This experiment illustrates a possible issue with committing `package-lock.json` as we had agreed in [[1]](https://lists.apache.org/thread.html/7f92561d382f143aaf49e083bbe215dcf95a3f4d8b6e3cbb6089a5f3@%3Cdev.cordova.apache.org%3E) and [[2]](https://github.com/apache/cordova/issues/4):
When updating `package-lock.json`, npm does not seem to be so smart about checking if any lower-level dependencies should be updated. The commits in this PR illustrate my observation:

* Step 1 (9dde220288957eb0bb75ca80414279bbe88407ef) - commit `package-lock.json` after `npm install` - shows some `npm audit` issues due to old [email protected] as explicitly required by [email protected]
* Step 2 (91dce4301aeffe353d8b7e6ad8464f8140e19d13) - `npm install cordova-lib@^9.0.0-nightly` (just a test) - then `npm audit` issues continue to show up even though old request version 2.79.0 is no longer needed
* Step 3 (06bf9d583a28f3ef71c3fdacf967d738ae87f799) - remove committed `package-lock.json`
* Step 4 (d4184bf927d522b0e8796d0698a1b3885894dde0) - commit new `package-lock.json` after `npm install --package-lock-only` - now with no more `npm audit` warnings

After step 2 (91dce4301aeffe353d8b7e6ad8464f8140e19d13), `npm audit` gave me the following suggestion:

* Run `npm update request --depth 2` to resolve 5 vulnerabilities

While this suggestion should be able to resolve the warnings, I really find this process to be a bit clumsy and non-intuitive.

[1] <https://lists.apache.org/thread.html/7f92561d382f143aaf49e083bbe215dcf95a3f4d8b6e3cbb6089a5f3@%3Cdev.cordova.apache.org%3E>
[2] <https://github.com/apache/cordova/issues/4>

[ Full content available at: https://github.com/apache/cordova-cli/pull/325 ]

This message was relayed via gitbox.apache.org for [email protected]
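The behaviour described in the PR (a committed lockfile keeps an old transitive pin that still satisfies every declared range, so `npm install` leaves it alone while a regenerated lockfile picks a newer release) can be checked without deleting and regenerating the lock. The script below is an added example, not code from the cordova-cli PR or from npm: it walks a lockfile in the v1 layout (top-level `dependencies`, each entry with `version`, `requires` and optional nested `dependencies`), resolves every `requires` edge to the nearest enclosing entry the way npm's nested layout does, and lists pins for which a newer version would still satisfy all dependents, plus entries nothing requires at all. The lockfile, the root `package.json` ranges and the registry snapshot are constructed inline; the package names `example-lib`, `sub-dep` and `leftover` and all versions other than request 2.79.0 are hypothetical, and the semver support covers only exact, `^`, `~`, `>=` and `*` ranges.

```javascript
// Added example (not from the cordova-cli PR or from npm). Finds lockfile pins
// that a fresh `npm install --package-lock-only` would move forward.
// Assumes the v1 package-lock.json layout and an offline registry snapshot
// (name -> published versions) in place of a registry query.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal semver range check: exact, "^x.y.z", "~x.y.z", ">=x.y.z" and "*".
function satisfies(version, range) {
  if (range === '*' || range === '') return true;
  const op = /^(\^|~|>=)?(\d+\.\d+\.\d+)$/.exec(range);
  if (!op) throw new Error(`unsupported range: ${range}`);
  const [, prefix, base] = op;
  const cmp = compareVersions(version, base);
  if (!prefix) return cmp === 0;
  if (cmp < 0) return false;
  if (prefix === '>=') return true;
  const [v, b] = [parseVersion(version), parseVersion(base)];
  if (prefix === '~') return v[0] === b[0] && v[1] === b[1];
  // caret: same major; for 0.x same minor; for 0.0.x exact patch
  if (b[0] !== 0) return v[0] === b[0];
  if (b[1] !== 0) return v[0] === 0 && v[1] === b[1];
  return cmp === 0;
}

// One record per lock entry, with the ranges every dependent declares for it.
// A "requires" edge resolves to the nearest enclosing scope that holds the
// name (the entry's own nested deps, then its parent's, ... then top level).
function collectPins(lock, rootRequires) {
  const pins = [];
  const index = new Map(); // lock entry object -> record
  function register(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const rec = { path: [...path, name].join(' > '), name, version: entry.version, ranges: [] };
      index.set(entry, rec);
      pins.push(rec);
      register(entry.dependencies, [...path, name]);
    }
  }
  register(lock.dependencies, []);
  const resolve = (scopes, name) => {
    for (const s of scopes) if (s && s[name]) return index.get(s[name]);
    return undefined;
  };
  function link(requires, scopes, from) {
    for (const [name, range] of Object.entries(requires || {})) {
      const rec = resolve(scopes, name);
      if (!rec) throw new Error(`${from} requires ${name} but the lock has no entry for it`);
      rec.ranges.push({ from, range });
    }
  }
  link(rootRequires, [lock.dependencies], 'root');
  function walk(deps, scopes, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const inner = [entry.dependencies, ...scopes];
      link(entry.requires, inner, [...path, name].join(' > '));
      walk(entry.dependencies, inner, [...path, name]);
    }
  }
  walk(lock.dependencies, [lock.dependencies], []);
  return pins;
}

// Pins where the registry has a newer version that still satisfies every
// dependent's range: exactly what a regenerated lockfile would pick instead.
function findStalePins(lock, rootRequires, registry) {
  const out = [];
  for (const rec of collectPins(lock, rootRequires)) {
    if (rec.ranges.length === 0) continue;
    const candidates = (registry[rec.name] || [])
      .filter((v) => compareVersions(v, rec.version) > 0)
      .filter((v) => rec.ranges.every((r) => satisfies(v, r.range)))
      .sort(compareVersions);
    if (candidates.length) {
      out.push({
        path: rec.path, pinned: rec.version, latest: candidates[candidates.length - 1],
        requiredBy: rec.ranges.map((r) => `${r.from} (${r.range})`),
      });
    }
  }
  return out;
}

// Entries nothing requires any more (what `npm prune` would drop).
function findOrphans(lock, rootRequires) {
  return collectPins(lock, rootRequires).filter((rec) => rec.ranges.length === 0);
}

// Constructed sample data (hypothetical names and versions except request 2.79.0).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'example-lib': {
      version: '9.0.0', requires: { request: '^2.79.0', 'sub-dep': '^1.0.0' },
      dependencies: { 'sub-dep': { version: '1.0.0', requires: {} } },
    },
    request: { version: '2.79.0', requires: { 'sub-dep': '~2.3.0' } },
    'sub-dep': { version: '2.3.4', requires: {} },
    leftover: { version: '1.0.0', requires: {} },
  },
};
const SAMPLE_ROOT = { 'example-lib': '^9.0.0' };
const SAMPLE_REGISTRY = {
  'example-lib': ['8.0.0', '9.0.0'],
  request: ['2.79.0', '2.88.0'],
  'sub-dep': ['1.0.0', '1.2.0', '2.3.4', '2.3.9', '2.4.3'],
  leftover: ['1.0.0'],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findStalePins(SAMPLE_LOCK, SAMPLE_ROOT, SAMPLE_REGISTRY));
  console.log(findOrphans(SAMPLE_LOCK, SAMPLE_ROOT).map((r) => r.path));
}
```

On the constructed data the top-level `request` pin (2.79.0) is reported as stale because 2.88.0 still satisfies `^2.79.0`, which is the situation step 2 of the PR describes: nothing forces npm to replace the pin, so only deleting the lock (or an explicit `npm update request --depth 2`) moves it. The nested `example-lib > sub-dep` entry is resolved in its own scope and judged against `^1.0.0`, independently of the top-level `sub-dep` that `request` holds at `~2.3.0`.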
