Don't override user specified depth in outdated #239
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Restores ability to update packages using `--depth` as suggested by `npm audit`. i.e `npm update eslint-utils --depth 2`.
|
I came across another PR related to infinity regressions which casts a little light on the original use of the infinity magic value to have different default behaviours in different commands: npm/npm#11726 (And like @G-Rath, not sure if that value is still relevant!) |
|
Thanks, this is definitely a bug. |
|
https://docs.npmjs.com/misc/config#depth
|
This was referenced Oct 26, 2019
This was referenced Nov 5, 2019
jaredhirsch
added a commit
to mozilla/fxa
that referenced
this pull request
Nov 14, 2019
* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel. * Also fix today's handlebars vulnerability, so that builds don't fail. Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? As a workaround, I've added exceptions where npm wasn't able to fixup vulnerabilities. Fixes #2229.
jaredhirsch
added a commit
to mozilla/fxa
that referenced
this pull request
Nov 14, 2019
* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel. * Also fix today's handlebars vulnerability, so that builds don't fail. Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
jaredhirsch
added a commit
to mozilla/fxa
that referenced
this pull request
Nov 15, 2019
* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel. * Also fix today's handlebars vulnerability, so that builds don't fail. Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
|
Seem to be experiencing this in npm
Update |
jaredhirsch
added a commit
to mozilla/fxa
that referenced
this pull request
Nov 18, 2019
* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel. * Also handle recent handlebars vulnerability, so that builds don't fail. * Note, the lint:deps job is a no-op in fxa-amplitude-send, as I can't get it to build yet in the monorepo. Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
jaredhirsch
added a commit
to mozilla/fxa
that referenced
this pull request
Nov 18, 2019
* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel. * Also handle recent handlebars vulnerability, so that builds don't fail. * Note, the lint:deps job is a no-op in fxa-amplitude-send, as I can't get it to build yet in the monorepo. Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
jaredhirsch
added a commit
to mozilla/fxa
that referenced
this pull request
Nov 18, 2019
* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel. * Also handle recent handlebars vulnerability, so that builds don't fail. * Note, the lint:deps job is a no-op in fxa-amplitude-send, as I can't get it to build yet in the monorepo. Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
This was referenced Dec 5, 2019
This was referenced Dec 18, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Restores ability to update packages using
--depthas suggested bynpm audit.i.e
npm update eslint-utils --depth 2.I've restored the previous conditional check, which was against
Infinity; however I've never worked innpm/clibefore, so don't know if that value still holds water :)How it is currently means the
npm update <package> --depth <depth>commands suggested bynpm auditwon't work, as anydepthvalue is clobbered to0if it's anything but, resulting in empty output.This is the related community bug report.
Since this was included in v6.6.0 onwards, it effects all versions of Node from
11.10.0onwards, as well as10.16.0+