
[svengbr] Differences in package-lock.json from nodejs

Your Question

Following instructions from https://github.com/corona-warn-app/cwa-website#getting-started I downloaded version 14.15.0 LTS (includes npm 6.14.8) from https://nodejs.org/en/ then ran npm install, which prompted me to install security fixes, and I did that.

This has updated package-lock.json to have different values from the https://github.com/corona-warn-app/cwa-website/blob/master/package-lock.json in the master branch.

How can these differences be reconciled? Do I need to install a different version of nodejs or does master need updating with security patches?

Here is a snippet of differences:

     "bl": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/bl/-/bl-1.2.2.tgz",
-      "integrity": "sha512-e8tQYnZodmebYDWGH7KMRvtzKXaJHx3BbilrgZCfvyLUYdKpK1t5PSPmpkny/SgiTSCnjfLW7v5rlONXVFkQEA==",
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-1.2.3.tgz",
+      "integrity": "sha512-pvcNpa0UU69UT341rO6AYy4FVAIkUHuZXRIWbq+zHnsVcRzDDjIAhGuuYoi0d//cwIwtt4pkpKycWEfjdV+vww==",
       "requires": {
         "readable-stream": "^2.3.5",
         "safe-buffer": "^5.1.1"
       }
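Review bot: the three fields that move in this hunk (`version`, `resolved`, `integrity`) change together and the `requires` block is untouched, so this is a self-contained bump of `bl` from 1.2.2 to 1.2.3 rather than a change to the resolution tree; commit it as a lockfile-only dependency update so the security fix is reviewable on its own, and note that the new `resolved` URL still points at registry.npmjs.org, which is the check a reviewer should make for every `resolved` line in the full git_diff.txt.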

git diff output is attached.

git_diff.txt
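A small checker for the kind of lockfile drift described in this question, added here as an example and not code from the cwa-website repository; it assumes npm's lockfileVersion 1 layout (the format npm 6 writes), reuses the bl entry from the diff above, and adds a constructed second package (`example-pkg`, hypothetical) to show the case a reviewer should question.

```javascript
// Added example, not code from the cwa-website project: walk two lockfileVersion 1
// package-lock.json trees (the format npm 6 writes) and report per-package changes,
// flagging entries whose version, integrity and resolved fields do not move together.
function walk(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const key = prefix ? `${prefix} > ${name}` : name; // nested copies keyed by path
    out.set(key, entry);
    walk(entry.dependencies, key, out);
  }
  return out;
}

function registryHost(resolved) {
  try { return new URL(resolved).host; } catch (e) { return null; }
}
function diffLockfiles(oldLock, newLock) {
  const before = walk(oldLock.dependencies, "", new Map());
  const after = walk(newLock.dependencies, "", new Map());
  const changes = [];
  for (const name of [...new Set([...before.keys(), ...after.keys()])].sort()) {
    const a = before.get(name), b = after.get(name);
    if (!a) { changes.push({ name, kind: "added", to: b.version, flags: [] }); continue; }
    if (!b) { changes.push({ name, kind: "removed", from: a.version, flags: [] }); continue; }
    const versionChanged = a.version !== b.version;
    const integrityChanged = a.integrity !== b.integrity;
    if (!versionChanged && !integrityChanged && a.resolved === b.resolved) continue;
    // A clean bump changes version, tarball URL and hash together; anything else deserves a look.
    const flags = [];
    if (versionChanged && !integrityChanged) flags.push("version changed but integrity did not");
    if (!versionChanged && integrityChanged) flags.push("integrity changed for the same version");
    if (registryHost(a.resolved) !== registryHost(b.resolved)) flags.push("resolved host changed");
    changes.push({ name, kind: "changed", from: a.version, to: b.version, flags });
  }
  return changes;
}
// Constructed sample input: the bl entry from the issue's diff, plus a made-up package
// whose integrity hash changed although its version did not (the case worth questioning).
const OLD_LOCK = { lockfileVersion: 1, dependencies: {
  bl: { version: "1.2.2", resolved: "https://registry.npmjs.org/bl/-/bl-1.2.2.tgz",
    integrity: "sha512-e8tQYnZodmebYDWGH7KMRvtzKXaJHx3BbilrgZCfvyLUYdKpK1t5PSPmpkny/SgiTSCnjfLW7v5rlONXVFkQEA==" },
  "example-pkg": { version: "2.0.0", resolved: "https://registry.npmjs.org/example-pkg/-/example-pkg-2.0.0.tgz", integrity: "sha512-CONSTRUCTED-old" },
} };
const NEW_LOCK = { lockfileVersion: 1, dependencies: {
  bl: { version: "1.2.3", resolved: "https://registry.npmjs.org/bl/-/bl-1.2.3.tgz",
    integrity: "sha512-pvcNpa0UU69UT341rO6AYy4FVAIkUHuZXRIWbq+zHnsVcRzDDjIAhGuuYoi0d//cwIwtt4pkpKycWEfjdV+vww==" },
  "example-pkg": { version: "2.0.0", resolved: "https://registry.npmjs.org/example-pkg/-/example-pkg-2.0.0.tgz", integrity: "sha512-CONSTRUCTED-new" },
} };
console.log(diffLockfiles(OLD_LOCK, NEW_LOCK));
```

To use it on real files, replace the two constants with `JSON.parse(fs.readFileSync(path))` of the committed and the locally regenerated package-lock.json.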

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (6 by maintainers)

Top GitHub Comments

1 reaction
svengabr commented, Nov 20, 2020

@MikeMcC399 thanks for your detailed input!

I have had this on my desk to fix the dependencies for quite some time now. Yesterday I already increased the bl version here.

I have updated the package-lock.json and no more warnings appear for me now.

Pull Request: https://github.com/corona-warn-app/cwa-website/pull/606

0 reactions
MikeMcC399 commented, Jan 9, 2021

Closing, since this issue is a mixture of several different topics. Dependabot alerts need to be addressed as a matter of routine by the repo maintainer.
