Github dependabot found potential security vulnerabilities in My dependencies.
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
I don't know how to fix it. What should I do?
Origin: https://github.com/substack/minimist/issues/164
Fix Resolution: minimist - 1.2.6
Install npm-force-resolutions:
npx npm-force-resolutions
then Add field resolutions with the dependency version you want to fix to your package.json file. It modifies package-lock.json to force the installation of a specific version of a transitive dependency.
"resolutions": {
"minimist": "1.2.6"
}
Related
I am setting up github actions, and struggling to see how to handle the dependencies of a particular action.
Below is a simplified view of my repository setup, with the action and workflow YAML files as I currently understand them.
my-org/my-tool#master: a specific tool in my organisation that I want to enable as a github action
package.json
tool.js: the tool, depending on npm packages described in package.json
action.yml
name: my-tool
inputs:
file:
description: file to be processed by my-tool
required: true
runs:
using: node16
main: tool.js
my-org/my-code#branch: a code repository where I want to run the tool as an action
my-code.js: some code that needs to be processed by the tool
.github/workflows/use-tool.yml:
# ...
jobs:
tool:
steps:
- uses: my-org/my-tool#master
with:
file: my-code.js
# ...
If my-tool has no dependencies, this setup works well enough. But my-tool needs to have dependencies installed to function properly, i.e., a single npm install in its root directory. How do I specify this dependency in a github action setup?
I have multiple options, none of which are truly satisfying to me:
I can define a workflow that checks out my-tool, installs the dependencies, and then runs it. However, I don't want that logic to be in the workflow yaml of the my-code repository, as I have multiple similar repositories, all of which require my-tool, which will result in duplication. I don't see how to do this in the action.yml file itself. It seems I have to choose between a javascript action to run node tools, or a composite action to run shell tools.
I can bundle the node_modules directory in the my-tool repository; this bloats my repos unnecessarily.
I can bundle an ncc distribution of my-tool in its repo; same problem.
I can define and build a container image of my-tool with its dependencies installed, and use a container action to run the tool on my-code. This seems like overhead to me, and I have no idea how this container would access the files from the my-org/my-code repo (which would be its core purpose).
Options 2 and 3 are the ones described in the example published by github. I would be happy with using an artifact (either node_modules dir or ncc distribution) as the basis for an action, but there seems to be no way to do this.
My specific use case concerns npm dependencies, but there seems to be a generic use case for "action with dependencies", support for which is unclear to me from reading the documentation. I can't be the only dev in the world working with a toolset with dependencies of its own. Maybe I am looking at this setup in the wrong way. Is there a best practice for actions with dependencies? Is there a best practice to only have actions with zero dependencies?
I look forward to learn from any partial answer or suggestion.
I am working on a project that depends on CMake. When I download CMake and I add it to the root of the repo I still have the same error.
CMake is a pre-requisite to build this repository but it was not found on the path.
Please install CMake from http://www.cmake.org/download/ and ensure it is on your path.
Where and how should I add CMake to the project?
While I don't know what you mean by repo, after searching for the error message
CMake is a pre-requisite to build this repository but it was not found on the path.
It seems you are working with dotnet/corefx or an older version of dotnet/coreclr.
Indeed, it looks like a problem similar to yours has been fixed on May 30, see commit entitled Improve CMake detection on Windows when not in PATH here: https://github.com/dotnet/corefx/issues/28799
I am trying to install a Ionic 2 template.
Following the readme gets until the point where I need to install typings dependencies. After the installation of the typings CLI with npm install typings --global, I should install all the dependencies stated in the typings.json package (already provided by the template in the project folder).
This is how the typings.json file looks like:
{
"dependencies": {},
"devDependencies": {},
"ambientDependencies": {
"cordova": "registry:dt/cordova#0.0.0+20160316155526",
"cordova/plugins/statusbar": "registry:dt/cordova/plugins/statusbar#0.0.0+20160316155526",
"es6-shim": "github:DefinitelyTyped/DefinitelyTyped/es6-shim/es6-shim.d.ts#4de74cb527395c13ba20b438c3a7a419ad931f1c"
}
}
As stated in the title, it gives me No dependencies as output and it doesn not install anything contained in that config file.
