Closed ghost closed 5 years ago
Is there a mechanism to sidestep cli? I'm going to remove it from global installation and attempt without.
https://github.com/Polymer/tools/pull/533
Seems it was closed as unworthy of potentially version changing and breaking a release schedule. Does that mean this and all downstream uses are broken until a major version bump? Closing issue since it doesn't seem there is much conversation to be had if that's the case. I appreciate the deeper inspection of the actual risks.
For a while lodash was only a "low" vulnerability but since yesterday (Feb 13) it's "moderate" (https://nodesecurity.io/advisories/782). We don't use lodash in this repo, but it's included in polymer-cli which we use for building, serving, and testing. The testing component of polymer-cli (web-component-tester) requires lodash 3 for backwards compatibility.
Conceptually it would be possible to replace the build step with scripts using polymer-build, serving with polyserve, and testing with some other test runner/launcher/aggregator. That's something I would likely look into in the future. Alternatively, if you really need to pass npm audit, you could consider using webpack or rollup (links to respective branches) for building and serving instead (the testing piece is still missing).
A year on... is there an update on the status of this that I missed?
My understanding is the current PSK examples are not being actively developed in favor of Open-WC.
IIRC, the majority of these problems are at the devDependency level and are caused by the old polymer-cli.
If you use es-dev-server, or just manage your lit projects with Open-WC to manage your projects you'll be better off.
All that aside, the PSKs should be updated or archived, or at least documented better. It sends the wrong message to new users and muddies the waters between the older Polymer 3 project and the vastly improved lit-html and lit-element.
I understand the purpose behind building these hybrid app examples, which was to show how to take existing Polymer apps and methodically, if necessary slowly, convert those P3 apps into Lit apps. But it's not intuitive for new users who often don't understand that Polymer 3 is not required nor recommended for new Lit apps. Let's not confuse those folks at the starting gate.
I'm setting my first instance of a Polymer SPA and wanted to also check in to see if things are still lively in this camp.
I suppose the appropriate target of this information would be polymer-cli and I'll check in there as well for status but I do wonder if this is simply a bit behind on an update.