This repository has been archived by the owner on May 6, 2022. It is now read-only.

Cannot update to semantic-release/npm v7.1.0 #681

Closed
amclin opened this issue Apr 9, 2021 · 2 comments
Labels
bug Something isn't working dependencies Pull requests that update a dependency file released

Comments

@amclin
Owner

amclin commented Apr 9, 2021

@semantic-release/npm v7.1.0 and later introduce a breaking change because they introduce NPM 7. NPM 7 fails to play nicely on Node 12 or 14 when run from a spawned child process (#679).

See semantic-release/npm#357

@amclin amclin added bug Something isn't working dependencies Pull requests that update a dependency file labels Apr 9, 2021
@amclin
Owner Author

amclin commented Apr 13, 2021

Root cause is two-fold.

  1. The package used for code coverage badges, jest-coverage-badges, has a dependency with security issues (see pamepeixinho/jest-coverage-badges#19, "Update makedir dependency to resolve known security issue").
  2. When executing NPM 7 from within an NPM 6 subthread, the `npm install` command has a non-zero exit code because of the audit step reporting dependency warnings.

Solutions:

  • Mess around with which NPM binary is executed (see semantic-release/npm#357 (comment), "Updating from 7.0.10 to 7.1.0 breaks npm install when running on Node 12 or 14 with NPM 6.X")
    • This probably is a non-starter for this project because it could be quite difficult to achieve reliably in an OS-agnostic way
  • Set --no-audit flag on the npm install command so that the security warning doesn't break the process
    • Reliable, but hides potential security holes in dependencies. May be mitigated by GitHub's dependency alerts.
  • Remove jest-coverage-badges
    • Reliable for this one instance, but could happen again for any other package. Would also mean losing or replacing the code coverage badges capability in generated projects
  • Wait for jest-coverage-badges to update to eliminate the dependency's security flaw

amclin added a commit that referenced this issue Apr 22, 2021
Switches to dynamically install when running the badge generation step using npx instead
of including immediately as a dev dependency. This solves some security implications
caused by the module having some outdated dependencies that are reported by `npm audit`
and cause a unit test failure (see #681)

This improves the situation for `jest-coverage-badges` in particular, but does not provide
a universal solution for other dependencies that could cause the same problem in the future.
amclin pushed a commit that referenced this issue Apr 22, 2021
# [3.15.0](v3.14.5...v3.15.0) (2021-04-22)

### Bug Fixes

* **deps:** use npx command save for NPM v6 ([c20ff61](c20ff61))

### Features

* **deps:** include `jest-coverage-badges` only when needed ([3227983](3227983)), closes [#681](#681)
@amclin
Owner Author

amclin commented Nov 3, 2021

No longer a problem now that jest-badges is dynamically included and Node 12 has been dropped with v4

@amclin amclin closed this as completed Nov 3, 2021
@amclin amclin added the released label Nov 3, 2021