nested dependencies resolution for yarn not showing up in yarn.lockfile - npm

I am using resolutions to resolve a vulnerability coming from a nested dependency (@dep/xyz). The nested dependency is using axios 0.21.1 which has a vulnerability. I am supposed to upgrade to any compatible version above it.
When I added it to resolutions like below I don't see the update in yarn.lock file for the nested dependency. Please advise.
Below is my package.json file
package.json
{
  "name": "xyz",
  "dependencies": {
    "@dep/xyz": "2.3.4",
    "axios": "^0.21.2"
  },
  "resolutions": {
    "**/**/axios": "^0.21.2"
  }
}
yarn.lock which gets created after running yarn install on the above:
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

axios@^0.21.1, axios@^0.21.2:
  version "0.21.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    follow-redirects "^1.14.0"

"@dep/xyz@2.3.4":
  version "2.3.4"
  resolved "https:..."
  integrity sha1-123...=
  dependencies:
    "@x/d1" "0.2.2"
    "@y/d2" "0.9.2"
    axios "^0.21.1"

You likely need to upgrade yarn. resolutions does not work with dependencies that have / in their name for yarn versions below 2. See https://github.com/yarnpkg/yarn/issues/4874

For starters, you don't need to do any resolution pinning. @dep/xyz@2.3.4 is pulling in axios with semver specification of "^0.21.1". In this context it will accept any version that is both >=0.21.1 and <0.22.0. You need only to use yarn to update the version of axios being resolved. I would advise AGAINST resolution pinning when you don't need to, because that can cause long-term incompatibility. If in the future axios has version >=0.22.0 that you or your dependencies are trying to consume, your resolution setting will force those down to be something within the range >=0.21.2 && <0.22.0.
More directly to your question - I don't see anything that looks wrong. The lockfile is doing exactly what I would expect. Your resolution of "axios@^0.21.2" is being respected, as it's pulling in 0.21.4 which abides by that (even though like I said a resolution is not necessary to achieve that). You haven't done any kind of resolution pinning associated with @dep/xyz (nor should you) so nothing is changed there.
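An added check, not code from the question or from either answer, that parses a yarn lockfile v1 in the shape shown above and lists every resolved copy of a package that is still below a patched version, so you can confirm that axios really landed at 0.21.2 or higher everywhere in the tree. The lockfile text and the registry.example URLs are constructed placeholders.

```javascript
// Added example: scan a yarn lockfile v1 for copies of a package resolved below
// a patched version. SAMPLE_LOCK is constructed; URLs are placeholders.
const SAMPLE_LOCK = [
  "# yarn lockfile v1",
  "axios@^0.21.1, axios@^0.21.2:",
  '  version "0.21.4"',
  '  resolved "https://registry.example/axios-0.21.4.tgz"',
  "  dependencies:",
  '    follow-redirects "^1.14.0"',
  "",
  '"@dep/xyz@2.3.4":',
  '  version "2.3.4"',
  '  resolved "https://registry.example/xyz-2.3.4.tgz"',
  "  dependencies:",
  '    axios "^0.21.1"',
].join("\n");

// v1 format: unindented 'name@range[, name@range]:' header, then an indented
// 'version "x.y.z"' line holding the version yarn actually resolved.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specifiers = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      // Split on the last "@" so scoped names such as "@dep/xyz" stay intact.
      const name = specifiers[0].slice(0, specifiers[0].lastIndexOf("@"));
      current = { name, specifiers, version: null };
      entries.push(current);
    } else if (current && line.trim().startsWith("version ")) {
      current.version = line.trim().slice(8).replace(/"/g, "");
    }
  }
  return entries;
}

// Numeric dotted-version comparison; returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Resolved entries of `name` whose version is below `minVersion` (empty = OK).
function findBelowMinimum(lockText, name, minVersion) {
  return parseYarnLockV1(lockText).filter(
    (e) => e.name === name && compareVersions(e.version, minVersion) < 0);
}
```

Run it against a real yarn.lock by reading the file into `lockText`; a non-empty result means some specifier in the tree still resolves to a vulnerable version, whatever package.json says.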

Related

What does this Vue devtools version hint mean?

My Vue devtools show this version hint:
I don't understand where the version number 3.2.28 is coming from, though, or what exactly it refers to; my Vue version is 3.2.25.
Can't see much more than what you provided in the image, but I think a reasonable guess is that you are using something like this:
"dependencies": {
  "vue": "^3.2.25"
},
If that's the case, the install script will get the latest patch version, which would be 3.2.28 at the time of install, and 3.2.29 at the time of screenshot. This will also update the npm (or yarn) package which will make it re-install 3.2.28 even when 3.2.29
If you want to lock it, remove the ^ character. If you want to understand better why and how this is happening, look into the "Using semantic versioning to specify update types your package can accept" documentation.

found 1 high severity vulnerability (react-native-svg)

I'm trying to create an SVG component.
I have this problem after running the command "npm i".
I think the versions between packages aren't compatible.
How do I fix this or create an SVG component without the react-native-svg package?
Thanks a lot.
Add the following to package.json:
{
  // scripts, dependencies, etc.
  "resolutions": {
    "css-what": "5.0.1"
  },
}
Remove the lock file. Install the packages. Check if the app is still working. If it works, then keep the configuration (and ignore the warnings), else revert it.
Since you are using npm, you may want to refer to this thread first: npm equivalent of yarn resolutions?

Testcafe won’t run with Yarn 2

Testcafe 1.10 doesn’t seem to run via Yarn 2, while it just works running the globally installed one manually. I get this output:
ERROR Error: testcafe-legacy-api tried to access read-file-relative, but it isn't declared in its dependencies; this makes the require call ambiguous and unsound.
Required package: read-file-relative (via "read-file-relative")
Required by: testcafe-legacy-api@npm:4.0.0 (via /data/Fichiers/Code/testcafe/.yarn/cache/testcafe-legacy-api-npm-4.0.0-ff97b69c8c-e4a891ec41.zip/node_modules/testcafe-legacy-api/lib/)
I can see that read-file-relative is listed as a dependency of testcafe, but not as a dependency of testcafe-legacy-api (https://yarnpkg.com/package/testcafe, https://yarnpkg.com/package/testcafe-legacy-api), which itself is a dependency of testcafe.
EDIT : PRs on both sides have been merged so it should work now or soon without using the workaround below.
Apparently testcafe and its dependency testcafe-legacy-api have several actual dependencies that are not listed in their dependencies listing.
As the documentation for .yarnrc.yml explains:
Some packages may have been specified incorrectly with regard to their dependencies - for example with one dependency being missing, causing Yarn to refuse it the access. The packageExtensions fields offer a way to extend the existing package definitions with additional information.
Adding this to my .yarnrc.yml and then running yarn install (or yarn) fixed it:
packageExtensions:
  "testcafe@*":
    dependencies:
      "@babel/runtime": "*"
      "@babel/plugin-transform-for-of": "*"
  "testcafe-legacy-api@*":
    dependencies:
      "read-file-relative": "*"
      "testcafe-hammerhead": "*"

ES6 import and npm packages

Anyone got a link to documentation explaining exactly how ES6 import is supposed to work with npm packages (as opposed to javascript module files) ?
Also (and possibly related) a link to documentation on the use/significance of "module" as a top-level key in an npm package.json file ?
E.g. consider the following from juggle/resize-observer:
package.json
{
  ...
  "module": "lib/exports/resize-observer.js",
  ...
}
consumer javascript file
import { ResizeObserver } from '@juggle/resize-observer';
On the above import Chrome sends a request to the server for '@juggle/resize-observer', which is a directory, so what happens next? (I don't have a working instance of this and my server doesn't return anything yet as I don't know what it's supposed to / in what format.) Is this syntax only for use with some sort of build tool where it ultimately gets replaced with the actual file?
I have looked at the npm site/googled and cannot find any relevant documentation.
UPDATE: Still waiting for a link to relevant documentation (no relevant Google results at this time) but for anyone asking the same question: apparently you need your server to do "module resolution". Alternatively you can use Snowpack or a bundler, e.g. Webpack.
Apparently npm/node packages are not packaged with browsers in mind or based on any W3C/Web Modules standard specification.
See here for module resolution info.
So at present, to use an npm package in a browser you must do one of the following:
use a bundler like webpack
use snowpack
use a CDN which resolves the module request
implement npm module resolution in your own server
Find the package entry point and use that in your ES6 import statement. However, if the package's json "main" property changes in a subsequent update you will need to update your code to reflect this.
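An added illustration, not code from the question or the answer, of the "module resolution" step a dev server or bundler performs for a bare import like the one above: it looks up the package's package.json under node_modules and serves the "module" entry, falling back to "main" and then index.js. The in-memory `files` map is a constructed stand-in for node_modules, the "module"-before-"main" preference is the common bundler convention and is assumed here, and the newer "exports" field is deliberately not handled.

```javascript
// Added example: resolve a bare ES module specifier against an in-memory
// node_modules. `files` is constructed; the manifests are placeholders.
const files = {
  "node_modules/@juggle/resize-observer/package.json":
    '{ "main": "lib/exports/resize-observer.umd.js", "module": "lib/exports/resize-observer.js" }',
  "node_modules/@juggle/resize-observer/lib/exports/resize-observer.js": "export class ResizeObserver {}",
  "node_modules/plain-pkg/package.json": '{ "main": "./dist/index.js" }',
  "node_modules/plain-pkg/dist/index.js": "export default 1;",
  "node_modules/no-main/package.json": "{}",
  "node_modules/no-main/index.js": "export default 2;",
};

// Split a bare specifier into package name and optional subpath; scoped
// packages ("@scope/name") take two path segments for the name.
function splitSpecifier(spec) {
  const parts = spec.split("/");
  const nameLen = spec.startsWith("@") ? 2 : 1;
  return { name: parts.slice(0, nameLen).join("/"), subpath: parts.slice(nameLen).join("/") };
}

// Return the file the import should be served from, or null when the package
// or its entry file does not exist. A subpath import ("pkg/dist/x.js") is used
// as-is; otherwise "module", then "main", then index.js is tried (assumed
// order, matching what bundlers commonly do). Leading "./" is normalised.
function resolveBareSpecifier(spec, fs = files) {
  const { name, subpath } = splitSpecifier(spec);
  const root = "node_modules/" + name;
  const manifest = fs[root + "/package.json"];
  if (manifest === undefined) return null;
  const pkg = JSON.parse(manifest);
  const entry = subpath || pkg.module || pkg.main || "index.js";
  const path = root + "/" + entry.replace(/^\.\//, "");
  return path in fs ? path : null;
}
```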

Publishing @progress/kendo-ui to Nexus 3.5.1 npm pkg repository

We've migrated from Nexus 3.01.01 to 3.5.1-02. In the process we had to migrate internally published npms. One of those is the kendo-ui (commercial one) from Telerik/Progress. We have downloaded the licensed copy from Telerik and are publishing it to our local Nexus for consumption by our developers.
However, the publishing fails with an error during payload parsing. I can publish the same tar without an issue to the older (3.01.01) Nexus, so the tar/payload itself is OK.
The error seems to be at the point of trying to parse the npm payload. I can also publish a demo/simple npm (both scoped and non-scoped) without an issue. Spent the whole day trying to figure this out with no luck - appreciate any pointers or advice.
2017-09-06 18:49:09,160+0800 WARN [qtp762281666-4116] MIDALLE org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Failure servicing: PUT /repository/npm-hosted/@progress%2fkendo-ui
java.lang.IllegalStateException: Unexpected token VALUE_NULL at [Source: java.io.InputStreamReader@1ebad5c7; line: 1, column: 896]
    at com.sonatype.nexus.repository.npm.internal.NpmPublishParser.parseValue(NpmPublishParser.java:150)
    at com.sonatype.nexus.repository.npm.internal.NpmPublishParser.parseObject(NpmPublishParser.java:174)
    at com.sonatype.nexus.repository.npm.internal.NpmPublishParser.parseValue(NpmPublishParser.java:136)
    at com.sonatype.nexus.repository.npm.internal.NpmPublishParser.parseObject(NpmPublishParser.java:174)
    at com.sonatype.nexus.repository.npm.internal.NpmPublishParser.parseValue(NpmPublishParser.java:136)
    at com.sonatype.nexus.repository.npm.internal.NpmPublishParser.parsePackageRoot(NpmPublishParser.java:123)
    at com.sonatype.nexus.repository.npm.internal.NpmPublishParser.parse(NpmPublishParser.java:98)
    at com.sonatype.nexus.repository.npm.internal.NpmRequestParser.parseNpmPublish(NpmRequestParser.java:81)
    at com.sonatype.nexus.repository.npm.internal.NpmRequestParser.parsePublish(NpmRequestParser.java:60)
    at com.sonatype.nexus.repository.npm.internal.NpmHostedFacetImpl.putPackage(NpmHostedFacetImpl.java:85)
    at com.sonatype.nexus.repository.npm.internal.NpmHandlers$3.handle(NpmHandlers.java:172)
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
Here's the gist for the full error from the nexus log.
This issue was resolved in scope of https://issues.sonatype.org/browse/NEXUS-14385 (Fix Version/s: 3.6.1).
There was a problem with parsing null values in package.json.
I got this to work; however, I'm still trying to figure out the impact of the change. Please be cautious if you apply the same 'hack' to get this to work. I had to do this because there were several other project teams that were getting affected.
In a nutshell, I had to strip out a few keys from the package.json of the kendo-ui package. My analysis is that these settings make npm issue a network call that fails in our constrained environment.
The package.json keys that I removed are as follows.
First section
  "_resolved": "https://registry.npm.telerik.com/@progress%2fkendo-ui/-/kendo-ui-2017.2.621.tgz",
  "_shasum": "09a652ead21700716dd5a50f9e86e9bffcea640e",
  "_shrinkwrap": null,
Second section
  "dist": {
    "shasum": "09a652ead21700716dd5a50f9e86e9bffcea640e",
    "tarball": "http://registry.npm.telerik.com/@progress%2fkendo-ui/-/kendo-ui-2017.2.621.tgz"
  },
I'd really appreciate it if someone who knows more about npm and npm definitions can explain the purpose of these settings in the package.json and the potential impacts of removing them.