Javier
12/18/2021, 2:51 PM
kotlin-js-store? Recently it is being autogenerated in my projects that target JS

hfhbd
12/18/2021, 2:58 PM

Javier
12/18/2021, 3:00 PM

hfhbd
12/18/2021, 3:01 PM

Carter
12/18/2021, 3:19 PM

Javier
12/18/2021, 5:31 PM

mbonnin
12/18/2021, 9:30 PM

Adam S
04/20/2022, 9:57 AM
platform(...) function. I then deleted the contents of yarn.lock, and ran the Gradle task kotlinStoreYarnLock.
Here's what the relevant bits of build.gradle.kts look like. I'm using Kotlin/JS 1.6.20 and Gradle 7.4.2
I don't know what these dependencies are, or where they're coming from. I'm not even sure if this worked. But it made most of the Dependabot warnings go away.
edit: oops, I meant to reply in this thread, not here. My bad!

hfhbd
04/20/2022, 10:20 AM

Adam S
04/20/2022, 10:22 AM

hfhbd
04/20/2022, 10:38 AM
yarn.lock file is not The Way. Just use

    dependencies {
        // declare the npm packages directly so the checked-in lockfile records the resolved versions
        implementation(npm("follow-redirects", "^1.14.8"))
        implementation(npm("nanoid", "^3.1.31"))
        implementation(npm("minimist", "^1.2.6"))
        implementation(npm("async", "^2.6.4"))
        implementation(npm("node-forge", "^1.3.0"))
    }

and check in the yarn.lock file. If you want to bump your npm dependencies, delete the lockfile manually and recreate them by executing kotlinStoreYarnLock, and commit the new locked versions!
Without the lockfile, you are using ^, which updates the npm versions in each build!
But generally, for Kotlin-only projects, the dependencies are often only used for testing Kotlin code…

Adam S
04/20/2022, 10:43 AM
kotlinStoreYarnLock.
I tried setting the dependencies without platform(...), but that just added two entries (one with the vulnerable version, and one with the defined version) in yarn.lock.

hfhbd
04/20/2022, 10:48 AM

Adam S
04/20/2022, 2:19 PM
KotlinDependencyHandler doesn't expose any of the usual 'constraints' functionality.
I did find this ticket https://youtrack.jetbrains.com/issue/KT-50848/Kotlin-JS-inner-build-routines-are-using-vulnerable-NPM-dependen, which has an alternative workaround. I've spruced it up a bit, but I haven't tested it.
For now I'm just going to use platform(...). It's a one-line fix.