lerna-audit reorders the properties in package.json files even when the --no-fix flag is used and there are no vulnerabilities. As well as randomly changing files in the Git working directory, this causes problems when it's used as a pre-publish check, as the publish then fails because the working directory is not clean.
I think it should restore the original unchanged files if the user specifies --no-fix, or if no vulnerabilities were detected. What it actually does is re-save the file via arborist in all scenarios other than an error being thrown, which is where the reordering comes from.
There are a couple of scenarios in which package.json can change unexpectedly. The first is if your dependencies are not alphabetically ordered - arborist sorts them. The second is when your dependencies are only other Lerna packages - lerna-audit strips them all out of package.json for audit to run, leaving no dependencies. Arborist is asked to update this file, and as there are no existing dependencies to update, it just appends them at the end. Same for dev dependencies.
Ideally (in my opinion), lerna-audit would make minimal changes to package.json even when fixing vulnerabilities. This reordering seems a little unexpected.
There is a somewhat-related issue + PR about a new version of arborist: #25. I'd suggest dropping it altogether: update the original JSON with the new version numbers and save the stringify-ed result.
I'm using lerna-audit 1.3.1.
We removed arborist from the project. Nevertheless, reordering dependencies/properties is still a thing. Some work has to be done to consider property position while merging project internal dependencies to the audited package.json.
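The merge strategy proposed in the report (update the original JSON in place and save the stringified result) and the maintainer's note about preserving property position, as an added example that is not lerna-audit's own code. It assumes `original` is the parsed original package.json and `audited` is the parsed copy produced for the audit, with internal Lerna packages stripped and any --fix version bumps applied; both objects and the package names are constructed sample data.

```javascript
// Added example (not lerna-audit's code): merge audited dependency versions
// back into the original package.json while keeping its property order, so a
// --no-fix run or a clean audit leaves the file byte-for-byte unchanged.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function mergePreservingOrder(original, audited) {
  const result = {};
  // Walk the original's keys so top-level property order is never disturbed.
  for (const key of Object.keys(original)) {
    if (DEP_FIELDS.includes(key) && audited[key]) {
      const merged = {};
      for (const name of Object.keys(original[key])) {
        // Internal Lerna packages were stripped from the audited copy, so they
        // are absent there; keep the original range. Otherwise take the
        // (possibly bumped) audited range.
        merged[name] = name in audited[key] ? audited[key][name] : original[key][name];
      }
      result[key] = merged;
    } else {
      result[key] = original[key];
    }
  }
  return result;
}

// JSON.stringify is order-sensitive, so this also detects pure reordering.
function hasChanges(original, merged) {
  return JSON.stringify(original) !== JSON.stringify(merged);
}

function serialize(pkg, indent = 2) {
  return JSON.stringify(pkg, null, indent) + '\n';
}

// Constructed sample: non-alphabetical deps plus an internal package (@scope/lib).
const original = {
  name: '@scope/app', version: '1.0.0',
  dependencies: { zlib: '^1.0.0', '@scope/lib': '^1.0.0', axios: '^0.21.0' },
  devDependencies: { jest: '^26.0.0' },
  scripts: { test: 'jest' },
};
// Constructed audited copy: @scope/lib stripped, axios bumped by --fix, deps sorted.
const audited = {
  name: '@scope/app', version: '1.0.0',
  dependencies: { axios: '^0.21.2', zlib: '^1.0.0' },
  devDependencies: { jest: '^26.0.0' },
  scripts: { test: 'jest' },
};

const merged = mergePreservingOrder(original, audited);
if (hasChanges(original, merged)) console.log(serialize(merged)); // only write when something changed
```

With --no-fix the audited ranges equal the originals, so `hasChanges` is false and nothing is written, which is what keeps the Git working directory clean for the publish step.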