https://github.com/rollbar/rollbar.js/pull/1111 bumped request-ip in an attempt to resolve a security vulnerability in one of its packages (is_js). request-ip no longer depends on is_js, but it was not removed from this lock file. Not an npm expert, not sure why.
I ran the following command to remove is_js from the lock file (it is not specified in the package.json and is not transitively referenced, so it should not be in the lock file):
npm uninstall --lockfile-version 1 --save is_js
Proof it is not reachable:
➜ rollbar.js git:(master) npm ls is_js
rollbar@2.26.2 /Users/john.plaisted/workspace/rollbar.js
└── (empty)
Type of change
[x] Bug fix (non-breaking change that fixes an issue)
[ ] New feature (non-breaking change that adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
Related issues
https://github.com/rollbar/rollbar.js/pull/1111
Checklists
Development
Code review
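The reachability claim in the description can also be checked against the lock file itself. The following is an added example, not code from this pull request or from rollbar.js: it walks a lockfileVersion 1 structure and lists entries that nothing declared in package.json reaches through `requires`. The function name `findOrphans`, the sample objects and the placeholder versions are constructed for illustration, and peer and bundled dependencies are assumed to be out of scope.

```javascript
// Added example: report package-lock.json (lockfileVersion 1) entries that
// nothing declared in package.json reaches through `requires`.
function findOrphans(pkg, lock) {
  const reached = new Set();
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

  // Resolve a name the way Node does: nearest enclosing scope first, root last.
  function resolve(name, chain) {
    for (let i = chain.length - 1; i >= 0; i--) {
      if (has(chain[i].deps, name)) {
        return { entry: chain[i].deps[name], key: chain[i].prefix + name,
                 chain: chain.slice(0, i + 1) };
      }
    }
    return null; // required by something but absent from the lock file
  }

  function visit(name, chain) {
    const hit = resolve(name, chain);
    if (!hit || reached.has(hit.key)) return;
    reached.add(hit.key);
    const inner = hit.chain.concat({ deps: hit.entry.dependencies || {},
                                     prefix: hit.key + '/' });
    Object.keys(hit.entry.requires || {}).forEach((r) => visit(r, inner));
  }

  const root = [{ deps: lock.dependencies || {}, prefix: '' }];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    Object.keys(pkg[field] || {}).forEach((n) => visit(n, root));
  }

  // Every entry in the lock file, nested ones included, keyed by its path.
  const all = [];
  (function walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      all.push(prefix + name);
      walk(entry.dependencies, prefix + name + '/');
    }
  })(lock.dependencies, '');
  return all.filter((k) => !reached.has(k)).sort();
}

// Constructed sample data (placeholder versions, not the real rollbar.js lock file).
const samplePkg = { dependencies: { 'request-ip': '0.0.0-sample' } };
const staleLock = { lockfileVersion: 1, dependencies: {
  'request-ip': { version: '0.0.0-sample' }, // no longer requires is_js
  'is_js': { version: '0.0.0-sample' },      // left behind by the bump
} };
console.log(findOrphans(samplePkg, staleLock)); // [ 'is_js' ]
```

An empty result means every locked package is reachable from a declared dependency; any name it prints is a candidate for the kind of cleanup this pull request performs.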