Closed jstasiak closed 1 year ago
Thanks for the report, this is not intentional, I'm unpublishing the version, pending some review.
NPM is not allowing me to unpublish that version so I manually published 8.0.2
, no extraneous dependency.
We've been experimenting with CD via GH Actions and (without more info) I need to assume something weird is going on there. I'm disabling CD from the time being, until we can run a proper investigation.
Thanks again @jstasiak for the report, this was super useful and timely.
cc: @mrseanryan
btw, version 8.0.1
has been unpublished (npm
just takes a while to update on their side)
Still unclear where did this came from, but this is what I can see so far (as to assess impact):
$ docker run --rm -ti node:16.13.2-slim sh
# bash
root@9adfdad8e109:/# mkdir m4
root@9adfdad8e109:/# cd m4
root@9adfdad8e109:/m4# echo '{}' > package.json
root@9adfdad8e109:/m4# npm i 4
added 1 package, and audited 2 packages in 3s
found 0 vulnerabilities
npm notice
npm notice New major version of npm available! 8.1.2 -> 9.1.3
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.1.3
npm notice Run npm install -g npm@9.1.3 to update!
npm notice
root@9adfdad8e109:/m4# ls
node_modules package-lock.json package.json
root@9adfdad8e109:/m4# cat package-lock.json
{
"name": "m4",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"dependencies": {
"4": "^0.0.0"
}
},
"node_modules/4": {
"version": "0.0.0",
"resolved": "https://registry.npmjs.org/4/-/4-0.0.0.tgz",
"integrity": "sha512-JWaJnETbU+8EfG4hPw1PFwEHsd7Fjlp0oNRYUYynn8t54P0459HAUiu1jgOnvgOYMZH9YnhfT+bgqcazmbMF5Q=="
}
},
"dependencies": {
"4": {
"version": "0.0.0",
"resolved": "https://registry.npmjs.org/4/-/4-0.0.0.tgz",
"integrity": "sha512-JWaJnETbU+8EfG4hPw1PFwEHsd7Fjlp0oNRYUYynn8t54P0459HAUiu1jgOnvgOYMZH9YnhfT+bgqcazmbMF5Q=="
}
}
}
root@9adfdad8e109:/m4# cd node_modules/4/
root@9adfdad8e109:/m4/node_modules/4# ls
index.js package.json
root@9adfdad8e109:/m4/node_modules/4# cat index.js
root@9adfdad8e109:/m4/node_modules/4# cat package.json
{
"name": "4",
"version": "0.0.0",
"description": "WOOHOO! I GOT 4!",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC"
}
root@9adfdad8e109:/m4/node_modules/4#
Nice, thank you for reacting to this so quickly and for all the work on this library!
As to how this could've happened: I suspect a line like this was executed somewhere in the publishing pipeline at some point, just without --development
(?):
- run: npm install --development ${{ matrix.typescript-version }}
where typescript-version
is 3 or 4
I'm happy with the status quo so I'll close the issue. Once again thank you for resolving this
update:
1 - there was a bug in the workflows, where typescript@
was missing - so it was trying to install bogus package like 3 or 4 (!)
2 - the deploy workflow was using Node 16 which has a newer version of npm, that involves rewriting package-lock.json to version 2
fixed: 1 - typescript package is mentioned 2 - deploy uses Node 14 (at least until we agree to upgrade to package-lock.json, which may break for older projects... ?)
Hey!
I noticed that when we tried to upgrade
ts-unused-exports
from 8.0.0 to 8.0.1 a new dependency has been introduced there. The name of the dependency is4
and it's visible here: https://www.npmjs.com/package/ts-unused-exports/v/8.0.1?activeTab=dependencies. It wasn't there in 8.0.0: https://www.npmjs.com/package/ts-unused-exports/v/8.0.0?activeTab=dependenciesWhat got me worried is there's no reference to that dependency in
package.json
on GH (https://github.com/pzavolinsky/ts-unused-exports/blob/bad085c96317d30463433db1af2b55636f95fcb5/package.json) and the4
package (https://www.npmjs.com/package/4) just seems strange – very old, no readme, the version is 0.0.0 etc.Should the dependency on
4
actually be there or is this an error somewhere?