Searched hist:f000468d (Results 1 – 2 of 2) sorted by relevance
/openbmc/phosphor-webui/ |
H A D | package-lock.json | f000468d Tue Jul 23 17:38:32 CDT 2019 Gunnar Mills <gmills@us.ibm.com>

Use npm-check-updates and npm audit fix

Upgraded npm to 6.10.2, which includes npm audit. Installed npm-check-updates and then ran:

    ncu -u; npm audit fix

This is an npm 6 package-lock.json. Recommend using npm 6 from here out to avoid churn in the package-lock.json caused by npm 5 vs npm 6.

Before:
    found 24 high severity vulnerabilities in 12251 scanned packages
    run `npm audit fix` to fix 24 of them.

After:
    found 0 vulnerabilities in 12251 scanned packages

npm 6 was released a year and a half ago and has "security is built in". npm 6/5.10 moved package-lock.json from exact versions to loose versions; tilde and caret are now present in the package-lock.json. The previous commits help a little by "specific version in package.json guarantees the version only at the top level commit". Even though package-lock.json has tildes and carets (scary!), the package-lock.json still locks sub-dependencies according to npm.
https://github.com/npm/npm/issues/20434#issuecomment-395637874

OpenBMC uses nodejs_10.15.3 which has npm 6.4.1.
https://github.com/openbmc/openbmc/blob/master/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_10.15.3.bb
https://nodejs.org/en/download/releases/

Also see: https://github.com/npm/npm/issues/20891

Resolves openbmc/phosphor-webui#91

Tested: Built image and loaded on Witherspoon

Change-Id: I436be724ac4b27bb00a4b4c20077ddf981c43c9f
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
H A D | package.json | f000468d Tue Jul 23 17:38:32 CDT 2019 Gunnar Mills <gmills@us.ibm.com>

Use npm-check-updates and npm audit fix
(same commit message as for package-lock.json above)