[FOLIO-3383] avoid sabotaged colors.js > 1.4.0

Created: 10/Jan/22 | Updated: 13/Jan/22 | Resolved: 13/Jan/22

| Field | Value |
|---|---|
| Status | Closed |
| Project | FOLIO |
| Components | None |
| Affects versions | None |
| Fix versions | None |
| Type | Task |
| Priority | P1 |
| Reporter | Zak Burke |
| Assignee | Zak Burke |
| Resolution | Done |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original estimate | Not Specified |
| Issue links | |
| Sprint | DevOps Sprint 131 |
| Development Team | FOLIO DevOps |
Description

Summary: The platform's package.json must lock to colors 1.4.0 to avoid sabotaged patch releases.
Comments

Comment by John Malconian [ 10/Jan/22 ]

I went ahead and pinned colors to 1.4.0 on the following branches in platform-complete in addition to the snapshot branch:
Also did the same for platform-core (snapshot and master) for good measure.
Comment by John Malconian [ 13/Jan/22 ]

As discussed on Slack here: https://folio-project.slack.com/archives/C58TABALV/p1642003556044800, the FOLIO Jenkins CI is still having issues with the bogus colors > 1.4.0 npm dep when invoking stripes-cli to run things like karma unit tests. This is causing an infinite loop, eventual build failure, and a Jenkins build log that can grow to 18-20GB. The latest CI version of stripes-cli has colors 1.4.0 defined as a dev dep, but the bogus version is still slipping in there somehow.
Comment by John Malconian [ 13/Jan/22 ]

Removed the globally installed stripes-cli from the Jenkins CI build image for good measure. Issue still persists.
Comment by John Malconian [ 13/Jan/22 ]

Looks like npmjs.org finally removed colors 1.4.2 from its repo. That means I should be able to remove it from the FOLIO Nexus npmjs.org proxy repo.
Comment by John Malconian [ 13/Jan/22 ]

One thing to note was that when I removed colors 1.4.2 from the Nexus repo, 'yarn install' failed because it couldn't find 1.4.2. This means it was previously still resolving to 1.4.2 even with the dep pinned in stripes-cli. I think it was likely that something else depended on colors as well.
Comment by John Malconian [ 13/Jan/22 ]

Closing.