cloud-mta-build-tool
Replace `--production` by `--omit=dev`
Description
This PR replaces all occurrences of `--production` in an npm context with `--omit=dev`.
Currently you get these warnings when deploying MTA projects with the standard npm builder:
"npm warn config production Use --omit=dev instead"
The omit option was introduced with npm 8, so it's available in all supported versions.
Checklist
- [ ] Code compiles correctly
- [ ] Relevant tests were added (unit / contract / integration)
- [ ] Relevant logs were added
- [ ] Formatting and linting run locally successfully
- [ ] All tests pass
- [ ] UA review
- [ ] Design is documented
- [ ] Extended the README / documentation, if necessary
- [ ] Open source is approved
This parameter "--production" is still used by Node v14.
Node 14 (and 16) are already end-of-life though. They shouldn't be used any more, as they won't even get patched. IMO you should drop support for them, as in the worst case this enables stakeholders using those outdated versions.
Even if Node 14 support has to be kept for some reason, there should be a conditional to use the `--omit=dev` version for later Node versions. We really shouldn't show warnings for standard projects using a current LTS version just to accommodate some version deprecated for years.
If you expect that repo to follow the most basic best current security practices or even SAP security policies, you will face disillusionment :) I've tried to push a bunch of security compliance PRs a year ago, most of them have been merged/taken over.
Dunno why such a critical piece in the SAP software supply chain can be left with known critical CVEs such as https://security-tracker.debian.org/tracker/CVE-2024-2961 several months ... or years.
MBT requires support for Node 14, and the Node 14 MBT Docker image is utilized by SAP Piper. Therefore, it cannot be replaced at this time.
So critical components in the SAP software supply chain use an unmaintained Node.js version cluttered by serious security flaws? How can that be considered a valid justification to continue to support them in another SAP software supply chain critical component?