gulp-conflict's People

Contributors

brettstack, dkavassy, joakimbeng, mgan59, systemist

gulp-conflict's Issues

[conflict], first time user may be really confused

Hi. Cool plugin, really like the effort.

This is me running a sample project for the first time:
I've read the other issues about the Keeping/Creating issue, but for me this is still not as clear as it can be.

This basically screams YOU HAVE A CONFLICT. But I suppose this green [conflict] is from gulp, right? Is it possible to modify this behavior?

I also have to say that 'Create' or 'Creating' is a better name imho. At least in the context when using it together with slush


No lock file found in the gulpconflict project on Tag: 0.4.0

Issue: There is no package-lock.json or npm-shrinkwrap.json file uploaded to the GitHub repository https://github.com/slushjs/gulp-conflict

Questions: We are conducting a research study on the lock files used in JS projects. We were curious:

  1. Will you upload any lock files to GitHub as recommended above? (Yes/No), and why?:
  2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Rationale: NPM introduced package-lock.json and npm-shrinkwrap.json files to capture the exact dependency tree installed at any point in time. When package.json defines the required dependencies and their respective versions using semantic versioning (e.g., “express”: “^4.16.4”), npm always downloads the latest version of packages to satisfy the specified version ranges (e.g., 4.17.1) [1]. If the latest version of any package keeps changing and has backward incompatibility issues with previous versions, the project may have an inconsistent running environment and get intermittent failures. In such scenarios, it can be very difficult for developers to debug programs and settle down the software environment [2].

List of Risks:

  • Nondeterministic package downloads and installations across different environments [3]
  • Produce irreproducible builds [4]
  • Inconsistent results of program execution [5]

Suggested Solution: Please fixate the dependencies by either specifying the exact library version in the package.json file or by uploading the package-lock.json or npm-shrinkwrap.json file to GitHub.

References:
[1] https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json
[2] https://blog.logrocket.com/why-you-should-use-package-lock-json/
[3] 2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
[4] Pronnoy Goswami, Saksham Gupta, Zhiyuan Li, Na Meng, and Daphne Yao. 2020. Investigating The Reproducibility of NPM Packages. In 2020 IEEE International
[5] 2021. Npm Security Best Practices. https://bytesafe.dev/posts/npm-security-best-practices/#no9-deterministic-results.
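As an added example (not code from gulp-conflict or from the issue author), the script below classifies each package.json dependency as an exact pin or a semver range, the distinction the rationale above turns on, and checks whether a lock file records a resolved version for it. The manifests it runs on are constructed sample data, not the project's real files.

```javascript
// Added example, not part of gulp-conflict: report which package.json
// dependencies are semver ranges (resolved to the newest matching release at
// install time) and whether a lock file fixes a version for each of them.

// A spec counts as an exact pin only if it is a bare x.y.z[-prerelease].
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Resolved version of a top-level dependency from a lock file, or null.
// lockfileVersion 2/3 keys entries as "node_modules/<name>" under
// "packages"; lockfileVersion 1 keys them by name under "dependencies".
function lockedVersion(lock, name) {
  if (!lock) return null;
  const v2 = lock.packages && lock.packages[`node_modules/${name}`];
  if (v2 && v2.version) return v2.version;
  const v1 = lock.dependencies && lock.dependencies[name];
  return v1 && v1.version ? v1.version : null;
}

function auditDependencies(pkg, lock) {
  const specs = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  return Object.keys(specs).sort().map((name) => ({
    name,
    spec: specs[name],
    pinned: isExactVersion(specs[name]),
    locked: lockedVersion(lock, name),
  }));
}

// Installs are deterministic only if every ranged spec is fixed by the lock.
function isReproducible(report) {
  return report.every((d) => d.pinned || d.locked !== null);
}

// Constructed sample: a caret range (express), an exact pin (lodash) and a
// tilde-range dev dependency (debug) that the constructed lock file omits.
const samplePkg = {
  dependencies: { express: '^4.16.4', lodash: '4.17.21' },
  devDependencies: { debug: '~2.6.8' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/express': { version: '4.17.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};
```

Running `auditDependencies(samplePkg, sampleLock)` shows express resolved by the lock despite its range, lodash pinned outright, and debug neither, so `isReproducible` reports false until the lock file covers it.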

non-CLI usage

What do you recommend if I want to filter out existing files automatically, not CLI-based, but in a library? I'd like to use this plugin, but it 1. requires the console object and 2. pollutes the CLI.

Conflict module, causing tests to time out.

I am also using the mock-gulp-test module. In situations when you are scaffolding files that are also the names of files in the scaffolding tool, like README.md and package.json, the conflict module prompts and interrupts the test, causing it to fail.

with conflict in the pipeline

[?] Replace README.md? (Ynaxdh)  0

  0 passing (2s)
  1 failing

  1) slush-example default should make a readme:
     Error: timeout of 2000ms exceeded. Ensure the done() callback is being called in this test.
      at null.<anonymous> (E:\Users\<username>\Desktop\slush-example\node_modules\mocha\lib\runnable.js:170:19)
      at Timer.listOnTimeout [as ontimeout] (timers.js:112:15)

stream.js:94
      throw er; // Unhandled stream error in pipe.
            ^
Error: 1 test failed.

when I take it out everything is ok. This is only occurring on the unit tests, is there a way around this? I've tried doing something similar to what you are doing in this

but the prompts are still causing issues.

I would also add that the .on('stop') did not work in my tests, and I had to resort to using on('task_stop'). If this is the wrong module to be submitting this issue let me know.

I haven't gone into exhaustive detail in case this is something you've encountered before. However, if you'd like more detail, let me know and I can flesh it out more throughout. Thank you very much for your hard work on this module and your time.

Audit vulnerabilities detected in the gulpconflict project on Tag: 0.4.0

Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:

npm audit report

debug <=2.6.8 || 3.0.0 - 3.0.1
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/534
Depends on vulnerable versions of ms
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/diff
node_modules/mocha/node_modules/diff
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

growl <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/growl
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/lodash
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/inquirer

minimatch <=3.0.1
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/118
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/minimatch
glob 3.0.0 - 5.0.14
Depends on vulnerable versions of minimatch
node_modules/glob
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mkdirp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

ms <=0.7.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/46
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/ms
debug <=2.6.8 || 3.0.0 - 3.0.1
Depends on vulnerable versions of ms
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

11 vulnerabilities (2 low, 2 moderate, 5 high, 2 critical)

To address all issues (including breaking changes), run:
npm audit fix --force

Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:

  1. Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
  2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].

Steps to reproduce:

  • Go to the root folder of the project where the package.json file is located
  • Execute “npm audit”
  • Look at the list of vulnerabilities reported

Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.

References:
[1] 2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
[2] 2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit.
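An added example, not from the project or the issue author: a small CI gate over the JSON form of `npm audit` that fails on advisories at or above a severity threshold and flags which fixes `npm audit fix --force` would apply as breaking upgrades. It runs against a constructed report carrying three of the advisories listed above; the `fixAvailable` values and the assumed JSON shape (npm 7's `vulnerabilities` map) are assumptions, not output captured from this project.

```javascript
// Added example, not part of gulp-conflict: a CI gate over `npm audit --json`.
// It fails when any advisory reaches a severity threshold and flags fixes that
// `npm audit fix --force` would apply as breaking (semver-major) upgrades.
// The report below is constructed sample data shaped like npm 7's JSON output
// (assumed: a `vulnerabilities` map with `severity`, `via`, `fixAvailable`).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function gateAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  const vulns = Object.values(report.vulnerabilities || {});
  const blocking = vulns
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      // `via` mixes advisory objects (root cause) with package-name strings
      // (only vulnerable through that dependency); keep the advisory URLs.
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.url),
      // fixAvailable is true/false or { name, version, isSemVerMajor }.
      breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    }));
  return { pass: blocking.length === 0, blocking, total: vulns.length };
}

// Constructed sample using three advisories from the report above; the
// fixAvailable values are made up for illustration (version is a placeholder).
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    growl: {
      name: 'growl', severity: 'critical', range: '<1.10.2',
      via: [{ title: 'Command Injection', url: 'https://npmjs.com/advisories/146' }],
      fixAvailable: { name: 'mocha', version: 'PLACEHOLDER', isSemVerMajor: true },
    },
    lodash: {
      name: 'lodash', severity: 'high', range: '<=4.17.20',
      via: [
        { title: 'Prototype Pollution', url: 'https://npmjs.com/advisories/1065' },
        { title: 'Command Injection', url: 'https://npmjs.com/advisories/1673' },
      ],
      fixAvailable: { name: 'lodash', version: 'PLACEHOLDER', isSemVerMajor: true },
    },
    ms: {
      name: 'ms', severity: 'moderate', range: '<=0.7.0',
      via: [{ title: 'Regular Expression Denial of Service', url: 'https://npmjs.com/advisories/46' }],
      fixAvailable: true, // a non-breaking fix exists (constructed)
    },
  },
};
```

With the default `high` threshold, `gateAudit(sampleAudit)` blocks on growl and lodash and reports both fixes as breaking, so the build can refuse the tree while still telling the maintainer that `npm audit fix` alone will not be enough.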

Feature to go with default choice without user interaction

It would be nice to have a silent mode.
Sometimes you come across needs where you always want to go with 'skip' option.

Like in my case, I am processing images, and each time I want to only process the image which does not exist in target/destination directory.
This is going to be run through a cron job, so I don't want any user interaction and always skip when conflict happens.

Replacing File gives message "Keeping File"

Title says it all I think? If I opt to replace my file, the next message says it is keeping that file. Seems a little confusing to me. Shouldn't it say "Replacing" instead?

Missing documentation?

  • How does one configure the log messages?
  • How does one change the default action?

I tried this

.pipe(conflict('./', {
    defaultChoice: 'd'
}))

It failed. Can someone show some examples or point me to the docs that can show me how to deal with these issues? Thanks
