feat(TWILIGHT-2544): add pnpm lock file and update package manager to pnpm #468
base: master
Conversation
@@ -8,6 +8,7 @@ | |||
"url": "git+https://github.com/SallaApp/theme-raed.git" | |||
}, | |||
"scripts": { | |||
"preinstall": "npx only-allow pnpm", |
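Review bot: the Codacy "misspelled word: npx" finding on the new `preinstall` line is a false positive and should be dismissed rather than acted on; `npx only-allow pnpm` is the form the only-allow tool itself documents, and swapping it for `pnpx` (as the generated suggestion below proposes) is not a correction. One point worth a follow-up in review: a `preinstall` hook that shells out to `npx` fetches the `only-allow` package from the registry unpinned on every fresh install, so if the team cares about reproducible, supply-chain-auditable installs, pin the version in that invocation (e.g. `npx only-allow@<pinned version> pnpm`, version to be chosen by the maintainers) or document why an unpinned fetch is acceptable here.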
❌ Codacy found a critical Error Prone issue: You have a misspelled word: npx on String
The issue identified by ESLint is a potential misspelling of the word "npx" in the preinstall script. However, "npx" is a legitimate command used to execute npm packages, so the error might be a false positive. Nevertheless, if we assume ESLint is suggesting that "npx" is incorrect and should be replaced by "pnpx" (a specific command for pnpm), the correction would be to replace "npx" with "pnpx".
Here is the single line code suggestion to fix the issue:
"preinstall": "npx only-allow pnpm", | |
"preinstall": "pnpx only-allow pnpm", |
This comment was generated by an experimental AI tool.
peerDependencies: | ||
postcss: ^8.1.0 | ||
|
||
[email protected]: |
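Review bot: this lockfile entry records the axios version that the Trivy finding below reports as affected by CVE-2023-45857 (exposure of confidential data stored in cookies), with 0.28.0 named as the first unaffected release. The fix belongs in the `axios` specifier in package.json followed by regenerating pnpm-lock.yaml with `pnpm install`, not in a hand edit of the lock entry; note also that the generated suggestion below shows `axios@0.23.0` being replaced, which does not match the 0.27.2 version named in the same finding, so confirm the actually resolved version in the lockfile before applying anything.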
The issue identified by the Trivy linter is related to a security vulnerability in the axios library, specifically version 0.27.2. The vulnerability (CVE-2023-45857) involves the exposure of confidential data stored in cookies. This could potentially allow unauthorized access to sensitive information.
To fix this issue, you should update the axios dependency to a version that is not affected by this vulnerability, which is 0.28.0 or later.
Here is the single line change to update the axios dependency:
axios@0.23.0: | |
axios@0.28.0: |
This comment was generated by an experimental AI tool.
mmenu-light: | ||
specifier: ^3.0.9 | ||
version: 3.2.2 | ||
sweetalert2: |
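Review bot: the sweetalert2 advisory raised below (GHSA-mrr8-v49w-3333) is flagged as "no fix available", so the downgrade the generated suggestion proposes cannot be applied by editing `version:` in pnpm-lock.yaml alone; the `specifier` for sweetalert2 in package.json would still resolve to a newer release and the next `pnpm install` would undo the change, and a lock entry whose version does not satisfy its specifier is not a valid lockfile. If the team decides the advisory matters for this theme, pin the specifier in package.json and regenerate the lockfile; otherwise record an explicit accept of the finding so the scanner stops re-raising it on every PR.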
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (GHSA-mrr8-v49w-3333: sweetalert2 v11.6.14 and above contains potentially undesirable behavior) (no fix available)
The issue reported by the Trivy linter indicates that the version of the sweetalert2 library being used (11.14.1) has a known security vulnerability (GHSA-mrr8-v49w-3333). This vulnerability exists in versions of sweetalert2 starting from 11.6.14 and could potentially lead to undesirable behavior. Since there's no fix available for this vulnerability in the current version range, the best course of action is to downgrade to the last known secure version before 11.6.14.
To resolve this issue, you should downgrade sweetalert2 to version 11.6.13.
sweetalert2: | |
version: 11.6.13 |
This comment was generated by an experimental AI tool.
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
What is the current behavior? (You can also link to an open issue here)
package-lock.json, which can lead to larger disk usage and slower installs due to duplication of dependencies across projects.
What is the new behavior? (You can also link to the ticket here)
pnpm-lock.yaml file ensures consistent dependency versions and faster installs.
Does this PR introduce a breaking change?
Screenshots (If appropriate)