switch to audit-filter from npm package #5061
Conversation
package.json
Outdated
| @@ -71,6 +72,7 @@ | |||
| "istanbul-middleware": "0.2.2", | |||
| "mocha": "5.2.0", | |||
| "node-sass": "4.9.4", | |||
| "npm": "^6.4.1", | |||
There was a problem hiding this comment.
npm (I believe from npm-run-all) is otherwise on 4.X, which doesn't support npm audit --json
There was a problem hiding this comment.
Hmm. I think the right way to do this would be to set the correct minimum npm version in the engines section, then maybe also add a config to set engine-strict to true? Might also want to bump the minimum node version in engines to the minimum for npm 6.4.1 to work; it's probably higher than 8.0.0, the current minimum.
package.json
Outdated
| @@ -53,6 +53,7 @@ | |||
| }, | |||
| "devDependencies": { | |||
| "addons-linter": "1.3.6", | |||
| "audit-filter": "^0.3.0", | |||
There was a problem hiding this comment.
This should be the exact version, "0.3.0"
package.json
Outdated
| @@ -71,6 +72,7 @@ | |||
| "istanbul-middleware": "0.2.2", | |||
| "mocha": "5.2.0", | |||
| "node-sass": "4.9.4", | |||
| "npm": "^6.4.1", | |||
There was a problem hiding this comment.
Hmm. I think the right way to do this would be to set the correct minimum npm version in the engines section, then maybe also add a config to set engine-strict to true? Might also want to bump the minimum node version in engines to the minimum for npm 6.4.1 to work; it's probably higher than 8.0.0, the current minimum.
g-k
force-pushed
the
audit-filter-from-npm
branch
2 times, most recently
from
76ee4c7 to
3b24171
Compare
|
@g-k Thanks for the update, looks good. I'll deal with the package-lock issues |
|
Aha. Looks like the gigantic list of integrity updates from sha512 down to sha1 is a platform difference between linux and mac. Software is hard, I guess npm/npm#17749 |
And, in classic "new npm" style, the bug was closed with no resolution |
|
Actually...the sha1 and sha512 changes seem totally random, and I'm getting them when regenerating package-lock on my machine. On the latest 6.4.1 version of npm. wtf? Why do we even bother with package-lock? |
jaredhirsch
force-pushed
the
audit-filter-from-npm
branch
from
3b24171 to
c54a9de
Compare
|
Hmm, still seeing package-lock.json conflicts. I guess I'll blow away the entire file and try again for a second time. |
|
Note test failures are due to a regression in master |
refs: #4948
NB: CI still fails because we haven't addressed some new advisories (they mostly look like lower priority ReDoSes).
r?