SAP / ui5-tooling

An open and modular toolchain to develop state of the art applications based on the UI5 framework
https://sap.github.io/ui5-tooling
Apache License 2.0

Cannot pass whitesource #288

Closed: 29Esther closed this issue 3 years ago

29Esther commented 4 years ago

Expected Behavior

npm ls without error

Current Behavior

many errors

Steps to reproduce the issue

  1. npm install
  2. npm ls

Context

Affected components (if known)

I tested. 'npm ls' is fine with ui5-server@1.1.1, so the problem is introduced by ui5-cli only.

Log Output / Stack Trace

npm ERR! extraneous: ava@2.4.0 /project/node_modules/@ui5/cli/node_modules/ava
npm ERR! extraneous: coveralls@3.0.9 /project/node_modules/@ui5/cli/node_modules/coveralls
npm ERR! extraneous: cross-env@6.0.3 /project/node_modules/@ui5/cli/node_modules/cross-env
npm ERR! extraneous: docdash@1.1.1 /project/node_modules/@ui5/cli/node_modules/docdash
npm ERR! extraneous: eslint@6.7.2 /project/node_modules/@ui5/cli/node_modules/eslint
npm ERR! extraneous: eslint-config-google@0.14.0 /project/node_modules/@ui5/cli/node_modules/eslint-config-google
npm ERR! extraneous: eslint-plugin-jsdoc@15.12.2 /project/node_modules/@ui5/cli/node_modules/eslint-plugin-jsdoc
npm ERR! extraneous: execa@3.4.0 /project/node_modules/@ui5/cli/node_modules/execa
npm ERR! extraneous: nyc@14.1.1 /project/node_modules/@ui5/cli/node_modules/nyc
npm ERR! extraneous: open-cli@5.0.0 /project/node_modules/@ui5/cli/node_modules/open-cli
npm ERR! extraneous: sinon@7.5.0 /project/node_modules/@ui5/cli/node_modules/sinon
npm ERR! extraneous: tap-nyan@1.1.0 /project/node_modules/@ui5/cli/node_modules/tap-nyan
npm ERR! extraneous: tap-xunit@2.4.1 /project/node_modules/@ui5/cli/node_modules/tap-xunit

This issue is very critical for the SAP internal team, as all the code needs to pass the whitesource check.

RandomByte commented 4 years ago

Thanks for reporting! I suspect this to be an npm bug. All dependencies listed in the error message are devDependencies and shouldn't be installed at all. This makes the "extraneous" error correct. Still, I don't understand why they are installed in the first place.

I was able to reproduce this by executing npm install @ui5/cli in a new directory with nothing but an initial package.json. This installs 962 packages.

I observed that the generated package-lock.json lists the aforementioned devDependencies as non-dev dependencies. I then tried to execute npm install --no-package-lock @ui5/cli, which only installs 455 packages, correctly ignoring any devDependencies.

yarn install did not show this behavior.

I think this needs to be checked with the npm CLI team.

Anyway, I highly recommend that you use a package-lock.json in your project and npm ci in your CI environment.
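The lockfile observation above (devDependencies of @ui5/cli resolved as regular installs, which `npm ls` then reports as extraneous) can be checked mechanically before a lockfile is committed. The following is an added example, not code from the ui5-tooling project or the npm CLI: it walks a lockfileVersion 1 package-lock.json (the format npm 6 wrote at the time of this issue, using its real `dependencies`, `requires`, `version` and `dev` fields) and reports every installed package that nothing in its resolution scope `requires`. All sample data is constructed for illustration; the @ui5/cli version and its `requires` list are placeholders, not the real manifest.

```javascript
// Added example, not code from the ui5-tooling project. It audits a
// lockfileVersion 1 package-lock.json and reports installed packages that
// nothing in the tree `requires`, which is approximately what `npm ls`
// flags as "extraneous". Every input below is a CONSTRUCTED fragment
// modelled on the issue's log output; the @ui5/cli version and its
// `requires` list are placeholders.

// Constructed stand-in for the project's own package.json.
const sampleRootManifest = {
  dependencies: { "@ui5/cli": "^1.0.0" },
  devDependencies: {},
};

// Constructed lockfile fragment. ava and nyc sit under @ui5/cli although
// nothing requires them, and they carry no "dev": true marker, which is
// exactly the symptom the issue describes.
const sampleLockfile = {
  name: "project",
  lockfileVersion: 1,
  dependencies: {
    "@ui5/cli": {
      version: "1.0.0", // placeholder, not the real version
      requires: { "@ui5/server": "1.1.1", yargs: "14.2.0" },
      dependencies: {
        ava: { version: "2.4.0" },
        nyc: { version: "14.1.1" },
        // Legitimate nested copy: @ui5/cli requires a different yargs than
        // the one hoisted to the root for @ui5/server.
        yargs: { version: "14.2.0" },
      },
    },
    "@ui5/server": { version: "1.1.1", requires: { yargs: "13.3.0" } },
    yargs: { version: "13.3.0" },
  },
};

// Walks one node_modules directory. `seed` is the list of names the
// directory's owner itself requires (the root manifest for the top level).
// Returns the set of names requested by the owner and everything installed
// beneath it, since Node resolution lets any of those resolve into this
// directory. Shadowing by deeper copies is ignored, so the required set is
// a slight over-approximation of npm's own check and this reports fewer
// packages, never more.
function scanDirectory(entries, dirPrefix, seed, findings) {
  const requiredHere = new Set(seed);
  const installedHere = [];
  for (const [name, entry] of Object.entries(entries || {})) {
    const path = `${dirPrefix}node_modules/${name}`;
    installedHere.push({ name, path, version: entry.version, dev: entry.dev === true });
    const ownRequires = Object.keys(entry.requires || {});
    for (const req of ownRequires) requiredHere.add(req);
    const nested = scanDirectory(entry.dependencies, `${path}/`, ownRequires, findings);
    for (const req of nested) requiredHere.add(req);
  }
  for (const pkg of installedHere) {
    if (!requiredHere.has(pkg.name)) findings.push(pkg);
  }
  return requiredHere;
}

// Returns the extraneous packages, sorted by install path.
function findExtraneous(lockfile, rootManifest) {
  const findings = [];
  const rootRequires = [
    ...Object.keys(rootManifest.dependencies || {}),
    ...Object.keys(rootManifest.devDependencies || {}),
  ];
  scanDirectory(lockfile.dependencies, "", rootRequires, findings);
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Formats a finding the way npm prints it, for comparison with `npm ls`.
function formatFinding(pkg) {
  return `extraneous: ${pkg.name}@${pkg.version} ${pkg.path}${pkg.dev ? " (dev)" : ""}`;
}

for (const pkg of findExtraneous(sampleLockfile, sampleRootManifest)) {
  console.log(formatFinding(pkg));
}
```

In a CI job this would run on the parsed, committed package-lock.json right after `npm ci`, and a non-empty result fails the build: packages that nothing declares are exactly the ones a license or vulnerability scanner has no reason to expect in the tree. On the constructed input it reports ava and nyc, both without a dev marker, and leaves the nested yargs copy alone because @ui5/cli requires it.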

29Esther commented 4 years ago

Hi @RandomByte, thanks for your instant reply. I added a package-lock.json to our application, and now npm ls passes.