This repository has been archived by the owner on Aug 11, 2022. It is now read-only.
The package-lock.json system is entirely useless for us, at the moment.
Take the following situation
A depends on B
B defines a dependency C
now, C has some security issue
you decide to manually patch C in your root (A's) package-lock.json
this works fine. However you don't want to npm i C --save because you don't want to explicitly rely on C. You just want to fix this goddamn security issue, because B doesn't do it
now. This goes well for a while.
if you update B npm will OVERRIDE your package-lock rules on C
this just wtf's the sh** out of me. Now I even have a git-diff script that only does the following task:
remove the updates from npm update concerning the package C
How can the CLI team reproduce the problem?
This is not generally a "reproducible bug" type of bug. It is, as far as I understand from #17979, a general concept issue with package-lock
If you still need to reproduce this, here's our situation:
our package @inexorgame/treeclient depends on node-rest-client depends on debug@2.2.0 <- vulnerable
our package @inexorgame/inexor-flex depends on @inexorgame/treeclient
now, whenever we increase the patch version of @inexorgame/treeclient, we have to manually fix our package-lock.json again.
supporting information:
npm -v prints: 5.5.1
node -v prints: v8.4.0
npm config get registry prints: https://registry.npmjs.org/
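As an added example (not part of the issue or of npm itself), a check for the regression the reporter describes: after an npm update, walk the nested lockfileVersion 1 tree and list every copy of a package that is still below the version the lock was patched to. The sample lockfile and the 2.6.9 threshold are constructed for this example.

```python
"""Walk an npm lockfileVersion-1 package-lock.json and report every path at
which a package resolves to a version below a required minimum.
The lockfile below is constructed for this example; it mirrors the A -> B -> C
shape from the issue (inexor-flex -> treeclient -> node-rest-client -> debug)."""
import json

# Constructed sample: a v1 lockfile where the hoisted `debug` is newer, but the
# nested (non-hoisted) copy under node-rest-client is still at 2.2.0.
SAMPLE_LOCK = json.dumps({
    "name": "@inexorgame/inexor-flex", "version": "0.1.0", "lockfileVersion": 1,
    "dependencies": {
        "debug": {"version": "3.1.0"},
        "@inexorgame/treeclient": {
            "version": "0.1.2",
            "requires": {"node-rest-client": "^3.1.0"},
            "dependencies": {
                "node-rest-client": {
                    "version": "3.1.0",
                    "requires": {"debug": "~2.2.0"},
                    "dependencies": {"debug": {"version": "2.2.0"}},
                },
            },
        },
    },
})

def parse_version(v):
    """Turn '2.2.0' into (2, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def walk(deps, path=()):
    """Yield (path, name, version) for every entry in a nested v1 dependency tree."""
    for name, meta in deps.items():
        here = path + (name,)
        yield here, name, meta.get("version", "")
        yield from walk(meta.get("dependencies", {}), here)

def find_regressions(lock_text, package, min_version):
    """Return 'a > b > c@ver' strings for every copy of `package` below `min_version`."""
    lock = json.loads(lock_text)
    floor = parse_version(min_version)
    hits = []
    for path, name, version in walk(lock.get("dependencies", {})):
        if name == package and parse_version(version) < floor:
            hits.append(" > ".join(path) + "@" + version)
    return hits

if __name__ == "__main__":
    # 2.6.9 is an assumed threshold: use the version you actually patched the lock to.
    for hit in find_regressions(SAMPLE_LOCK, "debug", "2.6.9"):
        print("vulnerable copy still present:", hit)
```

Run it against the real package-lock.json in CI after npm update so a reverted nested copy fails the build instead of going unnoticed.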