chore(deps): migrate monorepo to Lerna v9 and npm workspaces #2906
inlined wants to merge 1 commit into
Conversation
Code Review
This pull request migrates the repository to npm workspaces, updates Lerna to version 9.0.7, and configures skipLibCheck in several TypeScript configurations. Feedback on these changes highlights two critical issues: first, the auth-mailchimp-sync/functions package was accidentally omitted from the new workspaces array in package.json; second, the generate-package-locks script needs to be updated with --workspaces=false to prevent npm from updating the root lockfile instead of generating individual workspace lockfiles.
| "firestore-shorten-urls-bitly/functions", | ||
| "firestore-send-email/functions", |
The package "auth-mailchimp-sync/functions" was present in the previous lerna.json packages list but has been omitted from the new workspaces array in package.json. This will prevent npm workspaces and Lerna from managing, building, or testing this package.
Please add "auth-mailchimp-sync/functions" back to the workspaces list.
| "firestore-shorten-urls-bitly/functions", | |
| "firestore-send-email/functions", | |
| "firestore-shorten-urls-bitly/functions", | |
| "auth-mailchimp-sync/functions", | |
| "firestore-send-email/functions", |
| "test:watch": "concurrently \"npm run local:emulator\" \"jest --watch\"", | ||
| "test-coverage": "jest --coverage --detectOpenHandles --forceExit", | ||
| "postinstall": "if test \"$SKIP_POSTINSTALL\" != \"yes\" ; then lerna bootstrap --no-ci && lerna run --parallel clean && npm run build && npm run generate-package-locks ; fi", | ||
| "postinstall": "if test \"$SKIP_POSTINSTALL\" != \"yes\" ; then lerna run --parallel clean && npm run build && npm run generate-package-locks ; fi", |
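Review bot: Dropping `lerna bootstrap --no-ci` from `postinstall` is the right change for Lerna v9 (the bootstrap command was removed in Lerna 8, and with npm workspaces a single root `npm install` installs every package), but the retained `npm run generate-package-locks` call now runs in a workspaces-enabled tree while the script it invokes is not part of this hunk. Inside a workspace package, `npm i --package-lock-only` resolves against the root, so unless that script passes `--workspaces=false` every install will rewrite the root `package-lock.json` instead of the per-package lockfiles the extensions are packaged from; please include the updated `generate-package-locks` definition in this diff so the two changes can be reviewed together.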
With the migration to npm workspaces, running npm i --package-lock-only inside a workspace package directory will traverse up to the root and update the root package-lock.json instead of generating a local package-lock.json inside each package. This will prevent the generate-package-locks script from generating the individual lockfiles required for Firebase Extensions packaging and deployment.
To fix this, the generate-package-locks script (on line 32) needs to be updated to disable workspaces during the lockfile generation:
"generate-package-locks": "lerna exec -- npm i --package-lock-only --workspaces=false"
…lve vulnerabilities
c7c4838 to 144b96b
Security Audit & Remediation: extensions

A. Previous CVEs
- tar (Severity: High)
- js-yaml (Severity: Moderate)
- tough-cookie (Severity: Moderate)
- lodash (Severity: High)

B. Changes Made
- package.json to force secure versions of transitive dependencies:
  - tar: ^7.5.19
  - js-yaml: ^4.1.2
  - tough-cookie: ^4.1.3
  - lodash: ^4.17.21

C. Remaining CVEs

D. Introduced CVEs

E. Testing Strategy
- npm run lint successfully.
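A check that belongs next to a remediation report like the one above: confirm that every installed copy of the pinned packages, including nested copies under other dependencies, actually satisfies the forced version. The script below is an added example, not code from the PR or the repository; it assumes the versions were forced through npm's `overrides` field in the root package.json (an assumption, the report does not say how), and both the package.json and the lockfile it reads are constructed inline for illustration, with one nested stale lodash and js-yaml planted so the check has something to find.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample package.json: the four floors from the audit report,
# expressed as npm "overrides" (assumption about how the PR forced them).
PACKAGE_JSON = json.loads("""
{
  "name": "extensions-root",
  "private": true,
  "overrides": {
    "tar": "^7.5.19",
    "js-yaml": "^4.1.2",
    "tough-cookie": "^4.1.3",
    "lodash": "^4.17.21"
  }
}
""")

# Constructed sample package-lock.json (lockfileVersion 3 layout). The hoisted
# copies are fixed; "some-plugin" still carries nested stale copies.
PACKAGE_LOCK = json.loads("""
{
  "name": "extensions-root",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "extensions-root"},
    "firestore-send-email/functions": {"name": "firestore-send-email-functions"},
    "node_modules/firestore-send-email-functions": {"resolved": "firestore-send-email/functions", "link": true},
    "node_modules/tar": {"version": "7.5.19"},
    "node_modules/js-yaml": {"version": "4.1.2"},
    "node_modules/tough-cookie": {"version": "4.1.3"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/some-plugin": {"version": "1.0.0"},
    "node_modules/some-plugin/node_modules/lodash": {"version": "4.17.15"},
    "node_modules/some-plugin/node_modules/js-yaml": {"version": "3.14.1"}
  }
}
""")

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse the leading major.minor.patch of a version string into a tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(0).split("."))
    return major, minor, patch


def caret_range(spec: str) -> Tuple[Tuple[int, int, int], Tuple[int, int, int]]:
    """Return (inclusive floor, exclusive upper bound) for a '^x.y.z' or bare 'x.y.z' spec.

    Only the major >= 1 caret rule is implemented, which covers the four pins above.
    """
    floor = parse_version(spec.lstrip("^"))
    if floor[0] == 0:
        raise ValueError("caret semantics for 0.x versions are not implemented here")
    return floor, (floor[0] + 1, 0, 0)


def package_name(lock_path: str) -> str:
    """Package name from a lockfile 'packages' key: the text after the last 'node_modules/'."""
    return lock_path.split("node_modules/")[-1]


def audit_lockfile(lock: Dict, overrides: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List every installed copy of an overridden package whose version is outside the override.

    Returns (lock_path, installed_version, required_spec) per violation. Workspace
    links and the root entry carry no "version" and are skipped.
    """
    findings = []
    for path, meta in lock["packages"].items():
        if not path or "version" not in meta:
            continue
        spec = overrides.get(package_name(path))
        if spec is None:
            continue
        floor, upper = caret_range(spec)
        if not (floor <= parse_version(meta["version"]) < upper):
            findings.append((path, meta["version"], spec))
    return findings


if __name__ == "__main__":
    for path, installed, required in audit_lockfile(PACKAGE_LOCK, PACKAGE_JSON["overrides"]):
        print(f"{path}: installed {installed}, override requires {required}")
```

Run against a real tree, `PACKAGE_LOCK` would be `json.load(open("package-lock.json"))`; the check walks the flat `packages` map, so nested copies hidden under another dependency's `node_modules` are caught just like the hoisted ones, which is exactly where a remediation that only bumped the top-level version tends to leave the vulnerable code behind.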