Closed (mpawlow closed this issue 4 months ago)
We already do not include the package-lock.json in our published module, so there is nothing to remove. The source package-lock.json should have no impact on downstream consumers.

We do pin dependency versions in our package.json to the versions that we have tested and can support. We resolve CVEs and publish new versions as soon as possible.

It is also possible to override dependencies in your own project's manifests if you like. Although at this point in time, for this particular case, there are no new versions available to use. If ibm-cloud-sdk-core releases a new version without the expect dependency, then rest assured we will update and test soon after.
Confirmed.
Thanks for the quick response.
Now that the micromatch and braces modules have had updates released, running npm update should resolve this problem. New releases of node-sdk-core and cloudant-node-sdk are not required because the fixed transitive packages are within the existing acceptable dependency version ranges.
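The decision in the comment above (a fixed transitive version that already falls inside the declared range is picked up by npm update, otherwise the dependent needs a new release) can be checked mechanically. The following is an added example, not code from the cloudant-node-sdk or node-sdk-core projects; it implements only exact, caret and tilde ranges, and the ranges and patched versions in it are constructed sample values, not the real manifests' entries.

```javascript
// Added example (not from the thread): minimal npm-style semver range check.
// Question answered: does the patched version of a transitive package fall
// inside the range already declared for it? If yes, `npm update` picks it up;
// if not, the dependent package needs a new release with a widened range.
// Assumption: exact, ^ and ~ ranges are enough to show the decision.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies `range` under npm's exact / ^ / ~ semantics.
function satisfies(range, version) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const v = parseVersion(version);
  if (op === '') return compare(v, base) === 0;
  if (compare(v, base) < 0) return false; // below the declared floor
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0]; // ~1.2.3 -> <1.3.0
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0]; // ^1.2.3 -> <2.0.0
  else if (base[1] > 0) upper = [0, base[1] + 1, 0]; // ^0.2.3 -> <0.3.0
  else upper = [0, 0, base[2] + 1]; // ^0.0.3 -> <0.0.4
  return compare(v, upper) < 0;
}

// For each transitive package, decide whether `npm update` alone is enough.
function triage(declaredRanges, patchedVersions) {
  const result = {};
  for (const [name, range] of Object.entries(declaredRanges)) {
    const fixed = patchedVersions[name];
    result[name] = satisfies(range, fixed) ? 'npm update' : 'new release needed';
  }
  return result;
}

// Constructed sample values (not the SDKs' real manifest entries).
const sampleRanges = { micromatch: '^4.0.0', braces: '^3.0.2' };
const samplePatched = { micromatch: '4.0.8', braces: '3.0.3' };
console.log(triage(sampleRanges, samplePatched));
```

Run it against the real values by copying the declared range from the dependent's package.json (or `npm ls <package>` output) and the patched version from the advisory.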
Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Solution: The request is to simply remove, and not generate, the package-lock.json file.

Problem: This prevents the consuming service that is installing this library from automatically picking up the latest security fixes based on the semvers defined in package.json and all child dependencies, using npm update to pull in the latest library versions.

Describe alternatives you've considered

npm update

Additional context