data-umbrella / event-board-web

Event Board: front-end code
https://events.dataumbrella.org
GNU Affero General Public License v3.0

Contributing: how to interpret the npm warnings? #402

Closed reshamas closed 1 year ago

reshamas commented 1 year ago

How do we interpret these errors/warnings? Should we run the audit fix?

REF: https://github.com/data-umbrella/event-board-web/blob/main/CONTRIBUTING.md

npm install
my_repos/data-umbrella-projects/event-board-web  main ✗                                               13d ⚑  
▶ npm install
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'add-to-calendar-button@2.1.2',
npm WARN EBADENGINE   required: { node: '>=16.18.1', npm: '>=8.19.2' },
npm WARN EBADENGINE   current: { node: 'v18.4.0', npm: '8.12.1' }
npm WARN EBADENGINE }

up to date, audited 1721 packages in 7s

192 packages are looking for funding
  run `npm fund` for details

20 vulnerabilities (1 low, 5 moderate, 13 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
(base) 
my_repos/data-umbrella-projects/event-board-web  main ✗                                               13d ⚑  
▶ 
jtorreggiani commented 1 year ago

@reshamas, the first EBADENGINE error is because we had the local development environment pinned to a newer version of node than what is being used in production. In this case it didn't actually break the library. However, it is good practice to make sure the versions match between dev and prod. I merged in a PR to pin to an older version of node https://github.com/data-umbrella/event-board-web/pull/408. You just need to do the following to resolve that error.

nvm install 16.20.0
nvm use

The second issue is a built-in functionality of npm that is always checking for security vulnerabilities. I've opened a PR to apply all the non-breaking changes from running npm audit --fix https://github.com/data-umbrella/event-board-web/pull/409. Any of the breaking changes we will have to look into individually.
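An added example (not code from the event-board-web project or from either commenter) that turns the two warnings in this thread into checks a contributor can run locally or in CI. The first helper evaluates a `>=x.y.z` engine range against a current version, which is the form the EBADENGINE warning above prints for both node and npm, so it shows which of the two entries actually fails the range. The second and third helpers read the JSON that `npm audit --json` (report version 2) emits and split findings into the ones `npm audit fix` can apply without a semver-major bump, the ones that would need `--force`, and the ones with no fix, plus a severity gate. The package names, advisory text and counts in `SAMPLE_AUDIT_JSON` are constructed for the example; only the shape of the document follows npm's real report format.

```python
"""Helpers for triaging `npm install` / `npm audit` warnings (added example)."""
import json
import re

# Constructed sample, trimmed to the shape of `npm audit --json` (auditReportVersion 2).
# Package names and advisories are placeholders, not real findings.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-loader": {
            "name": "example-loader", "severity": "high", "isDirect": False,
            "via": [{"title": "placeholder advisory", "severity": "high",
                     "url": "https://example.invalid/advisory/1"}],
            "range": "<1.2.3",
            "fixAvailable": True,                      # fixable by `npm audit fix`
        },
        "example-cli": {
            "name": "example-cli", "severity": "critical", "isDirect": True,
            "via": [{"title": "placeholder advisory", "severity": "critical",
                     "url": "https://example.invalid/advisory/2"}],
            "range": "<=2.0.0",
            # Fix requires a semver-major upgrade, i.e. `npm audit fix --force`.
            "fixAvailable": {"name": "example-cli", "version": "3.0.0", "isSemVerMajor": True},
        },
        "example-util": {
            "name": "example-util", "severity": "moderate", "isDirect": False,
            "via": ["example-cli"],                    # vulnerable only through example-cli
            "range": "*",
            "fixAvailable": False,                     # no published fix yet
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 3}},
})

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def parse_version(version):
    """'v18.4.0' or '8.12.1' -> (18, 4, 0) / (8, 12, 1)."""
    return tuple(int(part) for part in re.sub(r"^v", "", version.strip()).split(".")[:3])


def engine_satisfied(current, required):
    """Evaluate a `>=x.y.z` engines range (the only form handled here; an assumption
    that matches the EBADENGINE warning in the thread)."""
    match = re.fullmatch(r">=\s*(\d+\.\d+\.\d+)", required.strip())
    if not match:
        raise ValueError(f"unsupported engines range: {required!r}")
    return parse_version(current) >= parse_version(match.group(1))


def triage_audit(report_json):
    """Split `npm audit --json` findings by what it takes to fix them."""
    report = json.loads(report_json)
    buckets = {"non_breaking": [], "breaking": [], "no_fix": []}
    for name, vuln in report["vulnerabilities"].items():
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            buckets["non_breaking"].append(name)           # `npm audit fix`
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            buckets["breaking"].append(name)               # `npm audit fix --force`, review first
        elif isinstance(fix, dict):
            buckets["non_breaking"].append(name)           # upgrade within the current major
        else:
            buckets["no_fix"].append(name)                 # track upstream; consider replacing
    return buckets


def severity_gate(report_json, threshold="high"):
    """Number of findings at or above `threshold`; a CI job would fail when this is > 0."""
    counts = json.loads(report_json)["metadata"]["vulnerabilities"]
    start = SEVERITY_ORDER.index(threshold)
    return sum(counts.get(level, 0) for level in SEVERITY_ORDER[start:])


if __name__ == "__main__":
    # Values taken from the EBADENGINE warning above.
    print("node ok:", engine_satisfied("v18.4.0", ">=16.18.1"))
    print("npm  ok:", engine_satisfied("8.12.1", ">=8.19.2"))
    print("triage :", triage_audit(SAMPLE_AUDIT_JSON))
    print("gate   :", severity_gate(SAMPLE_AUDIT_JSON, "high"))
```

To run it against a real checkout, pipe the report in with `npm audit --json > audit.json` and pass the file contents to `triage_audit`; the `breaking` bucket is the list jtorreggiani describes as needing individual review before `--force` is used.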

jtorreggiani commented 1 year ago

We can also set up https://github.com/dependabot to automatically attempt to upgrade dependencies and open a PR for the upgrades.

jtorreggiani commented 1 year ago

I've added a section to the contributing guide about managing dependencies. Going to close this issue as we are burning down to the actionable tasks and follow-up items. If there are more questions related to managing dependencies we can open a new ticket / pull request.