chore(deps): lock file maintenance

semantic-release / error

:boom: :speech_balloon: errors but with error code

MIT License

10 stars 8 forks source link

chore(deps): lock file maintenance #255

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "before 4am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

gr2m commented 1 year ago

see https://github.com/bcoe/c8/issues/478 and https://github.com/istanbuljs/istanbuljs/issues/725. All listed packages seem to be unaffected. Not sure if we can set exceptions so we don't get blocked by it? Or if that's even a good idea to do

renovate[bot] commented 1 year ago

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

travi commented 1 year ago

All listed packages seem to be unaffected. Not sure if we can set exceptions so we don't get blocked by it? Or if that's even a good idea to do

hmm, this failure isnt even the intent of that npm audit signatures check. the goal is to verify signatures and provenance, not check for vulnerabilities. in older versions of npm, the signatures sub command didnt exist and unknown subcommands are ignored by the npm cli. i think that is likely what is going on here, i bet it doesnt recognize signatures and is falling back to a simple npm audit

travi commented 1 year ago

confirmed. looks like node v18.0.0 includes v8.6.0 of the npm cli, but the audit signatures command was added to the npm cli in v18.14.0.

rather than running this command in all versions of our verification matrix, we could run it in the job that runs against lts/*. looks like we already do that in other repos.

travi commented 1 year ago

rather than running this command in all versions of our verification matrix, we could run it in the job that runs against lts/*. looks like we already do that in other repos.

updated in 272c67e