abmaonline/aemfed

Enhancement Request: Pin aemsync and less-tree to versioned packages

jstirnaman opened this issue · 6 comments

Aemfed has 2 dependencies (aemsync and less-tree) that point to GitHub URLs of tarball files for a specific commit. Since these are compiled commits and not a specific version, our corporate NPM registry intake has no way of scanning the dependency for vulnerabilities and therefore cannot know for certain if they are safe to use.

In our project we are facing a similar issue, hence the deployment is failing, as the deployment agency has added a check to allow "All dependencies from NPM Registry only".
They also asked us to remove the package and use some other alternative which doesn't have GitHub dependencies.

@abmaonline - could you please suggest as to what can be done?

Thanks,

@abmaonline this is actually a concerning issue. Any reason for the use of GitHub URLs as opposed to published NPM modules?

@skbhardwaj aemfed is a development tool only, this means you can remove it from your package.json and install it globally on your local machine: npm install -g aemfed and then use it only locally on your developer machine without it ever making it to your CI/CD build.

@ahmed-musallam Problems with global install:

  • doesn't solve the core issue - our internal repo prevents me from depositing it without a published build.
  • doesn't scale easily for teams where we'd prefer configuration as code.

Yes. I suggested it as a work-around :)

These tarballs start to create a lot of issues. Let me check if I can merge the changes back into the original projects or otherwise publish them as custom npm packages.

Just published a release candidate with scoped npm packages instead of tarballs for the customized modules. Maybe you could give it a try and let me know if it solves the issue?

Please use npm install aemfed@next to install the latest release candidate (or npm install aemfed@0.1.2-rc.0 when you want to be explicit).
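The check the registry intake in this thread is effectively performing, written out as an added example (not code from aemfed or from anyone in this thread): it walks a package.json object and flags every dependency spec that bypasses the npm registry, i.e. git or tarball URLs, GitHub shorthand and local paths. The manifest below is a constructed sample with placeholder URLs, not aemfed's real package.json.

```javascript
// Patterns that mark a dependency spec as resolved outside the npm registry.
const NON_REGISTRY_PATTERNS = [
  /^(https?|git|git\+\w+|ssh):\/\//i, // URL to a tarball or a git repository
  /^(github|gitlab|bitbucket|gist):/i, // hosted-git shorthand with explicit prefix
  /^(file|link):/i,                    // local filesystem references
  /^(\.\.?\/|\/|~\/)/,                 // relative or absolute paths
  /\.(tgz|tar\.gz)$/i,                 // bare tarball reference
  /^[\w.-]+\/[\w.-]+(#.*)?$/,          // bare "owner/repo[#ref]" GitHub shorthand
];

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// A spec is registry-resolved unless it matches one of the patterns above.
// "npm:pkg@range" aliases still resolve through the registry, so they pass.
function isRegistrySpec(spec) {
  if (spec.startsWith('npm:')) return true;
  return !NON_REGISTRY_PATTERNS.some((re) => re.test(spec));
}

// Returns one finding per non-registry spec across all dependency fields.
function findNonRegistryDeps(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isRegistrySpec(String(spec))) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Constructed sample manifest modelled on the situation described in the issue;
// the GitHub URL and org name are placeholders, not aemfed's actual values.
const SAMPLE_MANIFEST = {
  dependencies: {
    aemsync: 'https://github.com/example-org/aemsync/tarball/PLACEHOLDER_COMMIT',
    'less-tree': 'example-org/less-tree#main',
    chalk: '^4.1.0',
    'my-alias': 'npm:left-pad@^1.3.0',
  },
  devDependencies: { eslint: '~8.0.0', localtool: 'file:../localtool' },
};

// Report each offending spec; a CI gate would fail the build when any are found.
for (const f of findNonRegistryDeps(SAMPLE_MANIFEST)) {
  console.log(`non-registry dependency: ${f.field}.${f.name} -> ${f.spec}`);
}
```

Run against a real project with `JSON.parse(fs.readFileSync('package.json'))` in place of the sample; the same logic applied to package-lock.json's `resolved` fields catches transitive tarball dependencies that the top-level manifest does not show.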