Moving to lock file + adding package audit action config #8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
minond
changed the title
minond
changed the title
sambev
reviewed
Nov 2, 2022
| node-version: 16 | ||
| cache: npm | ||
|
|
||
| - run: npm audit --omit dev |
There was a problem hiding this comment.
Curious, why --omit dev vs --production? Is there even a difference?
There was a problem hiding this comment.
I guess reading it may just be shorthand:
either via the --omit config, or one of the shorthands such as --production, --only=dev
There was a problem hiding this comment.
I believe they're equivalent in this case.
sambev
approved these changes
Nov 2, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes failing build in downstream projects. I'm not sure why a dev dependency is causing
npm audit --omit devto fail in the Web Widget SDK (the dependency that is causing the failure is a dev dependency), but I think it may have something to do with the fact that this project uses a shrinkwrap instead of a lock file. I'll look into this in the future, for now I'm just upgrading the dependency.In addition, a new Action is added to run an npm audit on every PR and every month on a schedule.
EDIT: this is because of the shrinkwrap, here's an issue detailing the bug: npm/cli#4323, no solution is mentioned so I'm going to switch back to a regular lock file.