feat(TWILIGHT-2544): add pnpm lock file and update package manager to pnpm #468
Conversation
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
| @@ -8,6 +8,7 @@ | |||
| "url": "git+https://github.com/SallaApp/theme-raed.git" | |||
| }, | |||
| "scripts": { | |||
| "preinstall": "npx only-allow pnpm", | |||
There was a problem hiding this comment.
❌ Codacy found a critical Error Prone issue: You have a misspelled word: npx on String
The issue identified by ESLint is a potential misspelling of the word "npx" in the preinstall script. However, "npx" is a legitimate command used to execute npm packages, so the error might be a false positive. Nevertheless, if we assume ESLint is suggesting that "npx" is incorrect and should be replaced by "pnpx" (a specific command for pnpm), the correction would be to replace "npx" with "pnpx".
Here is the single line code suggestion to fix the issue:
| "preinstall": "npx only-allow pnpm", | |
| "preinstall": "pnpx only-allow pnpm", |
This comment was generated by an experimental AI tool.
| peerDependencies: | ||
| postcss: ^8.1.0 | ||
|
|
||
| [email protected]: |
There was a problem hiding this comment.
The issue identified by the Trivy linter is related to a security vulnerability in the axios library, specifically version 0.27.2. The vulnerability (CVE-2023-45857) involves the exposure of confidential data stored in cookies. This could potentially allow unauthorized access to sensitive information.
To fix this issue, you should update the axios dependency to a version that is not affected by this vulnerability, which is 0.28.0 or later.
Here is the single line change to update the axios dependency:
| axios@0.23.0: | |
| axios@0.28.0: |
This comment was generated by an experimental AI tool.
| mmenu-light: | ||
| specifier: ^3.0.9 | ||
| version: 3.2.2 | ||
| sweetalert2: |
There was a problem hiding this comment.
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (GHSA-mrr8-v49w-3333: sweetalert2 v11.6.14 and above contains potentially undesirable behavior) (no fix available)
The issue reported by the Trivy linter indicates that the version of the sweetalert2 library being used (11.14.1) has a known security vulnerability (GHSA-mrr8-v49w-3333). This vulnerability exists in versions of sweetalert2 starting from 11.6.14 and could potentially lead to undesirable behavior. Since there's no fix available for this vulnerability in the current version range, the best course of action is to downgrade to the last known secure version before 11.6.14.
To resolve this issue, you should downgrade sweetalert2 to version 11.6.13.
| sweetalert2: | |
| version: 11.6.13 |
This comment was generated by an experimental AI tool.
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
What is the current behavior? (You can also link to an open issue here)
package-lock.json, which can lead to larger disk usage and slower installs due to duplication of dependencies across projects.What is the new behavior? (You can also link to the ticket here)
pnpm-lock.yamlfile ensures consistent dependency versions and faster installs.Does this PR introduce a breaking change?
Screenshots (If appropriate)