Semver policy to exclude offending versions - npm

Consider a package with running versions:
1.0.0
1.0.1
1.0.2
given the semver policy ~1.0.0 - we'll get the latest patch - and life is great.
Now consider that version 1.0.3 has landed and is an offending version, so we expect 1.0.4 to correct the offense.
I don't want to wait for the authors to deprecate 1.0.3, and anyway it's in my builder cache. I hope to handle this using the semver policy.
Is there a way I can phrase my semver policy to exclude that offending version, so that until a fix is released I'll get 1.0.2, and after it's released I'll get 1.0.4?
And - if 1.0.4 is also offending, what will be the way to exclude both 1.0.3 and 1.0.4 so I'll get 1.0.5 as soon as it's published?
Thanks

Ah.. found it. I was looking in the wrong place for that...
The way to do that is:
"dependencies": {
  "the-package": "~1.0.0 < 1.0.3 || ~1.0.4"
}
and if 1.0.4 is found offensive, then
"the-package": "~1.0 < 1.0.3 || ~1.0.5"
It works with ^ as well, if you like, not just ~.
I expected to find it on the https://semver.org site, but the examples are found with an interactive playground here:
https://semver.npmjs.com/#syntax-examples
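To see why "~1.0.0 < 1.0.3 || ~1.0.4" resolves to 1.0.2 before the fix and to 1.0.4 after it, here is an added example (not code from the answer above or from npm) that models the handful of range operators the answer uses. It is a simplified reimplementation written for illustration, an assumption about node-semver's behaviour rather than the library itself; prerelease tags and caret ranges on 0.x versions are deliberately left out, and in real code you would call semver.maxSatisfying from the `semver` package. The version lists are constructed sample data.

```javascript
// Added example: a minimal model of npm semver range resolution for the
// operators ~, ^, <, <=, >, >=, = and "||". Not the real `semver` package.

// Parse "1.0.3" into [1, 0, 3]; missing components (e.g. "~1.0") become 0.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Compare two parsed versions: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Turn one comparator token such as "~1.0.0" or "<1.0.3" into a predicate.
function comparator(token) {
  const m = /^(~|\^|<=|>=|<|>|=)?(\d+(?:\.\d+){0,2})$/.exec(token);
  if (!m) throw new Error(`unsupported comparator: ${token}`);
  const op = m[1] || '=';
  const base = parseVersion(m[2]);
  const [major, minor] = base;
  switch (op) {
    case '~': // ~1.0.3 means >=1.0.3 <1.1.0 (patch-level changes only)
      return v => compareVersions(v, base) >= 0 && compareVersions(v, [major, minor + 1, 0]) < 0;
    case '^': // ^1.0.3 means >=1.0.3 <2.0.0 (assumption: major > 0 only)
      if (major === 0) throw new Error('caret ranges on 0.x are not modelled here');
      return v => compareVersions(v, base) >= 0 && compareVersions(v, [major + 1, 0, 0]) < 0;
    case '<': return v => compareVersions(v, base) < 0;
    case '<=': return v => compareVersions(v, base) <= 0;
    case '>': return v => compareVersions(v, base) > 0;
    case '>=': return v => compareVersions(v, base) >= 0;
    default: return v => compareVersions(v, base) === 0;
  }
}

// A range is a list of alternatives joined by "||"; within an alternative,
// whitespace-separated comparators must all hold. A space after an operator
// ("< 1.0.3", as the answer writes it) is folded into the operator.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt => {
    const tokens = alt.trim().replace(/([<>=~^]+)\s+/g, '$1').split(/\s+/).filter(Boolean);
    return tokens.every(tok => comparator(tok)(v));
  });
}

// Highest published version that satisfies the range, or null if none does.
function maxSatisfying(versions, range) {
  const ok = versions.filter(v => satisfies(v, range));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b))).pop();
}

// Constructed sample registry states: before the fix for 1.0.3 lands, and after.
const beforeFix = ['1.0.0', '1.0.1', '1.0.2', '1.0.3'];
const afterFix = [...beforeFix, '1.0.4'];
const excludeOne = '~1.0.0 < 1.0.3 || ~1.0.4';   // the answer's first range
const excludeTwo = '~1.0 < 1.0.3 || ~1.0.5';     // the answer's second range

console.log(maxSatisfying(beforeFix, excludeOne));              // 1.0.2
console.log(maxSatisfying(afterFix, excludeOne));               // 1.0.4
console.log(maxSatisfying(afterFix, excludeTwo));               // 1.0.2 (1.0.3 and 1.0.4 skipped)
console.log(maxSatisfying([...afterFix, '1.0.5'], excludeTwo)); // 1.0.5
```

The useful property to notice is that the left alternative caps the tilde range below the bad patch, while the right alternative re-opens it from the first version you trust, so nothing between the two is ever selected even after more patches are published.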

Related

Karate Version Upgrade config.js is not picking "classpath"

I am upgrading from 0.9.6.RC4 to 1.0.1 version or higher
I have below script in config.js
karate.configure("ssl", {keystore: 'classpath:api/FeatureFiles/UAT.jks', keyStorePassword: 'test', keyStoreType: 'jks'})
This isn't getting picked and always return path cannot be found. I tried changing "classpath:" to "file:" also as I saw in some previous issues related to this in github.
How can I solve this?

Update dependencies in NPM to resolve vulnerability

My repo in github show the following alert :
Dependabot cannot update ssri to a non-vulnerable version. The latest possible version that can be installed is 6.0.1 because of the following conflicting dependencies:
terser-webpack-plugin@2.3.8 requires ssri@^7.0.0 via cacache@13.0.1
webpack@4.46.0 requires ssri@^6.0.1 via a transitive dependency on cacache@12.0.4
The earliest fixed version is 8.0.1.
As far as I know, I should update the root package (which is terser-webpack-plugin) in package.json to a newer version, but how do I determine the minimum version that can support the non-vulnerable version of the dependency (in this case ssri 8.0.1), since I don't want to update to a too high version and risk breaking things? I am thinking of manually checking through all the release versions of terser-webpack-plugin, but it's very tedious and seems wrong to check like that. Any suggestions?
To speed up the process and save installing each version and its associated dependency tree, we can use npm-remote-ls (https://stackoverflow.com/a/26005786/2815338)
Firstly get the list of available versions:
> npm view terser-webpack-plugin versions
[
'1.0.0', '1.0.1', '1.0.2', '1.1.0', '1.2.0',
...
Then run npm-remote-ls for each version after your current one and filter on the relevant dependency, e.g.
> npm-remote-ls terser-webpack-plugin@3.0.0 | grep ' ssri@'
??? ?????? ssri@8.0.1
??? ??? ??? ?????? ssri@6.0.2
In this case terser-webpack-plugin#5.0.0 is the first with only fixed versions of ssri (8.0.1), and 5.1.0 appears to not include ssri at all, presumably due to webpack no longer depending on cacache.
N.B. the question marks appear to be due to encoding of characters that npm-remote-ls uses to display a tree structure. You could also use Select-String in PowerShell, but this appears to show different (incorrect) characters instead.
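Grepping the tree by hand works, but once you have the trees as JSON (both `npm-remote-ls --json` and `npm ls --json` print nested objects of the form `{ version, dependencies: { name: { version, dependencies: ... } } }`) the same check can be scripted. The following is an added example, not code from the answer or from npm-remote-ls: it walks each candidate release's tree, reports every copy of a package that is older than the fixed version together with the path that pulls it in (the way the Dependabot alert phrases it), and returns the first clean candidate. The trees are constructed sample data that reuse only the ssri versions shown in the answer; the cacache and webpack versions in them are assumptions, and the candidate list would normally come from `npm view terser-webpack-plugin versions --json`.

```javascript
// Added example: find the lowest release whose dependency tree carries no
// vulnerable copy of a package. Input trees follow the `npm ls --json` shape.

function parseVersion(v) { return v.split('.').map(Number); }

// Negative if a < b, zero if equal, positive if a > b (numeric x.y.z only).
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk that records every occurrence of `pkg` with its path.
function findPackage(tree, pkg, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) found.push({ version: node.version, path: here.join(' > ') });
    findPackage(node, pkg, here, found);
  }
  return found;
}

// Occurrences whose version is below the earliest fixed version.
function vulnerableCopies(tree, pkg, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  return findPackage(tree, pkg)
    .filter(o => compareVersions(parseVersion(o.version), fixed) < 0);
}

// First candidate (give them in ascending order) with no vulnerable copy, or null.
function firstCleanRelease(candidates, pkg, fixedVersion) {
  for (const { version, tree } of candidates) {
    const bad = vulnerableCopies(tree, pkg, fixedVersion);
    if (bad.length === 0) return version;
    for (const b of bad) console.log(`${version}: ssri ${b.version} via ${b.path}`);
  }
  return null;
}

// Constructed sample trees, shortened to the ssri-relevant branches.
// Versions other than the ssri ones from the answer are assumed, not looked up.
const candidates = [
  { version: '3.0.0', tree: { name: 'terser-webpack-plugin', version: '3.0.0', dependencies: {
      cacache: { version: '15.0.0', dependencies: { ssri: { version: '8.0.1' } } },
      webpack: { version: '4.46.0', dependencies: {
        cacache: { version: '12.0.4', dependencies: { ssri: { version: '6.0.2' } } } } } } } },
  { version: '5.0.0', tree: { name: 'terser-webpack-plugin', version: '5.0.0', dependencies: {
      cacache: { version: '15.0.0', dependencies: { ssri: { version: '8.0.1' } } } } } },
  { version: '5.1.0', tree: { name: 'terser-webpack-plugin', version: '5.1.0', dependencies: {
      'jest-worker': { version: '26.6.2' } } } },
];

console.log(firstCleanRelease(candidates, 'ssri', '8.0.1')); // 5.0.0
```

Because `findPackage` records the full path, the output tells you which intermediate dependency (here webpack's own cacache) is keeping the old copy alive, which is the part of the alert that matters when deciding whether bumping the root package alone can help.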

Protractor 5.1.1 selenium-webdriver version inconsistency

I've recently upgraded to Protractor 5.1.1 and am facing some issues when setting cookies via browser.manage().addCookie()
The API has changed between versions 2 and 3 of Selenium-webdriver to expect an object rather than the previous 2..6 arguments. When I make the changes to my code to use the object, the typescript compiler complains saying that it expects 2..6 arguments.
old api:
browser.manage().addCookie('cookieName', 'cookieVal');
new api:
browser.manage().addCookie({name:'cookieName', value: 'cookieVal'});
I think this is because the @types/selenium-webdriver in the package.json of protractor v5.1.1 is pointing at version 2.53.39. The version of the actual selenium-webdriver the same package.json is referencing is 3.0.1.
Should this be the same value? Is anyone else experiencing problems with this?
Yup, this is happening because the type definitions were not written at the time.
workaround
Here is the workaround for now:
(browser.manage() as any).addCookie({name:'cookieName', value: 'cookieVal'});
We are setting browser.manage returned options object to any. Then we can give it the addCookie method.
OR
upgrade definitions
You could upgrade your @types/selenium-webdriver type definitions to version 3.
I'm having the same problem! I do know that @types/selenium-webdriver is now updated to version 3.0.0.
I haven't had luck with this, but you could try installing it directly (i.e. npm install --save-dev @types/selenium-webdriver) and adding it to your list of types in your tsconfig.json file (i.e. types: [ "selenium-webdriver" ]).

angular bootstrap older versions removed from npmjs?

We had been using version 0.11.0 of angular-bootstrap from npmjs. It appears that version is no longer available on npmjs. From the commands below does this mean that someone actually unpublished the older packages?
prompt:~$ npm view angular-bootstrap time
{ modified: '2015-01-12T06:48:54.881Z',
created: '2014-01-29T21:54:32.213Z',
'0.0.1': '2014-01-29T21:54:37.589Z',
'0.0.2': '2014-01-29T22:03:08.814Z',
'0.0.3': '2014-01-29T22:51:49.998Z',
'0.0.4': '2014-02-11T15:14:17.078Z',
'0.11.0': '2014-06-24T07:06:56.435Z',
'0.13.0-SNAPSHOT': '2014-12-02T13:05:43.151Z',
'0.12.0': '2015-01-12T06:46:41.986Z' }
prompt:~$ npm view angular-bootstrap versions
0.12.0
I agree, the package seems to have been unpublished. You can still access it from the github history, as follows:
$ npm install "angular-ui/bootstrap#0.11.0"
(note that you may not need quoting, but some shells will interpret the # as a comment-begin character.) You can also use this syntax in dependencies inside package.json
If you have a project in production that depends on this, you should probably make a fork of the angular-ui/bootstrap repository and point towards that.
(I had some difficulty making this work on Windows, but it looks like you're on a Unixy system, so you should be fine.)
Ticket discussing this and the future is at https://github.com/angular-ui/bootstrap/issues/1636

YUM: Upgrade a package from a different repo

Say I have two repos: repoa and repob. I installed version 3.1 of a package from repoa. I have a newer version 3.2 in repob.
How could I upgrade the package from repob? I tried yum upgrade, but it looks like it always sticks to the original repo, repoa, and didn't look at the package in repob at all. I can use 'yum provides' to get the package information from both repos, but only repoa looks recognised.
I tried several things, such as setting a higher priority for repob and temporarily removing repoa, but none of them worked.
I guess I need to remove it and then reinstall it from repob.