Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: lock library dependencies #192

Merged
merged 7 commits into from
Jul 26, 2023
Merged

feat: lock library dependencies #192

merged 7 commits into from
Jul 26, 2023

Conversation

michelkaporin
Copy link
Contributor

  • Ready for review
  • Linked to Jira ticket

What does this PR do?

This PR locks code-client dependencies for install reproducibility purposes in the CI.

The current solution of not having a lock, doesn't address the issue that it's meant to solve, as CLI (or any other consumer) would result in a different dependency resolution than the one happening in the current library's CI pipeline.

Where should the reviewer start?

How should this be manually tested?

Any background context you want to provide?

Coffee read: https://snyk.io/blog/what-is-package-lock-json.
Discussions: https://snyk.slack.com/archives/C0135Q8LP61/p1689183248655649

Screenshots

Additional questions

@michelkaporin michelkaporin requested a review from a team as a code owner July 25, 2023 14:59
strassl-snyk
strassl-snyk approved these changes Jul 26, 2023
View reviewed changes
Copy link
Member

@strassl-snyk strassl-snyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes LGTM, Snyk seems unhappy though.

I do wonder whether it would be worthwhile to have an additional CI step that tests against latest. We could even run that on a schedule. This way we could reliably distinguish between a dependency breaking and PR changes breaking. I don't want to blow up the scope for this change though.

@michelkaporin
Copy link
Contributor Author

@strassl-snyk great point, added it not to regress on the “surprise” end that we had so far covered as part of the existing CI.

strassl-snyk
strassl-snyk requested changes Jul 26, 2023
View reviewed changes
.circleci/config.yml Outdated Show resolved Hide resolved
@michelkaporin michelkaporin merged commit 34ccb2a into master Jul 26, 2023
@michelkaporin michelkaporin deleted the feat/package-lock branch July 26, 2023 10:14
@snyksec
Copy link

snyksec commented Jul 26, 2023

🎉 This PR is included in version 4.20.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@strassl-snyk strassl-snyk mentioned this pull request Jul 27, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@strassl-snyk strassl-snyk strassl-snyk approved these changes

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@michelkaporin @snyksec @strassl-snyk