Update package.json #114
Fixes #113
removing trailing comma.
@Abhijay007 @JustinCappos I created a pull request to fix those pesky dependency vulnerabilities from dependabot. Everything looks to be working fine after following the suggestion of manually updating the trim and got packages.
Phil, I think we can add the `yarn.lock` file to the `.gitignore` as there is no
need of that; once people install dependencies using `yarn install` it will
be auto generated for them. It will be great if in our documentation we
mention that we use yarn for installing node modules and one should use
yarn instead of npm for that purpose as we originally used yarn for the
node dependencies.
@Abhijay007 according to this, it is best practice to version your yarn.lock. https://stackoverflow.com/questions/39990017/should-i-commit-the-yarn-lock-file-and-what-is-it-for Having the traceability in the repository helps prevent 'works on my machine' bugs.
Ya according to this It's LGTM
Here is the docu from the official yarn site about it...

Check into source control

All yarn.lock files should be checked into source control (e.g. git or mercurial). This allows Yarn to install the same exact dependency tree across all machines, whether it be your coworker’s laptop or a CI server. Framework and library authors should also check yarn.lock into source control. Don’t worry about publishing the yarn.lock file as it won’t have any effect on users of the library.

See https://yarnpkg.com/blog/2016/11/24/lockfiles-for-all/.

Ya this makes much sense now, thanks for sharing we can keep the yarn.lock
files
Summary of Changes
Created dependency resolutions to fix the following dependabot alerts.
https://github.com/uptane/uptane.github.io/security/dependabot/1
https://github.com/uptane/uptane.github.io/security/dependabot/2
Related Issue
Closes #113
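A check that `resolutions` pins like the ones discussed in this thread actually took effect in the committed `yarn.lock`, as an added example (not code from this pull request). It assumes a Yarn v1 lockfile and plain package names as `resolutions` keys; `parseYarnLock`, `findUnpinned` and all sample versions are constructed for illustration and are not the versions this PR pinned.

```javascript
// Parse a Yarn v1 lockfile into [{ name, specifiers, version }].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Header: one or more "name@range" specifiers, optionally quoted.
      const specifiers = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      // lastIndexOf keeps the leading "@" of scoped names intact.
      const first = specifiers[0];
      current = { name: first.slice(0, first.lastIndexOf('@')), specifiers, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^  version "(.+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Report lockfile entries whose resolved version differs from the pin
// declared under "resolutions" in package.json.
function findUnpinned(pkg, lockText) {
  const pins = pkg.resolutions || {};
  const has = (k) => Object.prototype.hasOwnProperty.call(pins, k);
  return parseYarnLock(lockText)
    .filter((e) => has(e.name) && e.version !== pins[e.name])
    .map((e) => `${e.name}@${e.version} (expected ${pins[e.name]})`);
}

// Constructed sample input: placeholder versions, not taken from the PR.
const SAMPLE_PKG = { resolutions: { trim: '0.0.3', got: '11.8.5' } };
const SAMPLE_LOCK = [
  '# yarn lockfile v1',
  '',
  '"@sindresorhus/is@^4.0.0":',
  '  version "4.6.0"',
  '',
  'got@^11.8.5, got@^9.6.0:',
  '  version "11.8.5"',
  '',
  'trim@0.0.1:',
  '  version "0.0.1"', // stale: lockfile was not regenerated after pinning
].join('\n');

console.log(findUnpinned(SAMPLE_PKG, SAMPLE_LOCK));
```

Running a check like this in CI against the committed lockfile catches the case where `package.json` was edited but `yarn install` was never re-run.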