What
We recently noticed that the overrides in our package.json file weren't being respected in the lock file.
We removed these overrides, as they all relate to sassdoc, which is an internal build tool that we feel isn't a high risk vector.
However, @colinrotherham then pointed out that this is a long-running npm bug that's now affecting newer versions. The regressions have snuck in during routine npm jobs for unrelated work as we're now using npm 11.16.0, largely.
We have several options:
- Revert to an older version of
npm temporarily, reinstate the overrides, then add a unit test to ensure we don't accidentally add the regressions back when we move back to a recent npm version - this could be annoying, as we're likely to generate these fairly regularly.
- Ignore the sassdoc vulnerabilities and leave the overrides out - it's a devDependency and won't affect users
- Fork sassdoc - but we don't really want to maintain it
- Find an alternative to sassdoc
- Hope npm fix the bug
We also briefly talked about moving away from workspaces, as they seem to cause dependency management tools problems (dependabot is regularly stumped by our dependencies).
Who needs to work on this
Developer
Who needs to review this
Developer
Done when
What
We recently noticed that the overrides in our package.json file weren't being respected in the lock file.
We removed these overrides, as they all relate to sassdoc, which is an internal build tool that we feel isn't a high risk vector.
However, @colinrotherham then pointed out that this is a long-running npm bug that's now affecting newer versions. The regressions have snuck in during routine
npmjobs for unrelated work as we're now using npm 11.16.0, largely.We have several options:
npmtemporarily, reinstate the overrides, then add a unit test to ensure we don't accidentally add the regressions back when we move back to a recent npm version - this could be annoying, as we're likely to generate these fairly regularly.We also briefly talked about moving away from workspaces, as they seem to cause dependency management tools problems (dependabot is regularly stumped by our dependencies).
Who needs to work on this
Developer
Who needs to review this
Developer
Done when