Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

fix: drop npm dependency #444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
antongolub wants to merge 1 commit into semantic-release:master
base: master
Choose a base branch
Loading
from antongolub-forks:drop-npm-dep

Conversation

Copy link
Contributor

@antongolub antongolub commented Dec 22, 2021
edited
Loading

closes #434
relates #270

alternative #445

#434 (comment)

Suggestion: remove npm dependency. I still believe that the plugin always invokes global npm, so this dependency is completely useless.

Have a look:

const result = execa(

npm is called via execa. It is just a wrapper for child_process.exec by default. cp uses $PATH to find util ref, and it knows absolutely nothing about node_modules/.bin/npm.

git clone ... && npm i
npm -v
6.14.13
node -e "console.log(require('execa').sync('npm', ['-v']).stdout)"
6.14.13
node -e "console.log(require('./node_modules/npm/package.json').version)"
7.24.2

if we want execa to call the plugins's own npm version, we should pass preferlocal option.

node -e "console.log(require('execa').sync('npm', ['-v'], {preferLocal: true}).stdout)"
7.24.2

the-spyke, eugene1g, shooit, and jjoshm reacted with thumbs up emoji
Copy link

the-spyke commented Dec 23, 2021
edited by hearts bot
Loading

Please merge this. If there's a necessity to have a specific npm, it could be done through the engines property.

@gr2m gr2m changed the title (削除) fix: drop useless npm dependency (削除ここまで) (追記) fix: drop npm dependency (追記ここまで) Jan 17, 2022
Copy link
Contributor Author

antongolub commented Jan 18, 2022
edited by hearts bot
Loading

Closed in favor of #445

Copy link
Contributor Author

antongolub commented Jan 18, 2022
edited by hearts bot
Loading

I've recognised that some package may bring its own npm version if needed. Reopened.
aisamu reacted with thumbs up emoji

Copy link

the-spyke commented Feb 14, 2022
edited by hearts bot
Loading

#445 Does not replace this. I don't want to see npm and it's tree in the lock file. If you don't want to drop it please make it a peerDependency

Copy link

schmidtk commented Jul 7, 2022

This dependency causes an unfortunate side effect in projects using npm workspaces, because the npm dependency from this package gets hoisted to the root node_modules. Scripts using npm run will then use the locally installed version of npm from this package instead of the global install.

I described the issue in further detail here:
npm/rfcs#287 (comment)

Is the dependency truly needed in this package, or can it be either removed or made a peer dependency? Thanks for you time.

Copy link
Member

travi commented Jul 7, 2022

can it be either removed or made a peer dependency?

our recommendation is to execute semantic-release using npx so that semantic-release is only installed at execution time and not defined in your package.json or your lockfile. this will limit the impact of npm being installed as a dependency as well

This dependency causes an unfortunate side effect in projects using npm workspaces

this project does not officially support use in monorepos, so impacts to workspaces are officially out of scope. what additional tooling are you using in your project to enable use within a monorepo?

Copy link

our recommendation is to execute semantic-release using npx so that semantic-release is only installed at execution time and not defined in your package.json or your lockfile.

I don't want to use npx so everything is stable and hash-verified without hacking around npm caches on CI.
theoludwig reacted with thumbs up emoji

Copy link
Member

travi commented Jul 7, 2022

I don't want to use npx so everything is stable and hash-verified without hacking around npm caches on CI.

you are welcome to make that choice, but that means living with the current trade-offs. we are not ready to make a decision on this change, but are considering the impacts. in the meantime, those are the available options.

Copy link

schmidtk commented Jul 7, 2022

our recommendation is to execute semantic-release using npx so that semantic-release is only installed at execution time and not defined in your package.json or your lockfile. this will limit the impact of npm being installed as a dependency as well

I'll look into the global install route to avoid bloating our package lock, though we prefer the local installation for the same reasons @the-spyke identified.

this project does not officially support use in monorepos, so impacts to workspaces are officially out of scope. what additional tooling are you using in your project to enable use within a monorepo?

We wrote a simple script that gathers workspace projects with semantic-release configured and runs npm run semantic-release --workspace=<project> on each of them.

Copy link

jcnix commented Feb 14, 2024
edited
Loading

I'm going to bump this because there is a CVE right now affecting npm so anyone who uses this package which pulls in npm and its tree get a High severity vulnerability tagged to them. npm bundles their dependencies so their is currently no solution other than waiting for an npm update, you cannot override the offending package via npm audit fix

GHSA-78xj-cgh5-2h22

Copy link
Member

gr2m commented Feb 14, 2024

regarding the CVE, see our recommendation above:
#444 (comment)

ljharb reacted with thumbs up emoji

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

npm audit - moderate vulnerabilities in deep json-schema dependency

AltStyle によって変換されたページ (->オリジナル) /