Hi Jacques,

Could you please stop using the official repositories for experiments and
trial-and-error attempts?

Over the past couple of days, the project history has become quite messy
due to repeated commits and reverts related to bringing back a single
feature:

aae7fb0ea Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
244da72bb Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
5292829b3 Revert "Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)"
c7d82dd26 Revert "Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)"
5009ffd84 Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
4418368fc Revert "Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)"
7aa8bc59c Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)

As a side note, the change you made to .github/dependabot.yml is not
correct. Over the past few weeks, I have spent significant effort improving
and stabilizing our CI/CD configuration, which was previously incomplete
and unreliable. Please avoid modifying these configurations unless you
fully understand the impact; this includes studying and testing changes in
your own fork before committing them to the main repository. I will fix the
file later today.

Also, please put more care into writing commit messages in a professional
style. They should clearly and concisely describe the changes introduced,
without including personal reasoning or references to discussions.

You are, of course, free to experiment and follow your preferred workflow
in your own fork. However, continuing to push directly to the official
repository without review goes against the collaborative process we are
trying to maintain in this community.

Best regards,
Jacopo

On Tue, Apr 14, 2026 at 9:30 PM Jacques Le Roux via dev <
[email protected]> wrote:

> Seems not enough. Before reverting, I prefer to wait because the schedule
> interval is "daily".
> If I have understood correctly, Dependabot needs some time...
>
> On 14/04/2026 at 21:13, Jacques Le Roux via dev wrote:
> > Mmm no... node_modules is not in repo anyway. I don't get it.
> > Why does Dependabot still find and use the 2.8.9 jsgantt-improved version
> > when the package*.json contain the 3.0.0 version?
> > I can check that in node_modules when running "npm install" locally.
> >
> > I think I found the (hopefully only) reason, the
> > <<package-ecosystem: "projectmgr">> was removed with
> > https://github.com/apache/ofbiz-plugins/commit/e9a5e7b954b7c6cedfbf01e2e267e04cfe8c989a
> >
> > Trying that a last time, before asking for help
> >
> > On 14/04/2026 at 20:32, Jacques Le Roux via dev wrote:
> >> As I'm not quite an npm specialist, I only made a "npm update" (OK for
> >> package*.json)
> >> when a "npm install" was also needed (to update jsgantt.js and the rest)
> >> So in node_modules the 2.8.9 jsgantt-improved version was still there.
> >>
> >> I'll try again after using "npm update". If it does not work this time,
> >> I'll need some help...
> >>
> >> Jacques
> >>
> >> On 14/04/2026 at 18:53, Jacques Le Roux via dev wrote:
> >>> Done,
> >>>
> >>> What's weird about that is that npm and Dependabot are both GH
> >>> creations.
> >>> Must be an error between one chair and one keyboard, or npm and
> >>> Dependabot are not in sync.
> >>>
> >>> Jacques
> >>>
> >>> On 14/04/2026 at 18:45, Jacques Le Roux wrote:
> >>>> Hi,
> >>>>
> >>>> Despite updating jsgantt-improved to version 3.0.0 through npm,
> >>>> Dependabot is still reporting:
> >>>>
> >>>>    <<Dependabot cannot update form-data to a non-vulnerable version
> >>>>    The latest possible version that can be installed is 2.3.3 because of the
> >>>>    following conflicting dependencies: [email protected]
> >>>>    requires form-data@~2.3.2 via a transitive dependency on [email protected]
> >>>>    No patched version available for form-data The earliest fixed version is
> >>>>    2.5.5.>>
> >>>>
> >>>> This is in contradiction with the answer at
> >>>> https://github.com/jsGanttImproved/jsgantt-improved/issues/384
> >>>>
> >>>> I'll revert again and confront Mario Mol with that.
> >>>>
> >>>> Jacques
> >>>>
>
