
Consider removing package-lock.json from template

Open tormi opened this issue 3 years ago • 3 comments

Currently, it's impossible to merge quite frequent dependabot.yml pull requests because these are overwriting our minimally configured package-lock.json. See https://github.com/wunderio/drupal-project/pull/274 for example.

tormi avatar Feb 10 '22 07:02 tormi

Let's investigate if we can exclude files from Dependabot first. Configuration options for dependency updates, https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

tormi avatar Feb 10 '22 07:02 tormi

There's a Dependabot FR filed to only target the package.json file: https://github.com/dependabot/dependabot-core/issues/3184

tormi avatar Feb 10 '22 08:02 tormi

So basically we need a similar strategy for the manifest file as is available for the lockfile (versioning-strategy: lockfile-only). See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#versioning-strategy

tormi avatar Feb 10 '22 08:02 tormi
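For reference, here is what the versioning-strategy setting discussed in this thread looks like in a `.github/dependabot.yml`. This is an added illustration, not the drupal-project template's own configuration, and the directory and schedule values are assumptions. It shows the two documented behaviours that exist today (`increase`, which rewrites both `package.json` and `package-lock.json`, and `lockfile-only`, which leaves the manifest alone) alongside an `ignore` entry, which is the only documented way to narrow what Dependabot touches; there is no setting that updates the manifest while leaving the lockfile untouched, which is the gap the issue describes.

```yaml
version: 2
updates:
  # Assumed: the npm manifest lives at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # "increase" bumps the version range in package.json and regenerates
    # package-lock.json, so a hand-maintained lockfile gets overwritten.
    # "lockfile-only" is the inverse: package.json is untouched and only the
    # lockfile is rewritten. Neither option preserves a minimal lockfile.
    versioning-strategy: "lockfile-only"
    # "ignore" limits which dependencies get update PRs at all; it is the
    # closest available control for keeping Dependabot out of part of the tree.
    ignore:
      - dependency-name: "example-dev-tool"   # constructed placeholder name
        update-types: ["version-update:semver-patch"]
```

Whichever strategy is chosen, a lockfile regenerated by Dependabot should still be reviewed like any other dependency change: the PR diff on `package-lock.json` is where a transitive dependency swap or an unexpected resolved URL would show up.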