There is a vulnerability related to nth-check that I am trying to fix.
https://www.cve.org/CVERecord?id=CVE-2021-3803
It is coming from @rails/webpacker. Tried removing the entry optimize-css-assets-webpack-plugin@^5.0.8 from yarn.lock and running yarn install again but no luck. It still installs the 5.0.8 version.
yarn upgrade adds a new entry in package.json for the latest version of optimize-css-assets-webpack-plugin, but looking at https://www.npmjs.com/package/@rails/webpacker?activeTab=dependencies, @rails/webpacker is consuming the latest version of optimize-css-assets-webpack-plugin, so I am not sure why it's not picking up the latest version.
I need to update old dependencies because of security reasons in a project that uses Yarn, and I would like to know the best way to do this. I have used yarn add package-name@latest and yarn upgrade package-name@latest with the same result. The old version package definition remains. Is that acceptable? Since I have to update the old version for security, I think the old version should be removed. Is there a command that updates a package to a specific version and removes the old package definition?
The situation you are describing should only arise if you also have transitive dependencies that come from other dependencies.
So you may have another package that depends on acorn in a lower version.
If this is not the case I would try:
yarn upgrade package-name --latest
To update all packages to the latest versions, I recommend:
yarn upgrade-interactive --latest
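Both questions above come down to the same thing: a transitive dependency keeps selecting the old version, so the lockfile keeps two entries for the package. The following is an added example (not code from either question or answer) that parses a classic v1 yarn.lock, such as the one in these questions, and reports every resolved version of a package together with the dependents whose range selected it. The sample lockfile, its package versions and the ROOT_DEPS object are constructed to mirror the @rails/webpacker scenario.

```javascript
// Added example, not code from the question or the answer: list every resolved
// version of a package in a classic (v1) yarn.lock with the dependents that chose it.
function parseYarnLock(text) {
  const entries = [];                       // { specs, name, version, deps }
  let cur, inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (!line || line.startsWith("#")) continue;
    if (indent === 0) {                     // header: `spec, spec:`
      const specs = line.replace(/:$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      entries.push(cur = { specs, name: specs[0].slice(0, specs[0].lastIndexOf("@")), version: null, deps: {} });
      inDeps = false;
    } else if (indent === 2) {              // fields of the current entry
      inDeps = /^(optional)?[dD]ependencies:$/.test(line);
      const m = line.match(/^version "([^"]+)"$/);
      if (m) cur.version = m[1];
    } else if (indent === 4 && inDeps) {    // `name "range"` under dependencies:
      const m = line.match(/^"?([^"\s]+)"?\s+"([^"]+)"$/);
      if (m) cur.deps[m[1]] = m[2];
    }
  }
  return entries;
}

// Map each resolved version of `pkg` to the dependents that chose it;
// package.json itself is listed when rootDeps declares the package.
function dependents(entries, pkg, rootDeps = {}) {
  const bySpec = new Map(entries.flatMap((e) => e.specs.map((s) => [s, e])));
  const out = {};
  const record = (range, who) => {
    const target = bySpec.get(`${pkg}@${range}`);
    if (target) (out[target.version] = out[target.version] || []).push(who);
  };
  for (const e of entries) if (e.deps[pkg]) record(e.deps[pkg], `${e.name}@${e.version}`);
  if (rootDeps[pkg]) record(rootDeps[pkg], "package.json");
  return out;
}

// Constructed sample (all versions made up): package.json asks for ^6.0.0, but
// @rails/webpacker still requires the 5.x line, so 5.0.8 survives `yarn upgrade`.
const SAMPLE_LOCK = `# yarn lockfile v1
"@rails/webpacker@^5.4.3":
  version "5.4.3"
  dependencies:
    optimize-css-assets-webpack-plugin "^5.0.8"
optimize-css-assets-webpack-plugin@^5.0.8:
  version "5.0.8"
optimize-css-assets-webpack-plugin@^6.0.0:
  version "6.0.1"
`;
const ROOT_DEPS = { "@rails/webpacker": "^5.4.3", "optimize-css-assets-webpack-plugin": "^6.0.0" };
console.log(dependents(parseYarnLock(SAMPLE_LOCK), "optimize-css-assets-webpack-plugin", ROOT_DEPS));
```

Against a real project, read yarn.lock and the dependencies block of package.json from disk instead of the constructed strings; an entry that only lists transitive dependents is the one an upgrade of the direct dependency will not remove.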
At the top of my yarn.lock file I see:
__metadata:
  version: 5
  cacheKey: 8
I have no idea what the version or cacheKey is, and I haven't found any documentation for them on yarn's website. What are they?
It's simply the yarn.lock version, originally introduced here:
When upgraded, the lockfile entries have to be resolved again (but the specific versions are still pinned, no worry). Bump it when you change the fields within the Package type; no more no less.
More details on the currently implemented resolution logic:
github.com/yarnpkg/berry/blob/master/packages/yarnpkg-core/sources/Project.ts
Typical scenario
My lockfile version updated locally because my latest Homebrew Yarn version was running behind on 3.2.0-rc.10, despite running brew upgrade and yarn -v still showing this older version.
However a bot (might be team member) already upgraded Yarn to 3.2.0-rc.12, versioned / committed / locked remotely in .yarnrc.yml and npm.packageManager (example).
This is what we want for consistency, so we could add a package.json script to use it instead:
  // ...
  "scripts": {
    // ...
    "setup": "yarn",
    // ...
  },
  // ...
If frequently switching between classic, stable and canary - cd ~ && yarn set version <ver> may bump your local Yarn version too (then remember to clear generated files).
Problem
I was facing difficulty in importing one of the packages properly and using it in my MERN application in the backend. After researching and looking at the deployed code I got to know that my application is using the unwanted version of that package and thus it is causing the issue but I already changed the version in package.json before pushing. I have written unwanted here because in my case the new version of the package has bugs and that's why I want the old/previous version back but I am unable to know the exact reason or thing which is causing heroku to use the unwanted version again and again.
For Clarity:
initial version: 1.6.6 (was working fine)
then I installed version: 1.7.0 (found bugs) unwanted version
tried to go back to version: 1.6.6 but couldn't
What I have tried
The first thing I tried was setting NODE_MODULES_CACHE to false to avoid Heroku picking up old code, as it has worked for me in the past. Apart from that, I can't find any other thing.
There is nothing suspicious in the heroku logs and it builds the application without any error.
I found the solution to it if someone's looking for it. It is not much of a solution instead it's more about how heroku works.
Heroku uses npm ci instead of npm install.
npm ci installs all dependencies in respect to package-lock.json similar to npm install. The key difference here is that ci doesn't alter package-lock.json under any circumstances.
So basically, the package-lock.json was still the unwanted one in my case and heroku was installing that rather than what I pushed into package.json as it didn't matter.
So, in order to solve this issue you have two options:
You can push your updated package-lock.json. In my case I had intentionally not added package-lock.json to versioning, as I thought Heroku would update it, so I had put it in .gitignore.
You can set the USE_NPM_INSTALL environment variable to true to let Heroku know that you want to use npm install instead of npm ci to create the build environment. (NOTE: If you want to use npm install Heroku advises to use NODE_MODULES_CACHE=false as it speeds up the build time)
I went with option 1.
Link to Heroku docs: https://devcenter.heroku.com/articles/nodejs-support
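Since npm ci installs exactly what package-lock.json pins, the drift described in this answer (package.json rolled back, lockfile still on the newer version) can be caught before pushing. The following is an added example, not code from the question, the answer or Heroku: it compares every package.json dependency with the version the lockfile pins, for lockfileVersion 1 and 2/3 layouts. The semver check is a deliberately simplified one that only understands plain x.y.z ranges with no operator, ^ or ~; the package names and versions in PKG and LOCK are constructed.

```javascript
// Added example, not code from the question or the answer: check that the
// committed package-lock.json still agrees with package.json, since npm ci
// installs what the lockfile pins. Assumes plain x.y.z ranges (exact, ^, ~).
const parse = (v) => v.replace(/^v/, "").split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Simplified semver: ^ keeps the leftmost non-zero part fixed, ~ keeps major.minor.
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const lo = parse(range.slice(op.length)), v = parse(version);
  if (cmp(v, lo) < 0) return false;
  if (op === "") return cmp(v, lo) === 0;
  let hi;
  if (op === "~") hi = [lo[0], lo[1] + 1, 0];
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  return cmp(v, hi) < 0;
}

// Version pinned for a top-level package in lockfileVersion 1 (dependencies)
// or 2/3 (packages keyed by node_modules path).
function lockedVersion(lock, name) {
  if (lock.packages) return (lock.packages[`node_modules/${name}`] || {}).version;
  return ((lock.dependencies || {})[name] || {}).version;
}

// Returns one line per package.json entry the lockfile is missing or does not satisfy.
function checkLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const v = lockedVersion(lock, name);
    if (!v) problems.push(`${name}: ${range} declared, not in lockfile`);
    else if (!satisfies(v, range)) problems.push(`${name}: ${range} declared, lockfile pins ${v}`);
  }
  return problems;
}

// Constructed sample reproducing the question: package.json was rolled back to
// 1.6.6, but a lockfile that still pins 1.7.0 is what npm ci installs.
const PKG = { dependencies: { "some-lib": "1.6.6", "express": "^4.17.1" } };
const LOCK = { lockfileVersion: 2, packages: {
  "node_modules/some-lib": { version: "1.7.0" },
  "node_modules/express": { version: "4.18.2" } } };
console.log(checkLock(PKG, LOCK));   // [ 'some-lib: 1.6.6 declared, lockfile pins 1.7.0' ]
```

In a real repository, load both files with JSON.parse(fs.readFileSync(...)) and fail the commit or CI job when checkLock returns anything; if the lockfile is in .gitignore, as in this question, the check cannot see what Heroku will install.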
Say I have a package.json file in an existing project. In there I have "some-package": "^1.0-01", however I know that the latest version is 1.0-02.
So I do yarn upgrade. However, package.json is not updated, and still references the -01 version. The yarn.lock file however shows this:
some-package@^1.0-01:
  version "1.0-02"
Is this expected behavior? When someone else does the yarn command, which version will they get? If they get the latest version, isn't it misleading to show -01 in package.json?
According to the documentation here,
yarn upgrade
This command updates all dependencies to their latest version based on the version range specified in the package.json file. The yarn.lock file will be recreated as well.
The tricky part is "based on the version range specified in the package.json".
This means that if your package.json has defined a particular semver like you've said, upgrade will only upgrade it according to the range defined there, i.e. ^1.0-01 should upgrade to 1.0-02 in both your package.json and yarn.lock files.
Now you've said that this is happening only in your yarn.lock file. Yarn provides a utility for checking for such clashes called check.
Could you try running
yarn check
in your repository and tell us your findings?
So, I got a small site started in node.js (my first one) using Express. Pretty happy with it, until I tried to deploy to Heroku and found that I had 0.4.9 installed and they only support 0.4.7.
Is uninstalling 0.4.9 and installing 0.4.7 my only option, or is there a way to do a side-by-side on the two?
You can override the version of node.js and npm by customizing the Heroku build pack:
http://blog.superpat.com/2011/11/15/running-your-own-node-js-version-on-heroku/
Actually...you do not have to remove anything.
Just ensure you are using features of node compliant with node 0.4.7 and when you make your package.json which specifies your dependencies has the correct version number or range specified.
I had a similar issue where one of our developers made his package and set the dependency to node 0.4.8; however, it didn't require this, it was just the version he was using at the time. We ended up updating his package.json to list node 0.4.7 instead, and then my package, which depended on his, deployed to Heroku just fine.
It seems Heroku only supports 0.4.7 at the moment and even suggests to develop strictly on that version.
If you have to use heroku then you have to uninstall 0.4.9, install 0.4.7.
If you don't have to use Heroku, you can always set up a VPS yourself, and you will have the freedom to install whatever version pleases you. :D