chore(deps): add lockfile#5739

Open
yoshinorin wants to merge 4 commits into master from chore/deps/update-and-pinned-deps

Conversation

@yoshinorin
Member

What does it do?

As part of security measures:

  • Pin dependency versions
  • Add a lockfile

Screenshots

N/A

Pull request tasks

  • Add test cases for the changes.
  • Passed the CI test.

@github-actions

github-actions bot commented Feb 8, 2026

How to test

git clone -b chore/deps/update-and-pinned-deps https://github.com/hexojs/hexo.git
cd hexo
npm install
npm test

@yoshinorin yoshinorin changed the title chore(deps): update, version pinning and add lockfile chore(deps): version pinning and add lockfile Feb 8, 2026
@yoshinorin yoshinorin force-pushed the chore/deps/update-and-pinned-deps branch from f2d494a to a225222 on February 8, 2026 16:02
@github-actions

github-actions bot commented Feb 8, 2026

Dependency Review

The following issues were found:

  • ❌ 2 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
  • ⚠️ 157 packages with OpenSSF Scorecard issues.

This was referenced Mar 28, 2026
@uiolee
Member

uiolee commented Apr 8, 2026

Is pinning dependency versions required?

@yoshinorin
Member Author

@uiolee

Is pinning dependency versions required?

I missed the library distribution perspective — pinning in package.json is unnecessary for a library. I'll revert it and keep only the lockfile.
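The distinction made above (ranges in package.json for a library, exact pinning in the lockfile) can be checked mechanically. The following is an added example and not code from this PR or from hexo; it assumes the npm lockfile v3 layout ("packages" keyed by "node_modules/<name>") and treats any package without "private": true as a published library. The sample manifests are constructed.

```javascript
// Added example (not code from the hexo PR): audit a package.json and
// package-lock.json for the two points raised above. Assumptions: npm
// lockfile v3 layout ("packages" keyed by "node_modules/<name>"), and a
// package without "private": true is treated as a published library.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Returns { isLibrary, findings }: one human-readable finding per problem.
function auditDeps(pkg, lock) {
  const isLibrary = pkg.private !== true;
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    // A library should publish ranges; exact pins belong in the lockfile.
    if (isLibrary && EXACT_VERSION.test(range)) {
      findings.push(`${name}: exact pin "${range}" in package.json is unnecessary for a library`);
    }
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) {
      findings.push(`${name}: missing from package-lock.json`);
      continue;
    }
    // The lockfile is where pinning happens: resolved version plus integrity hash.
    if (!entry.version) findings.push(`${name}: lockfile entry has no resolved version`);
    if (!entry.integrity) findings.push(`${name}: lockfile entry has no integrity hash`);
  }
  return { isLibrary, findings };
}

// Constructed sample manifests (not hexo's): one exact pin, one lockfile
// entry without an integrity hash, one dependency missing from the lockfile.
const samplePkg = {
  name: "example-lib",
  dependencies: { "dep-a": "1.2.3", "dep-b": "^2.0.0", "dep-c": "~3.1.0" }
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-lib" },
    "node_modules/dep-a": { version: "1.2.3", integrity: "sha512-PLACEHOLDER" },
    "node_modules/dep-b": { version: "2.4.1" }
  }
};

const report = auditDeps(samplePkg, sampleLock);
console.log(`library: ${report.isLibrary}`);
for (const f of report.findings) console.log(`- ${f}`);
```

Run it against a real checkout by replacing the two sample objects with `JSON.parse` of package.json and package-lock.json; a clean library manifest produces no findings.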

@yoshinorin yoshinorin changed the title chore(deps): version pinning and add lockfile chore(deps): add lockfile Apr 11, 2026
@yoshinorin
Member Author

@uiolee

I'll revert it and keep only the lockfile.

Done :)

Member

@SukkaW SukkaW left a comment

Try npm dedupe and npm update --depth=999 to see if we can update a few transitive deps and make CI happy?
