Commercial product leakage to package.json #13749
Comments
|
It seems that only |
|
Yes, there should be separate version jsons in the two jars. Earlier it did not matter that vaadin-core listed all the versions as only what was found by scanning for Technically it might be easier to name the files differently in the two jars so you can just fetch from the classpath using a unique name |
|
This is actually a critical bug. It's not uncommon that companies have license check in the build script, upon detecting commercial licenses, the build fails which makes Vaadin 23 not usable. And there is no workaround, as Vaadin always forces the commercial products, even the user only intends to use the free ones with vaadin-core. |
|
I can confirm this bug prevents me to update to v23. I do not have a license checker integrated in my build which prevents me from doing so, but it's the CVAL-3.0 itself, which I would violate!
|
|
I have created this PR to generate different json file for vaadin and vaadin-core and the json will be included into different jars. i think flow will need to do corresponding changes to make it include the correct json into the generated package.json files. |
Fixes: #13749 Previously, the vaadin_versions.json contained both core and commercial components listed which led to including them all in package.json even if the user only used vaadin-core. Now platform generates vaadin-core-version.json in vaadin-core and vaadin-version.json to include commercial components in vaadin artifact. This commit will adopt having separate files while generating package.json and pinning the platform dependencies.
* fix: separate core and commercial components version files Fixes: #13749 Previously, the vaadin_versions.json contained both core and commercial components listed which led to including them all in package.json even if the user only used vaadin-core. Now platform generates vaadin-core-version.json in vaadin-core and vaadin-version.json to include commercial components in vaadin artifact. This commit will adopt having separate files while generating package.json and pinning the platform dependencies.
* fix: separate core and commercial components version files Fixes: #13749 Previously, the vaadin_versions.json contained both core and commercial components listed which led to including them all in package.json even if the user only used vaadin-core. Now platform generates vaadin-core-version.json in vaadin-core and vaadin-version.json to include commercial components in vaadin artifact. This commit will adopt having separate files while generating package.json and pinning the platform dependencies. (cherry picked from commit 23f5496)
* fix: separate core and commercial components version files (#14014) * fix: separate core and commercial components version files Fixes: #13749 Previously, the vaadin_versions.json contained both core and commercial components listed which led to including them all in package.json even if the user only used vaadin-core. Now platform generates vaadin-core-version.json in vaadin-core and vaadin-version.json to include commercial components in vaadin artifact. This commit will adopt having separate files while generating package.json and pinning the platform dependencies. (cherry picked from commit 23f5496) * test: add tests for handling separate versions in NodeUpdater (#14079) Tests are added for changes done in PR #14014 (cherry picked from commit 7140d32) * chore: update log message after versions.json separation (#14083) (cherry picked from commit 1b86801) Co-authored-by: Zhe Sun <[email protected]>
* fix: separate core and commercial components version files (#14014) * fix: separate core and commercial components version files Fixes: #13749 Previously, the vaadin_versions.json contained both core and commercial components listed which led to including them all in package.json even if the user only used vaadin-core. Now platform generates vaadin-core-version.json in vaadin-core and vaadin-version.json to include commercial components in vaadin artifact. This commit will adopt having separate files while generating package.json and pinning the platform dependencies. (cherry picked from commit 23f5496) * test: add tests for handling separate versions in NodeUpdater (#14079) Tests are added for changes done in PR #14014 (cherry picked from commit 7140d32) * chore: update log message after versions.json separation (#14083) (cherry picked from commit 1b86801) Co-authored-by: Zhe Sun <[email protected]>
…14104) * fix: separate core and commercial components version files (#14014) * fix: separate core and commercial components version files Fixes: #13749 Previously, the vaadin_versions.json contained both core and commercial components listed which led to including them all in package.json even if the user only used vaadin-core. Now platform generates vaadin-core-version.json in vaadin-core and vaadin-version.json to include commercial components in vaadin artifact. This commit will adopt having separate files while generating package.json and pinning the platform dependencies. (cherry picked from commit 23f5496) * test: add tests for handling separate versions in NodeUpdater (#14079) Tests are added for changes done in PR #14014 (cherry picked from commit 7140d32) * chore: update log message after versions.json separation (#14083) (cherry picked from commit 1b86801) Co-authored-by: Zhe Sun <[email protected]> Co-authored-by: Soroosh Taefi <[email protected]>
|
This ticket/PR has been released with Vaadin 23.1.3. |
|
This ticket/PR has been released with Vaadin 23.2.0. |
Description of the bug
Currently commercial projects like
vaadin-grid-proare added to the package.json and package-lock.json even tho onlyvaadin-coreis used as dependency.Expected behavior
Not used dependencies / commercial products are NOT added into the package.json or package-lock.json.
Minimal reproducible example
vaadindependency withvaadin-coreVersions
The text was updated successfully, but these errors were encountered: