@compulim compulim commented Jan 7, 2022

Fixes #4014. Fixes #4015.

Changelog Entry

  • Fixes #4104 and #4105. Fixed invalid entry in core/package-lock.json, removed playground/host, and added script to rebase URLs in package-lock.json, by @compulim, in PR #4106

Description

Fix core/package-lock.json so it is pointing to the correct package.

Also added a tool script to rebase resolve field from NPMJS to Azure Artifacts temporarily.

Design

We added a new tool, which can be used to modify any package-lock.json file. It will modify the resolve field, which usually points to https://registry.npmjs.org/, to an arbitrary URL provided via the CLI argument.

We have no plans to change our primary NPM registry. We will continue to use registry.npmjs.org. However, a new internal requirement requires us to use Azure Artifacts for packages when we build our project for publication. This will make sure all dependencies we used to build our final project can be controlled precisely.

Say, if a package becomes critically vulnerable, we can quickly reconfigure our Azure Artifacts to block the package and immediately prevent our build pipeline from emitting problematic code.

As a side effect, the tool will check if all the URLs in the package-lock.json are valid, such as:

Specific Changes

  • Updated core/package-lock.json
    • @babel/helper-split-export-declaration should use the correct tarball, not from @babel/helper-hoist-variable
  • Removed package/playground/host/
    • This package is not used, and not managed by lerna
    • package/playground is already a package, it should not contain another package
  • Added scripts/rebasePackageLock.mjs tool to rebase resolve field in package-lock.json
  • I have added tests and executed them locally
  • I have updated CHANGELOG.md
  • I have updated documentation

Review Checklist

This section is for contributors to review your work.

  • Accessibility reviewed (tab order, content readability, alt text, color contrast)
  • Browser and platform compatibilities reviewed
  • CSS styles reviewed (minimal rules, no z-index)
  • Documents reviewed (docs, samples, live demo)
  • Internationalization reviewed (strings, unit formatting)
  • package.json and package-lock.json reviewed
  • Security reviewed (no data URIs, check for nonce leak)
  • Tests reviewed (coverage, legitimacy)

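The rebase-and-check behaviour described in the Design section, as an added example that is not the PR's own scripts/rebasePackageLock.mjs and not part of this page: it rewrites every `resolved` URL in a package-lock.json from one registry prefix to another, and while walking the file it flags entries whose tarball name does not match the package and version that reference it (the kind of mismatch this PR fixed for @babel/helper-split-export-declaration) as well as entries not served by the registry at all, which a build registry like Azure Artifacts could not block or pin. It goes slightly beyond the page by handling both the lockfile v1 nested `dependencies` tree and the v2/v3 flat `packages` map. All registry URLs, package names and versions in the samples are constructed; the npm tarball URL layout `<registry><name>/-/<unscoped>-<version>.tgz` is the real one.

```javascript
// Added illustration (not the PR's scripts/rebasePackageLock.mjs): rebase "resolved" URLs
// in a package-lock.json and report entries that do not look right while doing so.
// Sample registries, package names and versions below are constructed.

const NPM_REGISTRY = 'https://registry.npmjs.org/';

// npm serves tarballs at <registry><name>/-/<unscoped-name>-<version>.tgz, so the
// lockfile's own name and version fields say which URL an entry should carry.
function expectedTarballUrl(registry, name, version) {
  const unscoped = name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name;
  return `${registry}${name}/-/${unscoped}-${version}.tgz`;
}

// Yield every dependency entry together with the package name it stands for.
// Lockfile v1 keeps a nested "dependencies" tree; v2/v3 keep a flat "packages" map keyed
// by install path (v2 has both sections, and both are walked so they stay consistent).
function* lockEntries(lock) {
  function* walkV1(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      yield { name, entry, where: prefix + name };
      yield* walkV1(entry.dependencies, `${prefix}${name} > `);
    }
  }
  yield* walkV1(lock.dependencies, '');
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue; // "" is the root project; other keys outside node_modules are workspace sources
    const name = entry.name || path.slice(idx + 'node_modules/'.length); // aliased packages carry "name"
    yield { name, entry, where: path };
  }
}

// Return a rewritten copy of the lock plus the problems found; the input is not mutated.
function rebasePackageLock(lock, fromRegistry, toRegistry) {
  const out = JSON.parse(JSON.stringify(lock));
  const problems = [];
  let rewritten = 0;
  for (const { name, entry, where } of lockEntries(out)) {
    const { resolved, version } = entry;
    if (typeof resolved !== 'string') continue; // bundled deps and workspace links carry no URL
    if (!resolved.startsWith(fromRegistry)) {
      // git/file/other-registry sources are left untouched but reported: the build
      // registry cannot control them.
      problems.push(`${where}: not served by ${fromRegistry} (${resolved})`);
      continue;
    }
    if (resolved !== expectedTarballUrl(fromRegistry, name, version)) {
      problems.push(`${where}: resolved tarball ${resolved} does not match ${name}@${version}`);
    }
    entry.resolved = toRegistry + resolved.slice(fromRegistry.length);
    rewritten += 1;
  }
  return { lock: out, rewritten, problems };
}

// CLI-style wrapper (CommonJS require; use import in an .mjs file): rewrite a lock file on
// disk and fail loudly if anything looked wrong, so a pipeline step cannot silently pass.
function rebaseLockFile(file, fromRegistry, toRegistry) {
  const fs = require('node:fs');
  const result = rebasePackageLock(JSON.parse(fs.readFileSync(file, 'utf8')), fromRegistry, toRegistry);
  fs.writeFileSync(file, JSON.stringify(result.lock, null, 2) + '\n');
  if (result.problems.length) throw new Error(result.problems.join('\n'));
  return result.rewritten;
}

// Constructed v3-style lock: one correct entry, one entry pointing at another package's
// tarball (the shape of the bug fixed in this PR), and one git-sourced dependency.
const SAMPLE_LOCK_V3 = {
  name: 'sample', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'sample', version: '1.0.0' },
    'node_modules/@babel/helper-hoist-variables': {
      version: '7.16.7',
      resolved: 'https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.16.7.tgz',
    },
    'node_modules/@babel/helper-split-export-declaration': {
      version: '7.16.7',
      resolved: 'https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.16.7.tgz',
    },
    'node_modules/some-git-dep': { version: '0.0.1', resolved: 'git+https://example.invalid/some-git-dep.git#deadbeef' },
  },
};

// Constructed v1-style lock with a nested dependency.
const SAMPLE_LOCK_V1 = {
  name: 'sample', lockfileVersion: 1,
  dependencies: {
    'p-limit': {
      version: '3.1.0',
      resolved: 'https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz',
      dependencies: {
        'yocto-queue': { version: '0.1.0', resolved: 'https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz' },
      },
    },
  },
};
```

Running `rebasePackageLock(SAMPLE_LOCK_V3, NPM_REGISTRY, 'https://pkgs.example.invalid/npm/registry/')` rebases the two registry tarballs and returns two problems: the mismatched @babel entry and the git-sourced dependency. Mismatched entries are still rebased so the output is consistent, but the caller is expected to treat a non-empty `problems` list as a failure rather than commit the result.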
@compulim compulim marked this pull request as ready for review January 7, 2022 19:27
@compulim compulim merged commit 252758f into microsoft:main Jan 10, 2022
@compulim compulim deleted the feat-rebase-script branch January 10, 2022 18:19