    Javier

    9 months ago
    What is kotlin-js-store? Recently it is being autogenerated in my projects that target JS.
    hfhbd

    9 months ago
    It contains a yarn lock file, to always use these pinned dependencies (no more broken builds due to some webpack updates...).
    Javier

    9 months ago
    New feature from 1.6.0 or 1.6.10? Previously it wasn't there.
    For updating it, do I have to do something, or just not touch it forever and wait until gradlew build changes it?
    hfhbd

    9 months ago
    1.6.10
    Please don't change it manually. It should only change with Kotlin updates, or JS npm updates.
    Carter

    9 months ago
    Except perhaps when the versions contain security vulnerabilities https://kotlinlang.slack.com/archives/C0B8L3U69/p1639510922224200
    Javier

    9 months ago
    Thank you all 🙂
    I understand this needs to be checked in source control.
    Adam S

    5 months ago
    I had the same problem. I think I just fixed it by defining the vulnerable dependency with the fixed version using the Gradle platform(...) function. I then deleted the contents of yarn.lock, and ran the Gradle task kotlinStoreYarnLock. Here's what the relevant bits from build.gradle.kts look like. I'm using Kotlin/JS 1.6.20 and Gradle 7.4.2. I don't know what these dependencies are, or where they're coming from. I'm not even sure if this worked. But it made most of the Dependabot warnings go away. edit: oops, I meant to reply in this thread, not here. My bad!
    hfhbd

    5 months ago
    @Adam S This is the “perfect” sample for using non-deterministic, self-updating dependencies and has nothing to do with https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.dsl.DependencyHandler.html#org.gradle.api.artifacts.dsl.DependencyHandler:platform(java.lang.Object). Instead, use the lock file to always use the same versions to avoid broken builds. Add the lockfile to your VCS (git) and don't use dependencies.platform.
    Adam S

    5 months ago
    I thought yarn lock wasn't supposed to be edited manually? Besides, I'm not familiar with the NPM ecosystem, so I wanted a Gradle solution.
    hfhbd

    5 months ago
    Just silencing the GitHub warnings by deleting the yarn.lock file is not The Way. Just use
    dependencies {
        implementation(npm("follow-redirects", "^1.14.8"))
        implementation(npm("nanoid", "^3.1.31"))
        implementation(npm("minimist", "^1.2.6"))
        implementation(npm("async", "^2.6.4"))
        implementation(npm("node-forge", "^1.3.0"))
    }
    and check in the yarn.lock file. If you want to bump your npm dependencies, delete the lockfile manually and recreate it by executing kotlinStoreYarnLock, and commit the new locked versions! Without the lockfile, you are using ^, which updates the npm versions in each build! But generally, for Kotlin-only projects, the dependencies are often only used for testing Kotlin code…
    Adam S

    5 months ago
    I think you missed something from my message: I didn't say I deleted the lock file, and I said I ran kotlinStoreYarnLock. I tried setting the dependencies without platform(...), but that just added two entries (one with the vulnerable version, and one with the defined version) in yarn.lock.
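The pinning procedure hfhbd describes (pin the npm ranges, regenerate with kotlinStoreYarnLock, commit the lockfile) and the failure mode Adam S reports just above (a vulnerable range and the newly pinned range both ending up in yarn.lock) can both be checked mechanically before the lockfile is committed. The following is an added example, not code from this thread, from the Kotlin/JS Gradle plugin or from yarn: a small Python audit of the yarn v1 lockfile that the plugin writes under kotlin-js-store/. The sample lockfile text is constructed for the example, the REQUIRED_MINIMUMS policy is an assumption derived from the ranges pinned in the thread, and the package names in the sample are only there to exercise the parser.

```python
"""Audit the yarn.lock that the Kotlin/JS Gradle plugin stores under kotlin-js-store/.

Added example, not code from the thread or from the plugin. It parses the yarn v1
lockfile format (an unindented 'spec, spec:' header followed by an indented
version "x.y.z" line) and reports packages locked below a required minimum, plus
packages resolved to more than one version, which is what the lockfile looks like
when a vulnerable transitive range and a newly pinned range both remain in it.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Audit policy (assumption): minimums mirror the ranges pinned in the thread.
REQUIRED_MINIMUMS: Dict[str, str] = {
    "follow-redirects": "1.14.8",
    "nanoid": "3.1.31",
    "minimist": "1.2.6",
    "async": "2.6.4",
    "node-forge": "1.3.0",
}

_HEADER_RE = re.compile(r'^(?P<specs>\S.*):\s*$')  # unindented 'spec, spec:' line
_VERSION_RE = re.compile(r'^\s+version\s+"?(?P<version>[^"\s]+)"?\s*$')

def _package_name(spec: str) -> str:
    """'name@range' -> 'name'; a scoped package keeps its leading '@scope/'."""
    spec = spec.strip().strip('"')
    at = spec.find("@", 1)  # search from 1 so a scope's '@' is not the separator
    return spec if at == -1 else spec[:at]

def parse_yarn_lock(text: str) -> Dict[str, Set[str]]:
    """Map each package name to every version the lockfile resolves it to."""
    resolved: Dict[str, Set[str]] = {}
    current: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        header = _HEADER_RE.match(line)
        if header:
            current = sorted({_package_name(s) for s in header.group("specs").split(",")})
            continue
        version = _VERSION_RE.match(line)
        if version and current:
            for name in current:
                resolved.setdefault(name, set()).add(version.group("version"))
    return resolved

def _version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key; pre-release and build tags ('1.2.3-beta+1') are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def audit(text: str, minimums: Dict[str, str] = REQUIRED_MINIMUMS) -> List[str]:
    """Return findings as strings; an empty list means the lockfile passes."""
    findings: List[str] = []
    for name, versions in sorted(parse_yarn_lock(text).items()):
        ordered = sorted(versions, key=_version_key)
        if len(ordered) > 1:
            findings.append(f"{name}: resolves to several versions {ordered}")
        minimum = minimums.get(name)
        for version in ordered if minimum else []:
            if _version_key(version) < _version_key(minimum):
                findings.append(f"{name}: locked at {version}, below required {minimum}")
    return findings

# Constructed sample (not a real project's lockfile): async is stale, and
# follow-redirects keeps both the old transitive range and the pinned range.
SAMPLE_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@types/node@*":
  version "17.0.21"
  integrity sha512-constructedplaceholder==

async@^2.6.2:
  version "2.6.3"
  dependencies:
    lodash "^4.17.14"

follow-redirects@^1.0.0:
  version "1.14.7"

follow-redirects@^1.14.8:
  version "1.14.9"

lodash@^4.17.14:
  version "4.17.21"

minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.6"
"""

if __name__ == "__main__":
    # Usage: python audit_yarn_lock.py [path/to/kotlin-js-store/yarn.lock]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print("\n".join(audit(text)) or "lockfile passes")
```

Run against the sample, it reports async locked below the required version and follow-redirects resolving to both 1.14.7 and 1.14.9, which is the "two entries" state the thread describes; a lockfile regenerated after the old range is satisfied by the fixed version collapses to a single resolved version and only the async finding remains. The check is a lockfile-level gate only: it says nothing about whether a flagged version is actually exploitable in your build, and the minimums have to be maintained by hand.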
    hfhbd

    5 months ago
    Ah okay, apologies! The platform call sounds like a hack, maybe you could create an issue instead.
    Adam S

    5 months ago
    No problem. And yeah, it's a hack. I couldn't figure out a proper Gradle way to do it since KotlinDependencyHandler doesn't expose any of the usual 'constraints' functionality. I did find this ticket https://youtrack.jetbrains.com/issue/KT-50848/Kotlin-JS-inner-build-routines-are-using-vulnerable-NPM-dependen, which has an alternative workaround. I've spruced it up a bit, but I haven't tested it. For now I'm just going to use platform(...). It's a one-line fix.