Request to remove "package-lock.json" to allow consumers to install the latest security fixes for all transitive dependencies based on semvers defined in "package.json"
#273 · Closed
mpawlow opened this issue May 16, 2024 · 1 comment
The package-lock.json is locking down library versions for all transitive (child) dependencies in the hierarchy.
Problem: This prevents the consuming service that is installing this library from automatically picking up the latest security fixes based on the semvers defined in package.json and all child dependencies.
e.g. We typically run npm update to pull in the latest library versions.
Also, it defeats the npm tree-shaking mechanism that consolidates duplicate library versions into a single version based on semver restrictions.
Note: Including package-lock.json at the library level doesn't seem to be an industry standard or best practice, based on the most popular Node libraries in the ecosystem.
From a DevOps perspective, only top-level services that include these libraries should define a package-lock.json when deploying the app to different environments (DEV, QA, PROD).
Solution: The request is to simply remove the package-lock.json file and not generate it.
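The issue turns on what a lockfile pins and what "npm update" would move. The following added example (not code from the issue, its author, or the project) audits a lockfile v3 "packages" map from the consuming project's side: it lists packages installed at more than one version (the duplicates the lockfile freezes in place) and every declared range whose pinned resolution sits below the newest in-range version. npm honours a package-lock.json only at the root of the project being installed, so this is meant to run against a consuming project's own lockfile. The package names, versions and the LATEST_KNOWN table standing in for a registry query are all constructed; only caret ranges and exact pins are understood, and prerelease tags are stripped rather than ordered.

```javascript
// Added example (not from the issue or the project): audit what a lockfile v3
// "packages" map actually pins, from the consuming project's side.
// Package names, versions and the "registry" table below are constructed.

const SAMPLE_LOCK = {
  name: "consumer-app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "consumer-app", version: "1.0.0",
          dependencies: { "lib-a": "^2.1.0" }, devDependencies: { "tool-d": "^3.0.0" } },
    "node_modules/lib-a": { version: "2.1.0", dependencies: { "util-b": "^1.2.0", "parser-c": "^6.0.0" } },
    "node_modules/util-b": { version: "1.2.0" },
    "node_modules/parser-c": { version: "6.3.0" },
    "node_modules/tool-d": { version: "3.0.1", dev: true, dependencies: { "util-b": "^1.2.5" } },
    // tool-d needs a newer util-b than lib-a, so a second copy is nested under it
    "node_modules/tool-d/node_modules/util-b": { version: "1.2.6" },
  },
};

// Constructed stand-in for the version lists a registry query would return.
const LATEST_KNOWN = {
  "lib-a": ["2.1.0", "2.1.3"],
  "util-b": ["1.2.0", "1.2.6", "1.2.8", "2.0.0"],
  "parser-c": ["6.3.0", "7.0.0"],
  "tool-d": ["3.0.1"],
};

// Plain X.Y.Z handling only; a prerelease suffix is stripped, not ordered.
function parseVersion(v) {
  const [major, minor, patch] = v.split("-")[0].split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret ranges only: ^X.Y.Z allows >= X.Y.Z and below the next major
// (below the next minor when X is 0). Anything else is treated as an exact pin.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) return range === version;
  const min = range.slice(1);
  if (compareVersions(version, min) < 0) return false;
  const pm = parseVersion(min), pv = parseVersion(version);
  return pm.major > 0 ? pv.major === pm.major : pv.major === 0 && pv.minor === pm.minor;
}

// Package name is whatever follows the last "node_modules/" (keeps "@scope/name" intact).
function nameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Mimic Node's resolution: look in the dependent's own node_modules, then walk up.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Packages installed at more than one version: the duplicates the lockfile keeps in place.
function duplicateVersions(lock) {
  const byName = new Map();
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (p === "") continue;
    const name = nameFromPath(p);
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(meta.version);
  }
  const dups = {};
  for (const [name, versions] of byName) {
    if (versions.size > 1) dups[name] = [...versions].sort(compareVersions);
  }
  return dups;
}

// Every declared range whose pinned resolution is below the newest in-range version
// we know of: these are the moves "npm update" would make if the lock did not hold them.
function staleLocks(lock, known) {
  const findings = [];
  for (const [fromPath, meta] of Object.entries(lock.packages)) {
    const ranges = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    for (const [dep, range] of Object.entries(ranges)) {
      const target = resolveDep(lock, fromPath, dep);
      if (!target) continue; // not installed (e.g. an optional dependency)
      const locked = lock.packages[target].version;
      const newest = (known[dep] || []).filter((v) => satisfiesCaret(range, v)).sort(compareVersions).pop();
      if (newest && compareVersions(locked, newest) < 0) {
        findings.push({ from: fromPath || "(root)", dep, range, locked, newest });
      }
    }
  }
  return findings;
}

console.log("duplicate versions:", duplicateVersions(SAMPLE_LOCK));
console.log("stale pins:", staleLocks(SAMPLE_LOCK, LATEST_KNOWN));
```

Running it against the constructed lockfile reports util-b installed twice and three pins (lib-a at the root, util-b under both lib-a and tool-d) that sit below a newer in-range release. Against a real project, replace SAMPLE_LOCK with the parsed package-lock.json and LATEST_KNOWN with the version lists from the registry; the resolution walk in resolveDep is what makes nested copies attribute to the right dependent.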
mpawlow changed the title from "Request to remove the "package-lock.json" to allow consumers to install the latest security fixes based on semvers defined in "package.json" and transitive dependencies" to "Request to remove "package-lock.json" to allow consumers to install the latest security fixes for all transitive dependencies based on semvers defined in "package.json"" on May 16, 2024