Closed ChiaMineJP closed 4 months ago
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
Package | New capabilities | Transitives | Size | Publisher |
---|---|---|---|---|
npm/electron-playwright-helpers@1.7.1 | filesystem Transitive: environment, shell | +13 | 433 kB | jjeff |
npm/lerna@8.1.3 | environment, filesystem, network, unsafe Transitive: eval, shell | +479 | 51.4 MB | jameshenry |
npm/nx@19.0.1 | environment, filesystem, network, shell, unsafe Transitive: eval | +103 | 91.7 MB | nrwl-jason |
npm/source-map-loader@4.0.2 | None | +2 | 218 kB | evilebottnawi |
npm/typescript@5.4.5 | None | 0 | 32.4 MB | typescript-bot |
npm/victory@36.9.2 | None | +54 | 32.4 MB | formidablelabs |
🚮 Removed packages: npm/electron-playwright-helpers@1.6.0, npm/lerna@7.1.5, npm/nx@16.7.2, npm/source-map-loader@4.0.1
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎
This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
I tested the following items and confirmed all ok.
npm i
npm run build
npx lerna run dev:skipLocales --scope=@chia-network/gui
(Launch GUI)
Tested OSes
chown root:root node_modules/electron/dist/chrome-sandbox; chmod 4755 node_modules/electron/dist/chrome-sandbox
)
This PR looks like it is just updating the `lerna` version, but it is not that simple.
Steps to reproduce this change
`main` branch
`package-lock.json` and `node_modules`.
`npm cache clean -f`
`package.json` like below then run `npm i`
`lerna` version to "8.1.3"
`nx` version to `19.0.1`
`package.json`.
Why so complicated?
My environment: m1 Mac 14.3.1, NodeJS 18.20.3, npm 10.8.0
At first I just incremented lerna version to `8.1.3`. From that point, `npm run build` keeps failing with the strange message
After some investigation, I found that the version of `node_modules/tar/node_modules/minipass` was incorrectly set to `3.3.6` where `tar` specifies the version to `^5.0.0`.
I suspect that with workspace and multiple child package dependencies, `npm` was confused and set wrong versions when creating `package-lock.json`.
Failed challenge
Challenge 1
`main`
`node_modules`
`"lerna": "8.1.3",` in the root `package.json`
`npm i`
`npm run build` <-- This fails
Challenge 2
`main`
`node_modules` and `package-lock.json`
`package.json`, set `"lerna": "8.1.3"`, remove `"nx": "16.7.2"`
`npm i`
`npm run build` <-- This succeeds
`npx lerna run dev:skipLocales --scope=@chia-network/gui` to start GUI <-- GUI crashes with an error `(0 , tslib__WEBPACK_IMPORTED_MODULE_4__.__spreadArray) is not a function`
Lessons learned
`package.json` is the same, the content of `package-lock.json` differs according to previous `package-lock.json` and `node_modules` content.
`lerna` depends on `nx` and `nx` has several optional dependencies for various OSes. This messes up `package-lock.json`. When I removed `nx` from top-level dependencies in the root `package.json` and ran `npm i`, it generated `package-lock.json` which specifies one of the optional dependencies only for macOS. Of course, this `package-lock.json` fails except for macOS.
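
The two lockfile symptoms described in this PR (a nested `minipass` that does not satisfy `tar`'s `^5.0.0`, and platform optional dependencies missing from the lock) can be checked mechanically before a regenerated `package-lock.json` is committed. The following is an added example, not code from this PR or the project; `satisfies`, `resolve`, `auditLock` and `SAMPLE_LOCK` are hypothetical names, the sample lockfile is constructed, and only exact versions and `^` ranges with major >= 1 are evaluated.

```javascript
// Added example: audits the "packages" map of a lockfileVersion 2/3 package-lock.json.
function satisfies(version, range) {
  const m = /^(\^?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m || !/^\d+\.\d+\.\d+$/.test(version)) return null; // range kind not evaluated
  const want = m.slice(2).map(Number);
  const got = version.split('.').map(Number);
  if (m[1] === '') return got.join('.') === want.join('.');
  if (want[0] === 0) return null; // ^0.x has narrower semantics, skipped here
  return got[0] === want[0] &&
    (got[1] > want[1] || (got[1] === want[1] && got[2] >= want[2]));
}

// Node-style resolution: the nearest enclosing node_modules directory wins.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const key = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (packages[key]) return key;
    if (!dir) return null;
    const i = dir.lastIndexOf('/node_modules/');
    dir = i === -1 ? '' : dir.slice(0, i);
  }
}

function auditLock(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    for (const [name, range] of Object.entries(pkg.dependencies || {})) {
      const key = resolve(lock.packages, path, name);
      if (key && satisfies(lock.packages[key].version, range) === false)
        findings.push(`MISMATCH ${key}@${lock.packages[key].version} needs ${range} (from ${path || 'root'})`);
    }
    for (const name of Object.keys(pkg.optionalDependencies || {}))
      if (!resolve(lock.packages, path, name))
        findings.push(`MISSING-OPTIONAL ${name} (from ${path || 'root'})`);
  }
  return findings;
}

// Constructed sample: the tar version and the @nx platform entries are illustrative.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { lerna: '8.1.3', nx: '19.0.1' } },
  'node_modules/lerna': { version: '8.1.3' },
  'node_modules/nx': { version: '19.0.1', optionalDependencies: {
    '@nx/nx-darwin-arm64': '19.0.1', '@nx/nx-linux-x64-gnu': '19.0.1' } },
  'node_modules/@nx/nx-darwin-arm64': { version: '19.0.1', optional: true },
  'node_modules/tar': { version: '6.2.1', dependencies: { minipass: '^5.0.0' } },
  'node_modules/tar/node_modules/minipass': { version: '3.3.6' },
} };
console.log(auditLock(SAMPLE_LOCK).join('\n'));
```

A `MISSING-OPTIONAL` finding means the lock was resolved on one platform only; a `MISMATCH` finding means a nested package was pinned outside the range its parent declares.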