
fix npm audit issues #8

Merged
merged 1 commit into from Aug 9, 2019

Conversation

@Jimexist
Contributor

commented Aug 9, 2019

ran

npm audit fix
npm audit
@Jimexist

Contributor Author

commented Aug 9, 2019

There's a prototype pollution issue with lodash.
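The prototype pollution class mentioned in this comment, as an added example (not code from this PR or from lodash): a naive deep merge that lets a `__proto__` key from untrusted JSON reach `Object.prototype`, next to a hardened merge that refuses such keys, plus a small check for whether the shared prototype has been polluted. The payload and the function names are constructed for the demo.

```javascript
// Added example (not from the PR or from lodash): the prototype-pollution
// pattern that `npm audit` flags in affected deep-merge code, shown as a
// naive merge next to a hardened one. PAYLOAD is constructed for the demo.

// JSON.parse creates an *own* property literally named "__proto__";
// it does not go through the Object.prototype.__proto__ setter.
const PAYLOAD = JSON.parse('{"name": "demo", "__proto__": {"polluted": true}}');

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into every source key, including "__proto__".
// target["__proto__"] resolves to Object.prototype (an inherited accessor),
// so the recursive call writes "polluted" onto the prototype shared by every
// object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the keys that can reach the prototype chain, and only
// recurse into properties the target owns itself, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: did a property leak onto Object.prototype itself?
function prototypeIsPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```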

@ljharb

ljharb approved these changes Aug 9, 2019

Contributor

left a comment

semver means this is automatic, unless you have a lockfile (which we discourage for packages)

@Jimexist

Contributor Author

commented Aug 9, 2019

@ljharb that makes sense - but this probably (only) helps with this package's development per se

@Jimexist Jimexist merged commit c14fa3a into master Aug 9, 2019

2 checks passed: Travis CI - Branch Build Passed; Travis CI - Pull Request Build Passed

@Jimexist Jimexist deleted the fix-npm-audit-issues branch Aug 9, 2019

@Jimexist

Contributor Author

commented Aug 9, 2019

@ljharb I am sure that published files don't contain that lock?

@ljharb

Contributor

commented Aug 9, 2019

You’re correct - package-lock is a dev-only lockfile, so it only protects/affects developers, which is the reason it’s not a good idea on libraries :-)

@Jimexist

Contributor Author

commented Aug 9, 2019

@ljharb do you know a way to disable that? I'd think that at least it'll help to make the development environment more reproducible.

@ljharb

Contributor

commented Aug 9, 2019

Yep! Add package-lock=false to .npmrc and gitignore the 3 lockfile filenames.