Could it be something related to having installed typings with sudo as a global package? Maybe it is looking for a config file in another directory?
Thanks!
This is most likely the update from 0.* to 1.*. Check the release notes
https://github.com/typings/typings/releases/tag/v1.0.0
Changes
Many breaking changes (see https://github.com/typings/core/releases/tag/v1.0.0)
Renamed ambient to global
Updated typings/ directory structure (removed browser.d.ts by default, should use typings/index.d.ts by default)
Killed defaultAmbientSource (no more auto-install of DefinitelyTyped when using --ambient, explicitly use dt~)
Replace ! parser expansion symbol with ~ (! is a reserved bash symbol)
Ability to specify different resolutions and output directories using resolution in typings.json
Using tslint-config-standard for linting rules
Fixing it for me was just replacing "devDependencies" with "globalDependencies" in my typings.json.
I had the same problem. I had to install node.js again (there was a newer version when I installed it again, 6.2.0) with the installer, node-sass with npm (I don't know if you need this one) and then the installation of typings worked.
I am trying to use components from http://react-components.com (eg. react-youtube) in Reagent based application, but probably my naive approach is not the right one. I tried to install NPM packages with lein-npm module, include script in html page and use them via reagent/adapt-react-class as in this SO question. But for except this sample I wasn't successful.
Usually I get errors like "require/import/module is not defined" or "Youtube is undefined" (by having (def yt-test [] (r/adapt-react-class js/Youtube)). I am confused about what is needed to do. I read something about webpack/browserify, saw cljsjs packages - are those required in order to make this working?
I wrote a step by step guide on how to achieve this with webpack:
blob.tomerweller.com/reagent-import-react-components-from-npm
The general concept is the same as #scttnlsn suggested: bundle all npm packages in an external JS file and expose them through the global window object.
Those components are packaged as CommonJS modules. One approach for accessing CommonJS modules from ClojureScript is to bundle them into a single JavaScript file that can be included with your ClojureScript build.
You'll need to create a JavaScript entry point file which requires your various NPM dependencies and exposes them to ClojureScript (for example, by setting them on window). Create a file (let's call it index.js) containing:
window.YouTube = require('react-youtube');
Then use a tool like Browserify to bundle your entry point file and all of the dependencies it requires:
npm install -g browserify
browserify index.js --standalone window > bundle.js
Include bundle.js in your ClojureScript build and you'll be able to access the React component from ClojureScript via js/YouTube
I am currently creating a portable consolidation of my workflow using Node-Webkit which has node.js embedded. Now my problem is getting grunt/gulp inside the project itself as it depends on the cli somewhat(avoidable, granted), and also is confusing to me on the architecture. Is it possible to find just a .js with grunt in it to include much like Jquery/Handlebars?
Is this all I need to just include and run?
No before that make sure you environment is up, get the package.json, GruntFile.js file. In GruntFile.js you can specify what you want to pre-process. For example jade,Less,coffee. It looks very much like a node function, for sample you can refer to link
Now to make this work you also need to install various contrib plugins as per your requirement. Then register every single task in GruntFile.js. It really speeds up the development.
grunt.loadNpmTasks('grunt-contrib-less');
grunt.loadNpmTasks('grunt-contrib-jade');
grunt.loadNpmTasks('grunt-contrib-coffee');
grunt.registerTask('test', ['jade', 'less','coffee']);
So to process less,jade,coffee, we need to run the module installations such as
npm install grunt --save-dev
npm install grunt <module name> --save-dev
There are many more interesting configurations to learn and documentation is really nice, please refer to getting started guide
This adds the required Grunt and grunt plugins to package.json