Hi Jacopo,
Actually it's been a long time since I have used my fork, I'll do that.
I just noticed a point that seems to confirm that the recent results are due to the missing
<<package-ecosystem: "projectmgr">>
Without this last change Dependabot will continue not to check the
current configuration.
For instance at https://github.com/apache/ofbiz-plugins/actions/runs/24345692854
For the last "npm_and_yarn in /projectmgr/webapp/projectmgr for form-data" run,
Dependabot says that it's "Triggered via dynamic 2 days ago".
I have added it yesterday evening (21h17). I don't know exactly when it will be
taken into account.
I guess, as it is daily, it will be this evening around 21h17.
So I'll wait for that before touching projectmgr again.
Please don't modify .github/dependabot.yml in plugins before that. There is now
a good chance that jsgantt-improved is OK.
TIA
Jacques
On 15/04/2026 at 08:54, Jacopo Cappellato wrote:
Hi Jacques,
Could you please stop using the official repositories for experiments and
trial-and-error attempts?
Over the past couple of days, the project history has become quite messy
due to repeated commits and reverts related to bringing back a single
feature:
aae7fb0ea Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
244da72bb Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
5292829b3 Revert "Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)"
c7d82dd26 Revert "Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)"
5009ffd84 Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
4418368fc Revert "Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)"
7aa8bc59c Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)
As a side note, the change you made to .github/dependabot.yml is not
correct. Over the past few weeks, I have spent significant effort improving
and stabilizing our CI/CD configuration, which was previously incomplete
and unreliable. Please avoid modifying these configurations unless you
fully understand the impact; this includes studying and testing changes in
your own fork before committing them to the main repository. I will fix the
file later today.
Also, please put more care into writing commit messages in a professional
style. They should clearly and concisely describe the changes introduced,
without including personal reasoning or references to discussions.
You are, of course, free to experiment and follow your preferred workflow
in your own fork. However, continuing to push directly to the official
repository without review goes against the collaborative process we are
trying to maintain in this community.
Best regards,
Jacopo
On Tue, Apr 14, 2026 at 9:30 PM Jacques Le Roux via dev <[email protected]> wrote:
Seems not enough. Before reverting, I prefer to wait because the schedule
interval is "daily".
If I have understood correctly, Dependabot needs some time...
On 14/04/2026 at 21:13, Jacques Le Roux via dev wrote:
Mmm no... node_modules is not in repo anyway. I don't get it.
Why does Dependabot still find and use the 2.8.9 jsgantt-improved version
when the package*.json files contain the 3.0.0 version?
I can check that in node_modules when running "npm install" locally.
I think I found the (hopefully only) reason, the <<package-ecosystem:
"projectmgr">> was removed with
https://github.com/apache/ofbiz-plugins/commit/e9a5e7b954b7c6cedfbf01e2e267e04cfe8c989a
Trying that one last time, before asking for help.
On 14/04/2026 at 20:32, Jacques Le Roux via dev wrote:
As I'm not quite an npm specialist, I only did an "npm update" (OK for
package*.json)
when an "npm install" was also needed (to update jsgantt.js and the rest).
So in node_modules the 2.8.9 jsgantt-improved version was still there.
I'll try again after using "npm update". If it does not work this time,
I'll need some help...
Jacques
On 14/04/2026 at 18:53, Jacques Le Roux via dev wrote:
Done,
What's weird about that is that npm and Dependabot are both GH
creations.
Must be an error between one chair and one keyboard, or npm and
Dependabot are not in sync.
Jacques
On 14/04/2026 at 18:45, Jacques Le Roux wrote:
Hi,
Despite updating jsgantt-improved to version 3.0.0 through npm,
Dependabot is still reporting:
<<Dependabot cannot update form-data to a non-vulnerable version
The latest possible version that can be installed is 2.3.3 because of the following conflicting dependencies:
[email protected] requires form-data@~2.3.2 via a transitive dependency [email protected]
No patched version available for form-data
The earliest fixed version is 2.5.5.>>
This is in contradiction with the answer at
https://github.com/jsGanttImproved/jsgantt-improved/issues/384
I'll revert again and confront Mario Mol with that.
Jacques
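For reference, an added example (not the OFBiz repository's own file, and not code from anyone in the thread) of the kind of Dependabot v2 entry the messages above are arguing about. In the dependabot.yml schema, the ecosystem name ("npm") goes in package-ecosystem and the path to the manifest goes in directory; it is assumed here that the projectmgr package.json and lockfile live at /projectmgr/webapp/projectmgr, the path shown in the Actions run name quoted above.

```yaml
# Added example: .github/dependabot.yml entry for the projectmgr plugin's npm manifest.
# Assumed manifest location: /projectmgr/webapp/projectmgr (taken from the run name in the thread).
version: 2
updates:
  - package-ecosystem: "npm"                    # ecosystem identifier, not the plugin name
    directory: "/projectmgr/webapp/projectmgr"  # directory containing package.json / package-lock.json
    schedule:
      interval: "daily"                         # the "daily" interval mentioned in the thread
    open-pull-requests-limit: 5                 # cap on concurrent Dependabot PRs for this entry
```

Dependabot resolves versions from the manifest and lockfile it finds in directory, never from a local node_modules tree, so if no entry covers that directory the plugin's dependencies are simply not scanned and no security updates are opened for it.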