npm: update dependencies #21

Merged 9 commits, Feb 11, 2022

Conversation

@Totktonada Totktonada (Member) commented Feb 10, 2022

I think it is a good time to perform some maintenance activities. I plan to propose several changes and it is good to renew obsolete things before starting.

Changes in short:

  • Applied updates enforced by npm v7+ and TypeScript 4.4+.
  • Updated ncc (upstream has changed), node-fetch (security) and ran `npm update`.
  • Added a short contributor guide.
  • Dropped Ubuntu Xenial (16.04) from CI.

Full list of changes:

  • npm: regenerate package-lock.json for npm v7+
  • npm/security: update node-fetch (2.6.1 -> 2.6.7)
  • npm: update @zeit/ncc@0.22.3 to @vercel/ncc@0.33.1
  • npm: update dependencies to latest compatible ones
  • build: validate that an error is of type Error
  • build: regenerate index.js
  • doc: add hints for contributors
  • gitignore: add Vim Swap files
  • ci: drop ubuntu-16.04

Consider commit messages for details.

I had the intention to install locked dependencies and called `npm install`
in the project directory for the first time. Surprisingly, it updated my
`package-lock.json` with `lockfileVersion: 2` (was 1) and the new
`packages` field.

The documentation [1] says that it is the new lock file format for npm
v7+, which is compatible with npm v6. Okay, let's move to the new
format.

FWIW, my versions are the following:

| Package | Version |
| ------- | ------- |
| nodejs  | 16.13.1 |
| npm     | 8.1.2   |

[1]: https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json

`npm audit` says the following:

 | node-fetch  <2.6.7
 | Severity: high
 | node-fetch is vulnerable to Exposure of Sensitive Information to an
 | Unauthorized Actor - GHSA-r683-j2x4-v87g

Why not update? I called `npm audit fix`, which updates the
`package-lock.json` file.

`npm install` says:

 | npm WARN deprecated @zeit/ncc@0.22.3: @zeit/ncc is no longer
 | maintained. Please use @vercel/ncc instead.

Okay, why not? Updated.

Called `npm update` and committed the resulting `package-lock.json`
file.

There were no updates in the repository for several months and I think
it is a good time to perform some maintenance activities. Updating
dependencies to the latest compatible ones should be the right action at
this point.

`npm run pre-checkin` (more precisely `tsc`) says the following:

 | src/main.ts:178:20 - error TS2571: Object is of type 'unknown'.
 |
 | 178       core.warning(error.message)
 |                        ~~~~~
 |
 | src/main.ts:184:20 - error TS2571: Object is of type 'unknown'.
 |
 | 184     core.setFailed(error.message)
 |                        ~~~~~
 |
 |
 | Found 2 errors.

In the previous commit I called `npm update` and it updated TypeScript
from 4.1.2 to 4.5.5. Since 4.4 it requires explicitly checking that a
raised error is of type Error when strict mode is enabled (see [1]). We
have strict mode enabled in `tsconfig.json`.

I also found that TypeScript 4.0 allows marking a raised object as
`unknown` explicitly (see [2]), and I considered it the recommendation
to apply.

A similar change was applied in the TypeScript Action template (see
[3]).

[1]: https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-4.html#using-unknown-in-catch-variables
[2]: https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-0.html#unknown-on-catch-clause-bindings
[3]: actions/typescript-action#376
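As an added example (editor's code, not the project's), here is a catch clause written the way TypeScript 4.4's strict mode requires: the `instanceof Error` check the commit describes, plus a fallback for thrown values that are not Error objects, which would otherwise crash the reporting path itself. The names `describeError` and `runStep` and the `setFailed` callback are hypothetical stand-ins for the action's `core.setFailed` call.

```typescript
// Added example, not code from the project. Under TypeScript >= 4.4 with
// "strict": true the catch binding is `unknown`, so `error.message` no
// longer compiles (TS2571) until the value is narrowed.

// Narrow an `unknown` catch binding to a string that is safe to report.
// A thrown value is not guaranteed to be an Error: code may `throw "boom"`
// or throw a plain object, and a reporter must not throw a second time.
function describeError(error: unknown): string {
  if (error instanceof Error) {
    return error.message;
  }
  if (typeof error === 'string') {
    return error;
  }
  try {
    // JSON.stringify returns undefined for undefined and throws for
    // circular structures or BigInt; both cases fall back to String().
    const json = JSON.stringify(error);
    return json ?? String(error);
  } catch {
    return String(error);
  }
}

// Mirrors the shape of the action's main(): run a step and report failures
// through a callback (hypothetical stand-in for core.setFailed).
function runStep(step: () => void, setFailed: (message: string) => void): boolean {
  try {
    step();
    return true;
  } catch (error: unknown) {
    // Explicit `unknown` annotation is allowed since TypeScript 4.0 and
    // documents that the value has not been checked yet.
    setFailed(describeError(error));
    return false;
  }
}
```
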

In previous commits I applied several maintenance changes: updated
dependency versions and fixed the source for TypeScript 4.4 and above.

Now it is time to regenerate the resulting JavaScript file. I called
`npm run pre-checkin` and committed the resulting `dist/main/index.js`
file.

Described how to set up the necessary environment and regenerate the
resulting `index.js` file to ease the pathway of a first-time contributor
like me.

Make working on the project more engaging for those who (like me) use
Vim.
@Totktonada Totktonada (Member, Author):
@rosik, please, take a look if time permits.

Totktonada added a commit that referenced this pull request Feb 10, 2022
Sometimes we want to test a module against a specific tarantool version,
not the latest in the series. For example, the 2.6 series may have 2.6.1,
2.6.2 and 2.6.3 releases and we want to set up 2.6.1.

TBD: Rebase after PR #21.

TBD: Add a test.

Fixes #15
@Totktonada Totktonada (Member, Author):
Yaroslav said: 👍.

@Totktonada Totktonada merged commit 966c6c1 into master Feb 11, 2022
@Totktonada Totktonada deleted the Totktonada/update-dependencies branch February 11, 2022 13:28