
npx and installed version work differently #32

Closed
antongolub opened this issue Sep 12, 2020 · 1 comment
Labels: bug (Something isn't working), released

@antongolub (Owner) commented:
antongolub@mbp release-testing % yarn-audit-fix --package-lock-only
Preparing temp assets...
Generating package-lock.json from yarn.lock...
Applying npm audit fix...
invoke /usr/local/lib/node_modules/yarn-audit-fix/node_modules/.bin/npm audit fix --package-lock-only --prefix=/Users/antongolub/projects/release-testing/node_modules/.cache/yarn-audit-fix

up to date, audited 1395 packages in 5s

# npm audit report

dot-prop  <4.2.1 || >=5.0.0 <5.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1213
fix available via `npm audit fix`
node_modules/compare-func/node_modules/dot-prop
  compare-func  <=1.3.2 || 1.3.4
  Depends on vulnerable versions of dot-prop
  node_modules/compare-func

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix`
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/os-locale
    yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/@iarna/cli/node_modules/yargs
      @iarna/cli  <=1.2.0
      Depends on vulnerable versions of yargs
      node_modules/@iarna/cli
        lock-verify  <=1.1.0 || >=2.2.0
        Depends on vulnerable versions of @iarna/cli
        node_modules/lock-verify

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/@iarna/cli/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/@iarna/cli/node_modules/yargs
    @iarna/cli  <=1.2.0
    Depends on vulnerable versions of yargs
    node_modules/@iarna/cli
      lock-verify  <=1.1.0 || >=2.2.0
      Depends on vulnerable versions of @iarna/cli
      node_modules/lock-verify

8 vulnerabilities (6 low, 2 high)

To address all issues, run:
  npm audit fix
{
  status: 1,
  signal: null,
  output: [ null, null, null ],
  pid: 23108,
  stdout: null,
  stderr: null
}
antongolub@mbp release-testing % sudo npm uninstall -g yarn-audit-fix
removed 376 packages in 2.033s
antongolub@mbp release-testing % npx yarn yarn-audit-fix
yarn run v1.22.4
error Command "yarn-audit-fix" not found.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
antongolub@mbp release-testing % yarn add -D -W yarn-audit-fix
yarn add v1.22.4
[1/4] 🔍  Resolving packages...
warning yarn-audit-fix > synp > [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 🔨  Building fresh packages...
success Saved lockfile.
success Saved 27 new dependencies.
info Direct dependencies
└─ [email protected]
info All dependencies
├─ @npmcli/[email protected]
...
├─ [email protected]
└─ [email protected]
✨  Done in 12.27s.
antongolub@mbp release-testing % yarn-audit-fix --package-lock-only
Preparing temp assets...
Generating package-lock.json from yarn.lock...
Applying npm audit fix...
invoke /Users/antongolub/projects/release-testing/node_modules/.bin/npm audit fix --package-lock-only --prefix=/Users/antongolub/projects/release-testing/node_modules/.cache/yarn-audit-fix
npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
added 6 packages, removed 250 packages and updated 1425 packages in 6.517s
fixed 55 of 73 vulnerabilities in 1760 scanned packages
  18 vulnerabilities required manual review and could not be updated
Updating yarn.lock from package-lock.json...
invoke yarn --update-checksums
yarn install v1.22.4
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 🔨  Building fresh packages...
success Saved lockfile.
✨  Done in 5.22s.
Done
antongolub@mbp release-testing % 
@antongolub antongolub added the bug Something isn't working label Sep 12, 2020
@antongolub antongolub self-assigned this Sep 12, 2020
antongolub added a commit that referenced this issue Sep 12, 2020
closes #32

BREAKING CHANGE: --inherit-npm flag was replaced with --npm-v7
antongolub added a commit that referenced this issue Sep 12, 2020
# [3.0.0](v2.3.0...v3.0.0) (2020-09-12)

### Bug Fixes

* fix npm resolving when launched through npx ([e1339e2](e1339e2)), closes [#32](#32)

### Features

* print runtime digest ([631897e](631897e))

### BREAKING CHANGES

* --inherit-npm flag was replaced with --npm-v7
@antongolub (Owner, Author) commented:

🎉 This issue has been resolved in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
