You have been running npm publish with a polluted package.json, probably

Open hypesystem opened this issue 3 years ago • 1 comments

In this repo dot-json is not a dependency.

But on npmjs it is listed as such: [image]

If you install user-agents with npm install user-agents you will see inside its package.json that dot-json is present.

I would guess that whoever is running npm publish (probably it is run from circle-ci, as far as I can tell) has dot-json as a dependency. This means it is pushed to all users and downloaded when the package is used. (This isn't in itself so bad, but dot-json depends on a lib that pollutes the underscore package, which is potentially more problematic.)

The fix is installing dot-json with npm install dot-json --no-save in your circle-ci script.

(This might be because the default behavior of npm changed with npm@5 to imply --save.)

hypesystem avatar Dec 02 '21 12:12 hypesystem

Specifically this line: https://github.com/intoli/user-agents/blob/master/.circleci/config.yml#L84

Prior to publishing a few moments later, it will add dot-json as a dependency. Adding --no-save to the line will fix this.

ath88 avatar Dec 02 '21 12:12 ath88
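
A guard that would catch this before `npm publish`, as an added example that is not part of the original thread or the user-agents repository: it compares the committed manifest (for instance the output of `git show HEAD:package.json`) with the `package.json` on disk in the CI job and reports runtime dependencies that were added, removed or changed. The function names and the two sample manifests are constructed for illustration.

```javascript
// Added example: detect runtime dependencies that a CI step wrote into
// package.json after checkout (e.g. an `npm install <pkg>` without --no-save).
// Fields that end up installed on consumers' machines:
const RUNTIME_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns one record per dependency whose presence or version range differs
// between the committed manifest and the manifest about to be published.
function findDependencyDrift(committedManifest, workingManifest) {
  const drift = [];
  for (const field of RUNTIME_FIELDS) {
    const before = committedManifest[field] || {};
    const after = workingManifest[field] || {};
    const names = new Set([...Object.keys(before), ...Object.keys(after)]);
    for (const name of [...names].sort()) {
      const committed = has(before, name) ? before[name] : null;
      const working = has(after, name) ? after[name] : null;
      if (committed !== working) drift.push({ field, name, committed, working });
    }
  }
  return drift;
}

function describeDrift(record) {
  if (record.committed === null) return `${record.field}: ${record.name} added (${record.working})`;
  if (record.working === null) return `${record.field}: ${record.name} removed`;
  return `${record.field}: ${record.name} changed ${record.committed} -> ${record.working}`;
}

// Constructed sample: what is in git versus what sits on disk after the CI
// job ran `npm install dot-json` (versions and "example-lib" are made up).
const SAMPLE_COMMITTED = JSON.parse(`{
  "name": "example-package",
  "dependencies": { "example-lib": "^1.0.0" },
  "devDependencies": { "example-test-runner": "^2.0.0" }
}`);
const SAMPLE_WORKING = JSON.parse(`{
  "name": "example-package",
  "dependencies": { "example-lib": "^1.0.0", "dot-json": "^1.0.0" },
  "devDependencies": { "example-test-runner": "^2.0.0" }
}`);

const sampleDrift = findDependencyDrift(SAMPLE_COMMITTED, SAMPLE_WORKING);
sampleDrift.forEach((record) => console.log(describeDrift(record)));
// In a CI job, fail the build before publishing when the list is non-empty.
```
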