Fix npm audit warnings in NPM package #6437
| ./scripts/format.sh && ./scripts/error_on_dirty.sh | ||
| node ./scripts/validate_changelog.js | ||
| npm run docs && ./scripts/error_on_dirty.sh | ||
| npm audit --production |
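Review bot: "npm audit --production" exits non-zero on an advisory of any severity, so this step will also fail the build on low-severity findings in a transitive dependency; consider adding "--audit-level" with the severity that should actually break the build. Since the package.json docs linked in this PR target npm 8, "--omit=dev" is the non-deprecated spelling of "--production" there.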
Will alert if we start having this problem again. Unfortunately it can be quite unexpected: e.g. if a vulnerability is found in the version of @mapbox/node-pre-gyp we use and NPM starts reporting it.
--production means "audit only non-dev dependencies". Our dev dependencies have a lot of problems at the moment and they are quite difficult to fix (that's why the fix is to just move problematic dependencies from non-dev to dev).
| "private": false, | ||
| "description": "The Open Source Routing Machine is a high performance routing engine written in C++14 designed to run on OpenStreetMap data.", | ||
| "dependencies": { | ||
| "@mapbox/node-pre-gyp": "^1.0.9", |
cheap-ruler, mkdirp and rimraf are used in tests only.
nan and node-cmake are needed only to build the binary and are not needed to use the package afterwards.
Tbh it would be great to somehow check that the package will 100% work without them on some clean test project (even though I am 99% confident that it will work :) ), but I'm not sure how to properly do that.
| "node-cmake": "^2.5.1", | ||
| "rimraf": "^2.7.1" | ||
| }, | ||
| "bundleDependencies": [ |
Not sure why we needed it, but it seems there is no need for it either: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#bundledependencies
Issue
At the moment if I run npm audit in a project with @project-osrm/osrm installed, it complains about a couple of warnings coming from our package:

The reason for this is dependencies we have in the package which can actually be made dev-dependencies, as they are only needed for build/test purposes.
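As an added example (not code from this PR or the OSRM project), the following check flags entries of "dependencies" that no runtime JavaScript file ever requires, which is the class of package the description proposes moving to devDependencies. It assumes a layout where test/ and scripts/ hold build/test-only code; the sample project it builds is constructed, and only the three version strings visible in the diff are real.

```python
"""Flag "dependencies" entries that no runtime JavaScript file requires."""
import json
import re
import tempfile
from pathlib import Path

# Assumed repo layout: test/ and scripts/ hold build/test-only code, all else is runtime.
NON_RUNTIME_DIRS = {"test", "scripts"}
# Matches require('pkg'), require("@scope/pkg") and require('pkg/sub/path').
REQUIRE_RE = re.compile(r"""require\(\s*['"]((?:@[\w.-]+/)?[\w.-]+)(?:/[^'"]*)?['"]\s*\)""")


def runtime_requires(root: Path) -> set:
    """Collect package names required by JS files outside NON_RUNTIME_DIRS."""
    names = set()
    for path in root.rglob("*.js"):
        rel = path.relative_to(root).parts
        if "node_modules" in rel or (len(rel) > 1 and rel[0] in NON_RUNTIME_DIRS):
            continue
        names.update(m.group(1) for m in REQUIRE_RE.finditer(path.read_text()))
    return names


def devdependency_candidates(root) -> list:
    """Sorted "dependencies" entries that runtime code never requires."""
    # Packages used only by the native build (nan, node-cmake) are never require()d, so they show up too.
    root = Path(root)
    pkg = json.loads((root / "package.json").read_text())
    used = runtime_requires(root)
    return sorted(name for name in pkg.get("dependencies", {}) if name not in used)


def build_sample_project() -> str:
    """Construct a throwaway project mirroring the layout discussed in the PR."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "test").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "sample-osrm-like",
        # Only the three versions shown in the diff are real; "*" is a placeholder.
        "dependencies": {"@mapbox/node-pre-gyp": "^1.0.9", "cheap-ruler": "*",
                         "mkdirp": "*", "nan": "*", "node-cmake": "^2.5.1",
                         "rimraf": "^2.7.1"}}))
    (root / "lib" / "index.js").write_text("var binary = require('@mapbox/node-pre-gyp');\n")
    (root / "test" / "helpers.js").write_text(
        "var ruler = require('cheap-ruler');\nvar mkdirp = require('mkdirp');\n"
        "var rimraf = require('rimraf');\n")
    return str(root)


if __name__ == "__main__":
    # Prints ['cheap-ruler', 'mkdirp', 'nan', 'node-cmake', 'rimraf']
    print(devdependency_candidates(build_sample_project()))
```

Each candidate still needs a manual look (a package consumed only from binding.gyp or CMake, like nan, is still a build-time need), so treat the list as review input rather than an automatic move.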