Check if package-lock.json was changed and fail the build (Mobile only) #6915
Conversation
Pull Request Checklist
ci/common.groovy
@@ -53,14 +53,20 @@ def installJSDeps(platform) { | |||
def attempt = 1 | |||
def maxAttempts = 10 | |||
def installed = false | |||
def errroCode = 0 |
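Review bot: `errroCode` on the last added line is misspelled; rename it to `errorCode` here and at every later read of it in the retry loop so the exit status of the install command is tracked under one consistent name. The hunk header says this is a 20-line region, so please also make sure the renamed variable is what the `installed`/`maxAttempts` loop below actually tests before giving up.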
typo
fixed
@@ -8791,7 +8791,9 @@ | |||
} | |||
}, | |||
"react-native-http-bridge": { | |||
"version": "git+https://github.com/status-im/react-native-http-bridge.git#214301a806743d0ce04f4559c3d55b3e8ff95f5d" |
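Review bot: the `version` shown for `react-native-http-bridge` still resolves the package to a commit on the status-im fork (`git+https://github.com/status-im/react-native-http-bridge.git#214301a8…`) rather than to a registry release, which is the opposite of what the review comment below assumes, so the lock file and the intended dependency source should be reconciled before merging. Note also that a git URL dependency is pinned by that commit SHA rather than by a registry `integrity` hash, so the "lock file changed after npm install" check this PR introduces only protects this entry if a change to the SHA is treated the same as a change to an integrity field; worth confirming with a test run where only this line differs.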
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@flexsurfer @yenda so we have switched from our own fork of the react-native-http-bridge
back to the npm version, right?
Continuing my adventures.
I know we tried moving to yarn before and abandoned that for some reason, but haven't come across a write-up of what happened. It does seem to be something we'd want to do sooner rather than later, especially before Reproducible Builds.
Okay, I will try to switch us to Yarn, let's close this PR for now.
Due to vulnerabilities, like the one found in event-stream, we can't trust npm even when locking the version numbers.
Hence, we are trying to mitigate similar issues by checking if package-lock.json was updated after npm install and failing the build if it was.
The lock file contains a checksum of the minified package, so if someone updates it but keeps the same version, this script should detect it.
package-lock.json
content
npm install
package.json
are locked
fixes #6906
status: ready
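The check the PR description describes (snapshot package-lock.json, run the install, fail the build if the lock file differs) written out as a stand-alone POSIX shell step. This is an added example, not the project's ci/common.groovy code; it assumes sha256sum or shasum is on PATH and that the install command is passed in by the caller (so the same guard works for npm install or any other tool that may rewrite a lock file). Because the comparison is over the whole file's digest, an entry whose version string is unchanged but whose integrity checksum or pinned commit differs is still caught, which is the event-stream style case the PR is aimed at.

```shell
#!/bin/sh
# Added example (not the PR's own CI code): fail a build step when a lock
# file is rewritten as a side effect of running an install command.
# Assumes a POSIX sh with sha256sum or shasum available.

lockfile_digest() {
    # Print the SHA-256 of the file given as $1, or "missing" if it is absent,
    # so a deleted or newly created lock file also counts as a change.
    if [ ! -f "$1" ]; then
        echo missing
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: run_guarded_install <lockfile> <command> [args...]
# Runs <command>, then returns 1 if <lockfile> no longer has the digest it
# had before the command ran. Returns the command's own status if it fails.
run_guarded_install() {
    lock=$1
    shift
    before=$(lockfile_digest "$lock")
    "$@" || return $?
    after=$(lockfile_digest "$lock")
    if [ "$before" != "$after" ]; then
        echo "ERROR: $lock changed during '$*' ($before -> $after)" >&2
        echo "Commit the updated lock file deliberately or investigate the dependency." >&2
        return 1
    fi
    echo "OK: $lock unchanged by '$*'"
    return 0
}

# When invoked directly with arguments, behave as a CI step, e.g.:
#   sh guard.sh package-lock.json npm install
if [ "$#" -ge 2 ]; then
    run_guarded_install "$@"
fi
```

In a Jenkins pipeline this would be the body of the sh step that wraps the install; the non-zero return is what fails the build.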