pin dependencies from yarn.lock to package.json #244556
delanni merged 22 commits into elastic:main
Pinging @elastic/kibana-operations (Team:Operations)
…n' into delanni-pin-dependencies-in-package.json
```ts
if (typeof version !== 'string') continue;
```

```ts
if (version.startsWith('^') || version.startsWith('~')) {
  deps[name] = version.slice(1);
```
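Review bot: only a leading `^` or `~` is normalized in this branch, so any other range syntax that reaches `deps[name]` (for example `>=1.2.0`, `1.x`, `*` or an `a || b` alternative) is written back unchanged and the script silently accepts a non-exact version. Consider validating the value after the prefix strip (node-semver's `semver.valid()` returns `null` for anything that is not an exact version) and failing the check, or reporting the entry, when it is not exact.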
I'm not sure this is the correct fix.
^1.2.4 might refer to anything within the 1.x.x scope, so correcting it to 1.2.4 might be a downgrade. I think a more appropriate fix here could be to look up the resolved version of that package, either from node_modules/*/package.json or from yarn.lock.
This is meant to be a quick check for the newly added ones from now on, so what we change in this PR will be the baseline going forward. In any case, it's your PR and what you mentioned is a richer solution.
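The alternative raised in the thread above, looking the resolved version up in yarn.lock rather than stripping the range prefix, as an added example. This is not Kibana's `src/dev/no_pkg_semver_ranges` script; the function names, the classic (v1) lockfile parser and the sample `package.json` entries and lockfile are constructed here for illustration, and the `resolutions` field is deliberately left out, as in the PR.

```typescript
// Added example, not Kibana's src/dev/no_pkg_semver_ranges script. It pins
// package.json ranges to the version the (classic, v1) yarn.lock actually
// resolved and contrasts that with stripping the "^"/"~" prefix.
// All names and inputs below are constructed for illustration.

type Deps = Record<string, string>;

// The approach the reviewed snippet takes: drop a leading "^" or "~".
// "^7.3.0" becomes "7.3.0" even if the lockfile resolved 7.6.3 (a downgrade).
function stripRangePrefix(deps: Deps): Deps {
  const out: Deps = {};
  for (const name of Object.keys(deps)) {
    const spec = deps[name];
    out[name] = /^[\^~]/.test(spec) ? spec.slice(1) : spec;
  }
  return out;
}

// Parse a yarn lockfile v1 into { "name@range": resolvedVersion }.
// Entry headers sit at column 0, end in ":" and list one or more
// comma-separated, optionally quoted "name@range" keys; the indented
// `version "x.y.z"` line that follows applies to all of them.
function parseYarnLockV1(lock: string): Record<string, string> {
  const resolved: Record<string, string> = {};
  let currentKeys: string[] = [];
  for (const raw of lock.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (/^\s*$/.test(line) || /^#/.test(line)) continue;
    if (/^\S.*:$/.test(line)) {
      currentKeys = line
        .slice(0, -1)
        .split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = /^\s+version\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (m !== null) {
      for (const key of currentKeys) resolved[key] = m[1];
    }
  }
  return resolved;
}

// Plain "x.y.z" (optional prerelease/build suffix) needs no pinning.
function isExactVersion(spec: string): boolean {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(spec);
}

// Replace every range with the lockfile's resolved version. A range with no
// lockfile entry is reported rather than guessed: the alternative is to write
// a version that was never actually installed.
function pinToLockfile(
  deps: Deps,
  lock: Record<string, string>
): { pinned: Deps; unresolved: string[] } {
  const pinned: Deps = {};
  const unresolved: string[] = [];
  for (const name of Object.keys(deps)) {
    const spec = deps[name];
    // Exact versions and non-registry specs (link:, file:, workspace:) stay as they are.
    if (isExactVersion(spec) || /^(link|file|workspace):/.test(spec)) {
      pinned[name] = spec;
      continue;
    }
    const key = name + '@' + spec;
    if (Object.prototype.hasOwnProperty.call(lock, key)) {
      pinned[name] = lock[key];
    } else {
      pinned[name] = spec;
      unresolved.push(key);
    }
  }
  return { pinned, unresolved };
}

// Constructed sample inputs (not taken from the Kibana repository).
const SAMPLE_YARN_LOCK = [
  '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.',
  '# yarn lockfile v1',
  '',
  '"@babel/core@^7.24.0", "@babel/core@^7.25.2":',
  '  version "7.26.0"',
  '  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.26.0.tgz"',
  '',
  'lodash@4.17.21:',
  '  version "4.17.21"',
  '',
  'semver@^7.3.0, semver@^7.5.4:',
  '  version "7.6.3"',
  '  resolved "https://registry.yarnpkg.com/semver/-/semver-7.6.3.tgz"',
  '',
].join('\n');

const SAMPLE_DEPS: Deps = {
  '@babel/core': '^7.25.2',
  '@kbn/example-pkg': 'link:packages/example-pkg', // hypothetical local package
  'left-pad': '^1.3.0', // deliberately absent from the sample lockfile
  lodash: '4.17.21',
  semver: '^7.3.0',
};

function runSample(): { stripped: Deps; pinned: Deps; unresolved: string[] } {
  const stripped = stripRangePrefix(SAMPLE_DEPS);
  const { pinned, unresolved } = pinToLockfile(SAMPLE_DEPS, parseYarnLockV1(SAMPLE_YARN_LOCK));
  return { stripped, pinned, unresolved };
}

console.log(JSON.stringify(runSample(), null, 2));
```

With the sample inputs, `stripRangePrefix` turns `semver: ^7.3.0` into `7.3.0` while the lockfile had resolved `7.6.3`, which is the downgrade the thread describes; `pinToLockfile` writes `7.6.3`, leaves the exact and `link:` entries alone and reports `left-pad@^1.3.0` as unresolved instead of inventing a version for it.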
azasypkin
left a comment
Changes in .buildkite/scripts/steps/security/third_party_packages.txt LGTM. Thanks!
(Optional) It would be great if we could add some documentation to the code for src/dev/no_pkg_semver_ranges/index.ts to explain exactly what this script does, when it runs, and how it affects existing entries in package.json.
…otstrap' locally and then commit the changes and push to your branch
```ts
const PKG_JSON_PATH = resolve(REPO_ROOT, 'package.json');
const YARN_LOCK_PATH = resolve(REPO_ROOT, 'yarn.lock');
const DEPENDENCIES_FIELDS = ['dependencies', 'devDependencies'] as const;
const RESOLUTIONS_FIELD = 'resolutions';
```
@mistic I'm not sure if we should treat the resolutions field the same way. I'm afraid we can't find what the correct resolved version is for these patterns; for example, a packageA/packageB/**/packageC rule like this is hard to track down. So I left the resolution step to be a manual update.
It's up to you. I'm okay either way.
```ts
const PKG_JSON_PATH = resolve(REPO_ROOT, 'package.json');
const YARN_LOCK_PATH = resolve(REPO_ROOT, 'yarn.lock');
const DEPENDENCIES_FIELDS = ['dependencies', 'devDependencies'] as const;
const RESOLUTIONS_FIELD = 'resolutions';
```
This const is not used currently
💚 Build Succeeded
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
Summary
Closes #243396