Github user justinleet commented on a diff in the pull request:
https://github.com/apache/metron/pull/1267#discussion_r235095621
--- Diff: metron-interface/metron-config/package-lock.json ---
@@ -39,50 +39,50 @@
"@angular-devkit/build-webpack": "0.8.3",
"@angular-devkit/core": "0.8.3",
"@ngtools/webpack": "6.2.3",
- "ajv": "6.4.0",
- "autoprefixer": "8.6.5",
- "circular-dependency-plugin": "5.0.2",
- "clean-css": "4.2.1",
- "copy-webpack-plugin": "4.5.2",
- "file-loader": "1.1.11",
- "glob": "7.1.3",
- "html-webpack-plugin": "3.2.0",
- "istanbul": "0.4.5",
- "istanbul-instrumenter-loader": "3.0.1",
- "karma-source-map-support": "1.3.0",
- "less": "3.8.1",
- "less-loader": "4.1.0",
- "license-webpack-plugin": "1.5.0",
- "loader-utils": "1.1.0",
- "mini-css-extract-plugin": "0.4.3",
- "minimatch": "3.0.4",
- "node-sass": "4.9.3",
- "opn": "5.3.0",
- "parse5": "4.0.0",
- "portfinder": "1.0.17",
- "postcss": "6.0.23",
- "postcss-import": "11.1.0",
- "postcss-loader": "2.1.6",
- "postcss-url": "7.3.2",
- "raw-loader": "0.5.1",
- "rxjs": "6.2.2",
- "sass-loader": "7.1.0",
- "semver": "5.5.1",
- "source-map-loader": "0.2.4",
- "source-map-support": "0.5.9",
- "stats-webpack-plugin": "0.6.2",
- "style-loader": "0.21.0",
- "stylus": "0.54.5",
- "stylus-loader": "3.0.2",
- "tree-kill": "1.2.0",
- "uglifyjs-webpack-plugin": "1.3.0",
- "url-loader": "1.1.1",
- "webpack": "4.19.1",
- "webpack-dev-middleware": "3.3.0",
- "webpack-dev-server": "3.1.8",
- "webpack-merge": "4.1.4",
- "webpack-sources": "1.3.0",
- "webpack-subresource-integrity": "1.1.0-rc.6"
+ "ajv": "~6.4.0",
+ "autoprefixer": "^8.4.1",
--- End diff --
Are there any concerns around all of these entries using "^", e.g.
licensing concerns if a dependency changes its license? I'm going to be
entirely honest: my recollection of the exact details of the package-lock and
the whole repeatable builds discussion with npm is hazy at best, so this
question might just be rehashing that older discussion.
---