Remove backport from optionalDependencies #2049

Closed
shinebayar-g opened this issue Dec 24, 2023 · 1 comment · Fixed by cdk8s-team/cdk8s-projen-common#847
Labels: bug (Something isn't working), effort/small (1 day tops), ops (Ops related issue), priority/p1 (Should be on near term plans)

Comments

@shinebayar-g
Contributor

Description of the bug:

A package called backport is defined in the optionalDependencies. If I'm understanding correctly, packages defined in optionalDependencies are installed by default. Thus it is considered a direct dependency, and its dependencies are getting flagged for security vulnerabilities (like axios, for example).

cdk8s-core/package.json

Lines 174 to 176 in bc6f483

"optionalDependencies": {
  "backport": "8.5.0"
},

This is confirmed in npm as well.

I suggest we should move this to devDependencies.

This is 🐛 Bug Report

@shinebayar-g shinebayar-g added bug Something isn't working needs-triage Priority and effort undetermined yet labels Dec 24, 2023
@iliapolo
Member

iliapolo commented Jun 1, 2024

Oh nice. We should move it to devDependencies for sure. It used to be there, but it required a node version bump in all our workflows (because backport has higher node requirements than cdk8s) - but this makes it worth it.

Thanks!

@iliapolo iliapolo added effort/small 1 day tops priority/p1 Should be on near term plans ops Ops related issue and removed needs-triage Priority and effort undetermined yet labels Jun 1, 2024
@iliapolo iliapolo self-assigned this Jun 5, 2024
mergify bot pushed a commit to cdk8s-team/cdk8s-projen-common that referenced this issue Jun 5, 2024
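
An added example, not code from the cdk8s project or from either participant: it walks a set of package manifests to show which packages a consumer receives through a library's optionalDependencies, and that moving the entry to devDependencies removes them. The `registry` object, the `cdk8s-core` key, the placeholder versions and `example-dev-tool` are constructed assumptions; the walk matches packages by name only and does not model npm's version resolution.

```javascript
// Constructed sample manifests (not real registry data). Only backport 8.5.0
// comes from the issue; other versions and example-dev-tool are placeholders.
const registry = {
  "cdk8s-core": {
    dependencies: {},
    optionalDependencies: { backport: "8.5.0" },
    devDependencies: { "example-dev-tool": "0.0.0-placeholder" },
  },
  backport: { dependencies: { axios: "0.0.0-placeholder" } },
  axios: { dependencies: {} },
  "example-dev-tool": { dependencies: {} },
};

// Sections installed when a package is pulled in as someone else's dependency.
// devDependencies are installed only when developing the package itself.
const CONSUMER_SECTIONS = ["dependencies", "optionalDependencies"];

// Breadth-first walk: name -> { path, section }, where section is the root's
// manifest section through which the package first entered the tree.
function consumerInstallSet(rootName, reg) {
  const seen = new Map();
  const queue = [{ name: rootName, path: [rootName], section: null }];
  while (queue.length > 0) {
    const { name, path, section } = queue.shift();
    if (seen.has(name)) continue; // also guards against dependency cycles
    seen.set(name, { path, section });
    const manifest = reg[name] || {};
    for (const sec of CONSUMER_SECTIONS) {
      for (const dep of Object.keys(manifest[sec] || {})) {
        queue.push({ name: dep, path: [...path, dep], section: section || sec });
      }
    }
  }
  seen.delete(rootName);
  return seen;
}

// Packages a consumer receives only because of the root's optionalDependencies.
function viaOptional(rootName, reg) {
  return [...consumerInstallSet(rootName, reg)]
    .filter(([, info]) => info.section === "optionalDependencies")
    .map(([name, info]) => `${name} (${info.path.join(" > ")})`)
    .sort();
}

// The change proposed in the issue: move one entry to devDependencies.
function moveToDev(manifest, name) {
  const { [name]: version, ...optionalDependencies } = manifest.optionalDependencies || {};
  const devDependencies = { ...manifest.devDependencies, [name]: version };
  return { ...manifest, optionalDependencies, devDependencies };
}
```

Calling `viaOptional("cdk8s-core", registry)` lists backport and axios with the path that pulled each in; after `moveToDev` the consumer install set is empty.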