What is

kotlin-js-store

? Recently it is being autogenerated in my projects that target JS

It contains a yarn lock file to always use this pinned dependencies (no more broken builds due some webpack updates...)

new feature from 1.6.0 or 1.6.10? previously it wasn't there

1.6.10

Except perhaps when the versions contain security vulnerabilities https://kotlinlang.slack.com/archives/C0B8L3U69/p1639510922224200

Thank you all 🙂

Also relevant: https://kotlinlang.slack.com/archives/C0B8L3U69/p1639508052221600?thread_ts=1639508052.221600&cid=C0B8L3U69

I had the same problem. I think I just fixed it by defining the vulnerable dependency with the fixed version using the Gradle

platform(...)

function. I then deleted the contents of

yarn.lock

, and ran the Gradle task

kotlinStoreYarnLock

. Here's the relevant bits from

build.gradle.kts

looks like. I'm using Kotlin/JS 1.6.20 and Gradle 7.4.2 I don't know what these dependencies are, or where they're coming from. I'm not even sure if this worked. But it made most of the Dependabot warnings go away. edit: oops, I meant to reply in this thread, not here. My bad!

@Adam S This is the “perfect” sample for using non deterministic, self updating dependencies and has nothing to do with https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.dsl.DependencyHandler.html#org.gradle.api.artifacts.dsl.DependencyHandler:platform(java.lang.Object) Instead use the lock file to always use the same versions to avoid broken builds. Add the lockfile to your vcs (git) and dont use dependencies.platform.

I thought yarn lock wasn't supposed to be edited manually? Besides, I'm not familiar with the NPM ecosystem, so I wanted a Gradle solution.

Just silence the GitHub warnings by deleting the

yarn.lock

file is not The Way. Just use

dependencies {
        implementation(npm("follow-redirects", "^1.14.8")
        implementation(npm("nanoid", "^3.1.31")
        implementation(npm("minimist", "^1.2.6")
        implementation(npm("async", "^2.6.4")
        implementation(npm("node-forge", "^1.3.0")

and checkin the

yarn.lock

file. If you want to bump your npm dependencies, delete the lockfile manually and recreate them by executing

kotlinStoreYarnLock

, and commit the new locked versions! Without the lockfile, you are using

^

, which updates the npm versions in each build! But generally, for kotlin only projects, the dependencies are often only used for testing kotlin code…

I think you missed something from my message, I didn't say I deleted the lock file, and I said I ran

kotlinStoreYarnLock

. I tried setting the dependencies without

platform(...)

, but that just added two entries (one with the vulnerable version, and one with the defined version) in

yarn.lock

.

Ah okay, apologies! The platform call sounds like a hack, maybe you could create an issue instead.

No problem. And yeah, it's a hack. I couldn't figure out a proper Gradle way to do it since

KotlinDependencyHandler

doesn't expose any of the usual 'constraints' functionality I did find this ticket https://youtrack.jetbrains.com/issue/KT-50848/Kotlin-JS-inner-build-routines-are-using-vulnerable-NPM-dependen, which has an alternative workaround. I've spruced it up a bit, but I haven't tested it. For now I'm just going to use

platform(...)

. It's a one line fix.