
📦 Nodemon version bump & package-lock update

Open mountainash opened this issue 2 years ago • 5 comments

See commit messages

Moved nodemon to devDependencies as it's only used for local dev.

mountainash, Oct 05 '23 08:10

What's the added value of this PR? Also it seems you modified some integrity hashes, can you point us to the sites where we can verify the new hashes? Just to be sure that we did not accidentally import malware.

softhack007, Oct 05 '23 11:10

The added value is that it's the recommended way of declaring dependencies used solely for development.

The updates to the lock file were not manual. NPM (v10.1.0 - as installed with Node.JS v20.8.0) updated the lock file.

Skimming through the log file, it looks like only a few hashes changed, from sha1 to sha512. Most of the changes are due to the lock file version (lockfileVersion) changing from version 1 to 3. All the non-nodemon URLs appear to pull from the same location; if this had changed it would be more reason for concern. I don't believe NPM allows reuse of the same URLs when files change.

If you are concerned about the change, I suggest using a Codespaces VM on the main branch, copying the package.json from this request (to update nodemon) and running npm install. Then compare the lockfile changes generated with this PR.

Another option/PR would be to replace Nodemon and just use Node --watch as per https://www.jamesqquick.com/blog/using-node-watch-instead-of-nodemon/

mountainash, Oct 05 '23 11:10

+1 for this PR. I was about to create the same PR.

Moustachauve, Oct 14 '23 04:10

Hey! This pull request has been open for quite some time without any new comments now. It will be closed automatically in a week if no further activity occurs. Thank you for contributing to WLED! ❤️

github-actions[bot], Apr 15 '24 12:04

> What's the added value of this PR? Also it seems you modified some integrity hashes, can you point us to the sites where we can verify the new hashes? Just to be sure that we did not accidentally import malware.

Easy to check for yourself. rm package-lock.json, then npm install and you'll get similar updates - although now some of the non-pinned sub-dependencies will likely have been updated and you'll get new versions, with new hashes.

Also this doesn't guarantee that we "did not accidentally import malware" - unless you've checked every dependency in use by the project I doubt you could even say that this isn't already the case (depending on your boundaries/definition of malware).

mountainash, Apr 20 '24 19:04

Hey! This pull request has been open for quite some time without any new comments now. It will be closed automatically in a week if no further activity occurs. Thank you for contributing to WLED! ❤️

github-actions[bot], Aug 19 '24 12:08