cli
[DOCS] Details for package-lock.json dependencies version field missing
Is there an existing issue for this?
- [X] I have searched the existing issues
This is a CLI Docs Problem, not another kind of Docs Problem.
- [X] This is a CLI Docs Problem.
Description of Problem
Issue raised following the opening of https://github.com/jeremylong/DependencyCheck/issues/4293.
The generated package-lock.json file has a Dependency object without specifying a version field:
```json
"node_modules/jest-resolve": {
  "dev": true,
  "optional": true,
  "peer": true
},
```
This behavior is not specified in the documentation of the cli, which implies a version field is always present and set.
Dependency objects have the following fields:
- version: a specifier that varies depending on the nature of the package, and is usable in fetching a new copy of it.
  - bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.
  - registry sources: This is a version number. (eg, 1.2.3)
  - git sources: This is a git specifier with resolved committish. (eg, git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e)
  - http tarball sources: This is the URL of the tarball. (eg, https://example.com/example-1.3.0.tgz)
  - local tarball sources: This is the file URL of the tarball. (eg file:///opt/storage/example-1.3.0.tgz)
  - local link sources: This is the file URL of the link. (eg file:libs/our-module)
How should such dependencies be considered?
Potential Solution
Detailing cases where a version is not specified for a dependency
Affected URL
https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json#dependencies
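For tools that consume package-lock.json, such as dependency scanners, the following added example (not part of the original issue and not npm's or DependencyCheck's code) inventories lockfile entries without assuming a `version` field exists. The function names, the sample lockfile and the choice to report versionless entries separately are assumptions made for illustration.

```javascript
// Added example: the sample lockfile below is constructed, not taken from a real project.

// Derive the package name from a lockfile key,
// e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Split entries into those with a usable version and those without one.
// Assumption: a versionless entry is reported for review rather than
// given a guessed version or allowed to crash the scan.
function inventoryLockfile(lock) {
  const resolved = [];
  const unversioned = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = packageNameFromKey(key);
    if (typeof entry.version === "string" && entry.version.length > 0) {
      resolved.push({ name, version: entry.version, path: key });
    } else {
      const flags = ["dev", "optional", "peer"].filter((f) => entry[f] === true);
      unversioned.push({ name, path: key, flags });
    }
  }
  return { resolved, unversioned };
}

// Constructed sample containing the versionless entry shape from the issue.
const sampleLock = {
  name: "demo",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/jest-resolve": { dev: true, optional: true, peer: true },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/example-lib/node_modules/@example/util": { version: "2.0.0", dev: true },
  },
};

const report = inventoryLockfile(sampleLock);
for (const u of report.unversioned) {
  console.log(`no version: ${u.name} (${u.path}) flags=${u.flags.join(",")}`);
}
```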