slushjs / gulp-conflict
Check if files in stream conflict with those in target dir, with option to use new, keep old, show diff, etc.
License: MIT License
Hi. Cool plugin, really like the effort.
This is me running a sample project for the first time:
I've read the other issues about the Keeping/Creating issue, but for me this is still not as clear as it can be.
This basically screams YOU HAVE A CONFLICT. But I suppose this green [conflict] is from gulp, right? Is this behavior possible to modify?
I also have to say that 'Create' or 'Creating' is a better name imho. At least in the context when using it together with slush.
I've noticed that my gulp stream actually fires the "end" event, even while this plugin is still prompting how I want to resolve conflicts. Is there any way to fix this?
Issue: There is no package-lock.json or npm-shrinkwrap.json file uploaded to the GitHub repository https://github.com/slushjs/gulp-conflict
Questions: We are conducting a research study on the lock files used in JS projects. We were curious:
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Rationale: NPM introduced package-lock.json and npm-shrinkwrap.json files to capture the exact dependency tree installed at any point in time. When package.json defines the required dependencies and their respective versions using semantic versioning (e.g., “express”: “^4.16.4”), npm always downloads the latest version of packages to satisfy the specified version ranges (e.g., 4.17.1)[1]. If the latest version of any package keeps changing and has backward incompatibility issues with previous versions, the project may have an inconsistent running environment and get intermittent failures. In such scenarios, it can be very difficult for developers to debug programs and settle down the software environment [2].
List of Risks:
Suggested Solution: Please fixate the dependencies by either specifying the exact library version in the package.json file or by uploading the package-lock.json or npm-shrinkwrap.json file to GitHub.
References:
https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json
https://blog.logrocket.com/why-you-should-use-package-lock-json/
2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
Pronnoy Goswami, Saksham Gupta, Zhiyuan Li, Na Meng, and Daphne Yao. 2020. Investigating The Reproducibility of NPM Packages. In 2020 IEEE International
2021. Npm Security Best Practices. https://bytesafe.dev/posts/npm-security-best-practices/#no9-deterministic-results.
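The version drift described in the rationale above, as an added example that is not part of the original issue or of gulp-conflict: a minimal caret/tilde/exact resolver (not npm's own semver code) run against two constructed registry snapshots, with and without a recorded lock. The function names, the `lock` object shape and the registry contents are assumptions made for illustration.

```javascript
// Added example: minimal range resolver, not npm's implementation.
// Pre-release tags and compound ranges are deliberately out of scope.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Exclusive upper bound a range allows, following npm's caret/tilde rules.
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0];
  if (op === '^') {
    if (maj > 0) return [maj + 1, 0, 0];
    if (min > 0) return [0, min + 1, 0];
    return [0, 0, pat + 1];
  }
  return null; // no operator: exact pin
}

// Highest published version satisfying `range`, or null if none does.
function resolve(range, published) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const base = parse(m[2]);
  const hi = upperBound(m[1], base);
  const ok = published.map(parse).filter((v) =>
    hi ? cmp(v, base) >= 0 && cmp(v, hi) < 0 : cmp(v, base) === 0);
  return ok.length ? ok.sort(cmp).pop().join('.') : null;
}

// A fresh install: the locked version wins when a lock entry exists
// (simplified model of package-lock.json), otherwise the range is
// resolved against whatever the registry holds at install time.
function install(deps, registry, lock = {}) {
  const out = {};
  for (const [name, range] of Object.entries(deps)) {
    out[name] = lock[name] || resolve(range, registry[name]);
  }
  return out;
}

// Constructed snapshots: same package.json, two points in time.
const deps = { express: '^4.16.4' };
const registryThen = { express: ['4.16.3', '4.16.4'] };
const registryNow = { express: ['4.16.3', '4.16.4', '4.17.1', '5.0.0'] };
const lock = install(deps, registryThen); // what a lock file would record

console.log(install(deps, registryThen));      // first install
console.log(install(deps, registryNow));       // later install, no lock
console.log(install(deps, registryNow, lock)); // later install, with lock
```

Without the lock, the same `package.json` yields a different tree once a newer in-range release is published; with it, the later install reproduces the first one.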
What do you recommend if I want to filter out existing files automatically, not CLI-based, but in a library. I'd like to use this plugin, but it 1. requires the console object and 2. pollutes the CLI.
I am also using the mock-gulp-test module. In situations when you are scaffolding files that are also the names of files in the scaffolding tool, like README.md and package.json, the conflict module prompts and interrupts the test, causing it to fail.
with conflict in the pipeline
[?] Replace README.md? (Ynaxdh) 0
0 passing (2s)
1 failing
1) slush-example default should make a readme:
Error: timeout of 2000ms exceeded. Ensure the done() callback is being called in this test.
at null.<anonymous> (E:\Users\<username>\Desktop\slush-example\node_modules\mocha\lib\runnable.js:170:19)
at Timer.listOnTimeout [as ontimeout] (timers.js:112:15)
stream.js:94
throw er; // Unhandled stream error in pipe.
^
Error: 1 test failed.
When I take it out everything is ok. This is only occurring on the unit tests, is there a way around this? I've tried doing something similar to what you are doing in this
but the prompts are still causing issues.
I would also add that the .on('stop') did not work in my tests, and I had to resort to using on('task_stop'). If this is the wrong module to be submitting this issue let me know.
I haven't gone into exhaustive detail in case this is something you've encountered before. However, if you'd like more detail, let me know and I can flesh it out more throughout. Thank you very much for your hard work on this module and your time.
Hi,
gulp-util is deprecated. It should be replaced by dependencies on the individual components used by gulp-eslint. The README lists alternatives for the different components.
See gulpjs/gulp#2065
Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
debug <=2.6.8 || 3.0.0 - 3.0.1
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/534
Depends on vulnerable versions of ms
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/diff
node_modules/mocha/node_modules/diff
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
growl <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/growl
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/lodash
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/inquirer
minimatch <=3.0.1
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/118
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/minimatch
glob 3.0.0 - 5.0.14
Depends on vulnerable versions of minimatch
node_modules/glob
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mkdirp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
ms <=0.7.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/46
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/ms
debug <=2.6.8 || 3.0.0 - 3.0.1
Depends on vulnerable versions of ms
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
11 vulnerabilities (2 low, 2 moderate, 5 high, 2 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
References:
2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit.
It would be nice to have a silent mode.
Sometimes you come across needs where you always want to go with 'skip' option.
Like in my case, I am processing images, and each time I want to only process the image which does not exist in target/destination directory.
This is going to be run through a cron job, so I don't want any user interaction and always skip when conflict happens.
Title says it all I think? If I opt to replace my file, the next message says it is keeping that file. Seems a little confusing to me. Shouldn't it say "Replacing" instead?
I tried this
    .pipe( conflict( './', {
        defaultChoice: 'd'
    } ) )
It failed. Can someone show some examples or point me to the docs that can show me how to deal with these issues? Thanks