magjac/graphviz-visual-editor

Update `package-lock.json` file to latest version?

mbrukman opened this issue · 4 comments

Thanks for building and releasing this app! It has really made it much more enjoyable to edit Graphviz files with the live preview, and the smooth animations are a really nice touch.

When running npm install on a fresh clone of the repo (as per the instructions in README.md), I get the following warnings:

```console
$ npm install
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
[... other warnings ...]
```

Would you accept a change to update package-lock.json? It's a massive auto-generated change that's hard to review, so if you'd prefer to ensure it's appropriately generated (i.e., trustworthy), maybe you want to commit a version that you generated yourself?

As additional motivation for this change: I also see a lot of warnings of libraries being unmaintained, deprecated, etc., so it would make sense to update them as well, but seems like the first thing to do would be to update package-lock.json, as follow-up changes would also want to modify that file, and it would be good to separate the very large one-time update to the file from the incremental changes.

Thoughts?

Thank you so much for the kind words. It always makes me happy to hear I'm not the only user.

Thanks for offering to help. I however prefer to do it myself. I haven't been able to give this application enough love the last year, but I plan to update to the latest Graphviz version and make a new release very soon. I'll update the dependencies as well.

FYI, @magjac, if you haven't had a chance to do the upgrades yet, please take a look at the auto-generated PRs to update package versions from GitHub's Dependabot:

They are usually correct (I've gotten a bunch of these on my repo, and haven't seen any issues with them yet), and if any PRs are out-of-date, just comment with @dependabot rebase and the bot will do it, at which point your CI will re-run with the latest changes.

Let me know if I can help!

I tried to do a full npm update, but CI failed. I've instead merged a package-lock.json from a fresh "npm install". I guess this means that some of the dependabot PRs will become obsolete. Hopefully they will come back with updates that I can merge.

I see you've started merging some PRs from @dependabot, so I guess things are OK now?

I think your merging of a newly-created package-lock.json addresses my original request in this issue, so I am going to close it. Going forward, you'll also get incremental package version updates via @dependabot; however, since your dependencies are marked with ^, you'll only get minor patch updates; if there are any major releases that need to be installed, you'll need to do that upgrading and testing manually—which is a good thing, as they may have breaking changes.

Thanks again for sharing this project!