-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(ls): make --omit
filter npm ls
#4744
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lukekarrys
force-pushed
the
lk/omit-ls
branch
2 times, most recently
from
April 13, 2022 17:53
85433d1
to
cc32a51
Compare
wraithgar
approved these changes
Apr 13, 2022
no statistically significant performance changes detected timing results
|
lukekarrys
force-pushed
the
lk/omit-ls
branch
2 times, most recently
from
April 13, 2022 21:45
9b3dac9
to
4ff2050
Compare
This makes `npm ls` use the same logic as other commands (eg `outdated`) when parsing config items that filter the output based on package type. Previously `--development` and `--production` has special semantics when used with `npm ls` that were inconsistent with the rest of the CLI. To achieve the same behavior as these deprecated flags use: - in place of `--development` use `--omit peer --omit prod --omit optional` - in place of `--production` use `--omit dev --omit peer` Fixes #4739
Merged
wraithgar
added a commit
that referenced
this pull request
Apr 19, 2022
tap snapshots don't fail if there are extra snapshots that aren't evaluated during the course of a test. There were tests removed in #4744 that didn't get removed from snapshots. This removes those snapshots
trentm
added a commit
to elastic/apm-agent-nodejs
that referenced
this pull request
Jul 18, 2022
The "Dist" step in the release process in Jenkinsfile was failing with npm ERR! code ELSPROBLEMS npm ERR! missing: @babel/cli@^7.8.4, required by elastic-apm-node@3.37.0 ... ditto for every *dev* dependency ... The part that was actually failing was 'npm ls --omit=dev --all --parseable' in "gen-notice.sh" when run in a dist try that only has the non-dev deps installed. The issue was a too-old npm: node 16.15.0 includes npm 8.5.5, but we require npm v8.7.0 to get support for 'npm ls --omit=dev ...' (npm/cli#4744).
trentm
added a commit
to elastic/apm-agent-nodejs
that referenced
this pull request
Jul 19, 2022
The "Dist" step in the release process in Jenkinsfile was failing with npm ERR! code ELSPROBLEMS npm ERR! missing: @babel/cli@^7.8.4, required by elastic-apm-node@3.37.0 ... ditto for every *dev* dependency ... The part that was actually failing was 'npm ls --omit=dev --all --parseable' in "gen-notice.sh" when run in a dist try that only has the non-dev deps installed. The issue was a too-old npm: node 16.15.0 includes npm 8.5.5, but we require npm v8.7.0 to get support for 'npm ls --omit=dev ...' (npm/cli#4744).
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this pull request
Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this pull request
Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this pull request
Aug 8, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this pull request
Aug 8, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.
undergroundwires
added a commit
to undergroundwires/privacy.sexy
that referenced
this pull request
Aug 8, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744. This commit also removes exiting with output of `npm audit` command to fix exiting with textual output, leading to failures.
LarrMarburger
added a commit
to LarrMarburger/privacy.sexy
that referenced
this pull request
Nov 16, 2023
This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744. This commit also removes exiting with output of `npm audit` command to fix exiting with textual output, leading to failures.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This makes
npm ls
use the same logic as other commands (egoutdated
)when parsing config items that filter the output based on package type.
Previously
--development
and--production
has special semantics whenused with
npm ls
that were inconsistent with the rest of the CLI. Toachieve the same behavior as these deprecated flags use:
--development
use--omit peer --omit prod --omit optional
--production
use--omit dev --omit peer
Fixes #4739