build-frontend/npm fails to update the package-lock.json completely (when updating Vaadin)
Description of the bug
Backstory:
We recently switched from Vaadin 14.4.3 to 14.4.8 in https://github.com/xdev-software/vaadin-date-range-picker/pull/63. We expected that this also closes the following security alert: https://github.com/xdev-software/vaadin-date-range-picker/pull/55
Dependabot created a PR, where it updated the Vaadin version in the `pom.xml`, however we still have to update the `package.json` and `package-lock.json` manually, because dependabot can't do that.
So I checked out the branch and executed `mvn clean install -Pproduction`. This updated the `package.json`. But it looks like it failed to update the `package-lock.json` completely.
We only noticed this weird circumstance because the security warning was still there, despite being on the (then) latest Vaadin version.
The problem was solved by deleting `node_modules`, `package.json`, `package-lock.json` and `webpack.config.js` locally and rerunning `mvn clean install -Pproduction`: https://github.com/xdev-software/vaadin-date-range-picker/commit/89c3b86484cf8186a53ff37c3c42d0f5d202ddf6
Minimal reproducible example
- Checkout https://github.com/xdev-software/vaadin-date-range-picker
- Change to the state before the vaadin update occurred: `git checkout 3a7660c`
- Run `mvn clean install -Pproduction` → This should generate the `node_modules`
- Now go to the commit in which dependabot updated the `pom.xml` to 14.4.8: `git checkout 0cc7df6`
- Run `mvn clean install -Pproduction` again. As you see, the `package.json` and `package-lock.json` get updated. However `package-lock.json`'s "ini" dependency should now be on version 1.3.8, but it's just 1.3.5
- But if you delete `package.json`, `package-lock.json`, `node_modules` and `webpack.config.js` and rerun `mvn clean install -Pproduction`, the files are different and the `package-lock.json` is now fully updated as expected.
Expected behavior
- The results of `mvn clean install -Pproduction` in `package-lock.json` should not differ when either
  - having an existing `package.json`/`package-lock.json`
  - or having none
Suggested workaround
- Ignore `package.json`, `package-lock.json` and `webpack.config.js` in git
Versions:
- Vaadin / Flow version: 14.x
- Java version: 11
- OS version: Win 10
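A way to verify the outcome of the steps above, as an added example that is not part of the original issue and not Vaadin's code: it reads the version a `package-lock.json` actually pins for a package (here `ini`) and checks it against the version the alert is fixed in (1.3.8), so a lock file that Maven only partially rewrote is caught before the build is trusted. The two lock file contents are constructed samples, not taken from the repository.

```python
"""Check that package-lock.json really pins a dependency at or above a fixed
version, e.g. after `mvn clean install -Pproduction` has rewritten it.

Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).
"""
import json
import re


def parse_version(v):
    """Turn '1.3.8' into (1, 3, 8); a pre-release suffix such as '-beta' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0])[:3])


def locked_versions(lock_text, pkg):
    """Return every version of `pkg` pinned anywhere in the lock file."""
    lock = json.loads(lock_text)
    found = set()
    # lockfileVersion 2/3: flat map keyed by install path, e.g. "node_modules/ini".
    for path, meta in lock.get("packages", {}).items():
        if path.rsplit("node_modules/", 1)[-1] == pkg and "version" in meta:
            found.add(meta["version"])

    # lockfileVersion 1: nested "dependencies" tree, one level per parent package.
    def walk(deps):
        for name, meta in deps.items():
            if name == pkg and "version" in meta:
                found.add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def lock_satisfies(lock_text, pkg, min_version):
    """True only if `pkg` is present and every pinned copy is >= min_version."""
    versions = locked_versions(lock_text, pkg)
    floor = parse_version(min_version)
    return bool(versions) and all(parse_version(v) >= floor for v in versions)


# Constructed sample: the lock file Maven left behind, still pinning ini 1.3.5
# as a transitive dependency of some (made-up) build tool.
STALE_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"some-build-tool": {"version": "1.0.0",
                                         "dependencies": {"ini": {"version": "1.3.5"}}}},
})
# Constructed sample: the lock file after the clean rebuild, pinning ini 1.3.8.
FRESH_LOCK = json.dumps({"lockfileVersion": 2,
                         "packages": {"node_modules/ini": {"version": "1.3.8"}}})

if __name__ == "__main__":
    for label, text in (("stale", STALE_LOCK), ("fresh", FRESH_LOCK)):
        print(label, sorted(locked_versions(text, "ini")), lock_satisfies(text, "ini", "1.3.8"))
```

Run it against the real lock file with `lock_satisfies(open("package-lock.json").read(), "ini", "1.3.8")` after each `mvn clean install -Pproduction`; a `False` result means the build did not pull the lock file up to the advisory's fixed version.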
Issue Analytics
- Created 3 years ago
- Comments: 5 (4 by maintainers)
Basically Vaadin should in NPM mode (but not for pnpm) clean up the `package-lock.json` and `node_modules` in the case where the Vaadin version has updated by comparing the shrinkwrap versions. This should be done automatically even for bugfix changes.

There is the opposite problem that sometimes new npm packages are broken. If everything was always auto updated then all projects in the world would end up in a broken state immediately when a broken npm package is released.