- Intellisense
- Debugging
- IPyWidgets
- Extensibility
- Module Dependencies
- Errors thrown
- Jupyter API
- Variable fetching
- Import / Export
- React Webviews: Variable Viewer, Data Viewer, and Plot Viewer
- FAQ
- Kernel Crashes
- Jupyter issues in the Python Interactive Window or Notebook Editor
- Finding the code that is causing high CPU load in production
- How to install extensions from VSIX when using Remote VS Code
- How to connect to a jupyter server for running code in vscode.dev
- Jupyter Kernels and the Jupyter Extension