onnxruntime icon indicating copy to clipboard operation
onnxruntime copied to clipboard
verified publisher icon microsoft

Update react-native to 0.74 and run npm audit fix

Open jchen351 opened this issue 1 year ago • 6 comments

Description

Updates react-native to 0.74 and run npm audit fix

Motivation and Context

Trying to fix CGs that associated with npm.

Dependent

  • [ ] https://github.com/microsoft/onnxruntime/pull/17361

jchen351 avatar Jun 20 '24 21:06 jchen351

This change is surprisingly huge.

snnn avatar Jun 20 '24 21:06 snnn

This change is surprisingly huge.

Because those 2 yarn.lock files are generated by npm.

I think it might be better generate them during the CI runtime, instead of committing them to the git repo.

jchen351 avatar Jun 20 '24 22:06 jchen351

@skottmckay , do we need to keep the file there? Nobody can really review the 5 thousand lines of change. Therefore I would think it is a security risk, because we don't exactly know what are brought in there.

snnn avatar Jun 20 '24 22:06 snnn

This PR requires https://github.com/microsoft/onnxruntime/pull/17361

jchen351 avatar Jun 21 '24 21:06 jchen351

AFAIK the contents of the yarn.lock files don't affect the bits we ship so it may not matter too much. @fs-eire is that correct?

This would suggest it's better to checkin yarn.lock for things to be deterministic, but that's countered by our project being a library not an app. https://stackoverflow.com/questions/39990017/should-i-commit-the-yarn-lock-file-and-what-is-it-for

Maybe that equates to checking in yarn.lock for the e2e test app and not checking it in for the top-level project.

skottmckay avatar Jun 24 '24 01:06 skottmckay

The file is already excluded in the library (NPM package).

Keeping it in the code source helps to make it consistency between all dev environment, which avoid strange errors on CI, for example.

fs-eire avatar Jun 24 '24 16:06 fs-eire