
lerna-audit reorders package.json properties even with --no-fix and when there are no vulnerabilities #27

Open
alexmcmanus opened this issue Jun 29, 2021 · 1 comment

@alexmcmanus

lerna-audit reorders the properties in package.json files even when the --no-fix flag is used and there are no vulnerabilities. As well as randomly changing files in the Git working directory, this causes problems when it's used as pre-publish check, as the publish then fails because the working directory is not clean.

I think it should restore the original unchanged files if the user specifies --no-fix, or if no vulnerabilities were detected. What it actually does is re-save the file via arborist in all scenarios other than an error being thrown, which is where the reordering comes from.

There are a couple of scenarios in which package.json can change unexpectedly. The first is if your dependencies are not alphabetically ordered - arborist sorts them. The second is when your dependencies are only other Lerna packages - lerna-audit strips them all out of package.json for audit to run, leaving no dependencies. Arborist is asked to update this file, and as there are no existing dependencies to update, it just appends them at the end. Same for dev dependencies.

Ideally (in my opinion), lerna-audit would make minimal changes to package.json even when fixing vulnerabilities. This reordering seems a little unexpected.

There is a somewhat-related issue + PR about a new version of arborist: #25. I'd suggest dropping it altogether: update the original JSON with the new version numbers and save the stringify-ed result.

I'm using lerna-audit 1.3.1.

@svettwer
Collaborator

Hi 👋

We removed arborist from the project. Nevertheless, reordering dependencies/properties is still a thing. Some work has to be done to consider property position while merging project internal dependencies to the audited package.json.
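A position-preserving merge of the kind the comment above describes, as an added JavaScript example that is not lerna-audit's own code: internal Lerna packages are stripped before the audit and then re-inserted at their original key positions, so an unchanged project round-trips to a byte-identical file. The package names, version ranges and two-space indentation are constructed assumptions.

```javascript
// Constructed sample package.json: dependencies are deliberately not
// alphabetical, and two of them are other packages in the same monorepo.
const ORIGINAL = JSON.stringify({
  name: '@demo/api',
  version: '1.0.0',
  dependencies: { zlib: '^1.0.0', '@demo/shared': '^1.0.0', express: '^4.17.1' },
  devDependencies: { '@demo/test-utils': '^1.0.0' },
}, null, 2) + '\n';

const INTERNAL_PACKAGES = new Set(['@demo/shared', '@demo/test-utils']);
const DEP_FIELDS = ['dependencies', 'devDependencies'];

// Remove internal packages so the audit only sees registry packages, but
// remember each removed entry with its index in the original key order.
function stripInternal(pkgText, internal) {
  const pkg = JSON.parse(pkgText);
  const removed = {};
  for (const field of DEP_FIELDS) {
    if (!pkg[field]) continue;
    removed[field] = [];
    Object.keys(pkg[field]).forEach((name, index) => {
      if (internal.has(name)) {
        removed[field].push({ name, range: pkg[field][name], index });
        delete pkg[field][name];
      }
    });
  }
  return { pkg, removed };
}

// Re-insert the stripped entries at their recorded indices. Appending them
// instead (the behaviour reported in this issue) is what reorders the file.
// Entries are recorded in ascending index order, so splicing in that order
// reproduces the original layout even when a map was emptied completely.
function restoreInternal(pkg, removed) {
  const out = { ...pkg };
  for (const field of DEP_FIELDS) {
    if (!removed[field]) continue;
    const entries = Object.entries(pkg[field] || {});
    for (const { name, range, index } of removed[field]) {
      entries.splice(index, 0, [name, range]);
    }
    out[field] = Object.fromEntries(entries);
  }
  return out;
}

// `audit` stands in for the audit/fix step; the default (no-op) models --no-fix.
// Assumes two-space indentation; real code would detect the file's indent.
function auditAndRestore(pkgText, internal, audit = (p) => p) {
  const { pkg, removed } = stripInternal(pkgText, internal);
  return JSON.stringify(restoreInternal(audit(pkg), removed), null, 2) + '\n';
}
```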

@svettwer svettwer self-assigned this Dec 23, 2021
svettwer added a commit that referenced this issue Jan 3, 2022