#multiplatform
Javier, 12/18/2021, 2:51 PM
What is `kotlin-js-store`? Recently it is being autogenerated in my projects that target JS.
hfhbd, 12/18/2021, 2:58 PM
It contains a yarn lock file to always use these pinned dependencies (no more broken builds due to some webpack updates...).
Javier, 12/18/2021, 3:00 PM
New feature from 1.6.0 or 1.6.10? Previously it wasn't there.
To update it, do I have to do something, or should I just not touch it and wait until `gradlew build` changes it?
hfhbd, 12/18/2021, 3:01 PM
1.6.10
Please don't change it manually. It should only change with Kotlin updates, or js npm updates.
Carter, 12/18/2021, 3:19 PM
Except perhaps when the versions contain security vulnerabilities https://kotlinlang.slack.com/archives/C0B8L3U69/p1639510922224200
Javier, 12/18/2021, 5:31 PM
Thank you all 🙂
I understand this needs to be checked in to source control.
Adam S, 04/20/2022, 9:57 AM
I had the same problem. I think I just fixed it by defining the vulnerable dependency with the fixed version using the Gradle `platform(...)` function. I then deleted the contents of `yarn.lock`, and ran the Gradle task `kotlinStoreYarnLock`. Here's what the relevant bits from `build.gradle.kts` look like. I'm using Kotlin/JS 1.6.20 and Gradle 7.4.2. I don't know what these dependencies are, or where they're coming from. I'm not even sure if this worked. But it made most of the Dependabot warnings go away. edit: oops, I meant to reply in this thread, not here. My bad!
hfhbd, 04/20/2022, 10:20 AM
@Adam S This is the "perfect" sample for using non-deterministic, self-updating dependencies and has nothing to do with https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.dsl.DependencyHandler.html#org.gradle.api.artifacts.dsl.DependencyHandler:platform(java.lang.Object). Instead, use the lock file to always use the same versions to avoid broken builds. Add the lockfile to your VCS (git) and don't use `dependencies.platform`.
Adam S, 04/20/2022, 10:22 AM
I thought yarn lock wasn't supposed to be edited manually? Besides, I'm not familiar with the NPM ecosystem, so I wanted a Gradle solution.
hfhbd, 04/20/2022, 10:38 AM
Just silencing the GitHub warnings by deleting the `yarn.lock` file is not The Way. Just use

```kotlin
dependencies {
    // Pin the npm packages flagged by the security warnings to patched versions;
    // the resolved versions are then recorded in yarn.lock by kotlinStoreYarnLock.
    implementation(npm("follow-redirects", "^1.14.8"))
    implementation(npm("nanoid", "^3.1.31"))
    implementation(npm("minimist", "^1.2.6"))
    implementation(npm("async", "^2.6.4"))
    implementation(npm("node-forge", "^1.3.0"))
}
```

and check in the `yarn.lock` file. If you want to bump your npm dependencies, delete the lockfile manually and recreate it by executing `kotlinStoreYarnLock`, and commit the new locked versions! Without the lockfile, you are using `^`, which updates the npm versions in each build! But generally, for Kotlin-only projects, the dependencies are often only used for testing Kotlin code…
Adam S, 04/20/2022, 10:43 AM
I think you missed something from my message. I didn't say I deleted the lock file, and I said I ran `kotlinStoreYarnLock`. I tried setting the dependencies without `platform(...)`, but that just added two entries (one with the vulnerable version, and one with the defined version) in `yarn.lock`.
hfhbd, 04/20/2022, 10:48 AM
Ah okay, apologies! The platform call sounds like a hack, maybe you could create an issue instead.
Adam S, 04/20/2022, 2:19 PM
No problem. And yeah, it's a hack. I couldn't figure out a proper Gradle way to do it since `KotlinDependencyHandler` doesn't expose any of the usual 'constraints' functionality. I did find this ticket https://youtrack.jetbrains.com/issue/KT-50848/Kotlin-JS-inner-build-routines-are-using-vulnerable-NPM-dependen, which has an alternative workaround. I've spruced it up a bit, but I haven't tested it. For now I'm just going to use `platform(...)`. It's a one line fix.