New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
no name, version in package.json → broken Node Security Project #1454
Comments
I think you’ll find lerna 3 doesn’t mangle as much as v2, if you insist on using the hacky bootstrap method. |
I tried 3.0.0-beta.20, @evocateur, but ran into #1419 forced hoisting with incorrect paths. If someone is willing to fix the hoisting or give me some hints on where in the code to fix it myself, I'll give it another shot with my full repo and isolating the incorrect paths part if it's still happening in beta 21. |
I don't understand your reticence to "hoist" your devDependencies to the root. It's how lerna should have behaved in the first place, imo. |
Yeah, let's unpack it. Why not.
All that said:
Remaining concerns:
Zooming out, I'm getting the feel you're doubling down on support for monorepo management for packages which ship together as version-synchronised shards e.g. Turf and drifting away from support — which might have been accidental — for closed source internal teams using Lerna while shipping packages that ship separately with distinct versions. Which is fine, but let's call it out early so everyone in the latter category can make plans. |
Lerna automatically rewrites local path dependencies to monorepo packages during publishing. It's how I've published the last 9-10 |
Lerna itself has been dogfooding the relative file specifiers for almost all of the 3.0 betas so far.
Nothing has changed (nor will change) to our support for “independent” versioning. I switched a few internal monorepos to it just last week.
A dev dependency that takes 15 minutes to install sounds like a nightmarish urban legend. I don’t think it’s lerna’s responsibility to fix that, though you have my sympathy.
… On Jun 14, 2018, at 19:36, Pat Cavit ***@***.***> wrote:
Lerna automatically rewrites local path dependencies to monorepo packages during publishing. It's how I've published the last 9-10 modular-css releases.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Plain nightmare, I'm afraid. Try installing I'll double-check our workflow to see if we're up for |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
1 similar comment
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Due to
lerna bootstrap
runningnpm install
with a thinnedpackage.json
, thepackage-lock.json
produced bynpm
lacks thename
field required bynsp
, the Node Security Project. This is similar to #1415's lack of an updatedversion
.Expected Behavior
→
… indicating success.
Current Behavior
… because there's no
name
orversion
inpackage-lock.json
.Possible Solution
Write
name
andversion
to the temporarypackage.json
Steps to Reproduce (for bugs)
This isn't a buggy implementation. Rather, it's correct implementation of an insufficiently good definition of "done". Easily fixed, but I'll skip the repro if you don't mind.
lerna.json
Context
I can't check to see if any of my dependencies have security vulnerabilities.
I'm trying to use
nsp
to check to see if any of my dependencies have security vulnerabilities.Your Environment
lerna --version
npm --version
node --version
The text was updated successfully, but these errors were encountered: