guardian / typerighter

Even if you’re the right typer, couldn’t hurt to use Typerighter!
Apache License 2.0

Update package lock. Possible merge issue resulting in missing references @emotion/hash@^0.9.0 which caused snyk failure #293

Closed phillipbarron closed 1 year ago

phillipbarron commented 1 year ago

The Snyk workflow runs against main so a PR to main can fail post-merge - might be sensible to change this behaviour so we can tell ahead of merge if there is an issue. This PR updates the package-lock in the client package to resolve the Snyk issue

Edit - I have read through some of the Snyk docs and see that it's only possible to point at a single branch. That would work if we used a develop branch which we then merged into main, on feature availability or periodically. That's a conversation for another time.

akash1810 commented 1 year ago

Could I suggest using npm ci over npm i to install dependencies during CI.

With npm ci, the build would fail if the package-lock.json is out of date/sync:

  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.

That is, using npm ci would eliminate the need for similar PRs in future.

yarn has a similar feature via the --frozen-lockfile flag.

phillipbarron commented 1 year ago

Could I suggest using npm ci over npm i to install dependencies during CI.

With npm ci, the build would fail if the package-lock.json is out of date/sync:

  • If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.

That is, using npm ci would eliminate the need for similar PRs in future.

yarn has a similar feature via the --frozen-lockfile flag.

Great idea, yep, cheers @akash1810