intoli / user-agents

A JavaScript library for generating random user agents with data that's updated daily.

You have been running npm publish with a polluted package.json, probably #43

Closed. hypesystem closed this 1 year ago.

hypesystem commented 2 years ago

In this repo dot-json is not a dependency.

But on npmjs it is listed as such: [image]

If you install user-agents with npm install user-agents you will see inside its package.json that dot-json is present.

I would guess that whoever is running npm publish (probably it is run from circle-ci, as far as I can tell) has dot-json as a dependency. This means it is pushed to all users and downloaded when the package is used. (This isn't in itself so bad, but dot-json depends on a lib that pollutes the underscore package, which is potentially more problematic.)

The fix is installing dot-json with npm install dot-json --no-save in your circle-ci script.

(This might be because the default behavior of npm changed with npm@5 to imply --save.)

ath88 commented 2 years ago

Specifically this line: https://github.com/intoli/user-agents/blob/master/.circleci/config.yml#L84

Prior to publishing a few moments later, it will add dot-json as a dependency. Adding --no-save to the line will fix this.