We have enabled depedebot alert on our repository. But depedebot is not opening new PR for some of vulnebrites.
For example :
Below is one of alert I see
`
The latest possible version that can be installed is 2.4.2 because of the following conflicting dependencies:
zip-folder#1.0.0 requires lodash#~2.4.1 via archiver#0.11.0
zip-folder#1.0.0 requires lodash#~2.4.1 via a transitive dependency on zip-stream#0.4.1
The earliest fixed version is 4.17.21.
`
But Zip-folder is not updated on npm repo so far as fix on lodash was relased 9 year ago i.e;v 1.1.1 but loadash latest version 4.17.21 and it's using v 1.1.0
As zip depedency is transitive should I update v1.1.1 in my package.json manually. Will it override the vesion used by zip or there is some alternative of this approach?
Related
I recently upgraded to Scala 2.13.6 and I am seeing:
Error downloading org.scalameta:semanticdb-scalac_2.13.6:4.4.10
when I try to build.
I had a similar error when I upgraded to 2.13.5, but was able to add semanticdbVersion := "4.4.11" to build.sbt to get it to work.
This is not working this time.
You can check on the central Maven repository which versions of the project is available for which version of Scala:
https://mvnrepository.com/artifact/org.scalameta/semanticdb-scalac
The only version built for Scala 2.13.6 is 4.4.18 as of today.
This info is probably also available on their GitHub release note oages
I assume you are using the sbt-scalafix plugin in your build. This kind of error can happen if you update the scala version before you update the scalafix plugin to the latest version because the semanticdb version is usually set via this setting in your build.sbt (At least this is the official recommendation):
semanticdbVersion := scalafixSemanticdb.revision
In case of scala v2.13.6 I needed to bump the version of sbt-scalafix to v0.9.28 to fix the error you described.
I have quite a big Play/Akka project on Scala 2.11 with literally dozens of dependencies, for which we need to migrate to all new stack: newest Play, Akka, Scala etc.
But along the upgrade way, our team constantly facing unexpected issues after certain lib update that another lib has transitive dependency on it, which was evicted and suddenly starting to crash in runtime somewhere in internals. E.g. play-pac4j has transitive dependency on Play, which we forgot to upgrade properly after Play upgrade from 2.5 to 2.7.
Question: is there any sbt plugin, which can say in advance which dependencies I need to change to which version version, if I want to update dependency group % name from version-x to version-y?
I'm aware of sbt-dependency-graph plugin and we are using, but I want some automation. Meaning: sbt-dependency-graph has whatDependsOn command, but I don't want to manually verify which version is compatible with transitive dependency i want to go to.
Thank you.
I use storm-eventhub jar for my project using maven artifact as follows
<groupId>org.apache.storm</groupId>
<artifactId>storm-eventhubs</artifactId>
<version>2.0.0</version>
storm-eventhub internally uses azure-eventhub version 0.13.1 which is old one.
Hence we are forced to use the same version of azure-eventhub jar in our project as well.
Now the requirement is that we have to upgrade to azure-eventhub version 2.3.2 but storm-eventhub classes fail with NoClassDef errors since many classes refer to 0.13.1 version of azure-eventhub.
Should I customize the classes myself OR can I raise a request to apache community to upgrade the azure-eventhub version inside storm-eventhub library. If so, what would be the ETA approximately.
There is a PR open to upgrade the client version for storm-eventhubs at https://github.com/apache/storm/pull/3004. Unfortunately it looks like the author didn't have time to finish it. You are welcome to pick it up.
In Visual Studio 2017 Update 3 (15.3), with latest Nuget (4.3.0.4339), I am trying to upgrade Microsoft.Data.Edm from 5.6.4 --> 5.8.2.
Attempting to gather dependency information for package 'Microsoft.Data.Edm.5.8.2' with respect to project 'ConsoleApps\FeedProvider', targeting '.NETFramework,Version=v4.6.1'
Gathering dependency information took 1.98 sec
Attempting to resolve dependencies for package 'Microsoft.Data.Edm.5.8.2' with DependencyBehavior 'Lowest'
Resolving dependency information took 0 ms
Resolving actions to install package 'Microsoft.Data.Edm.5.8.2'
Resolved actions to install package 'Microsoft.Data.Edm.5.8.2'
Time Elapsed: 00:00:02.0136869
========== Finished ==========
On Nuget site Edm package does not list any dependencies. When confirmation window shows up it lists dependencies under installing section, which seem to be pulled from Microsoft.Data.Services.Client .NETStandard 1.1 list of dependencies:
I am clearly not using .NETStandard 1.1 for the project in question (nor any other project in this solution), as you can see if you scroll top log to the right with respect to project 'ConsoleApps\FeedProvider', targeting '.NETFramework,Version=v4.6.1'
Does anyone know what's up, or how to get around this problem?
Does anyone know what's up, or how to get around this problem?
Update answer according to the CrnaStena`s comment.
This package should be a problematic package. According to the Dependencies of the package Microsoft.Data.Services.Client:
We can notice that the dependencies Microsoft.Data.Edm has no framework specific. In this condition, NuGet will install the dependencies in the framework .NET Standard, Version=1.1. That why we got that confirmation window shows up the error dependencies.
In order to track this issue, I have create a new issue on GitHub:
NuGet install the wrong dependecies
To resolve this issue, I downloaded this package and add the dependence Microsoft.Data.Edm in to the .net framework 4.0 by NuGet Package Explorer.
Update:
Since there is a new version released:https://www.nuget.org/packages/Microsoft.Data.Services.Client/5.8.3
I have verified it, and it works fine.
Then save this package to the local feed, install the package from local feed.
For some reason sbt bails on .11.3 when working with the mongodb-record auth project, and it seems to me that's the only version i can download from the git site.
The idiomatic way is to specify sbt version in build.properties as
sbt.version=0.11.2
But since group id in 0.11.3 was changed from org.scala-tools.sbt to org.scala-sbt, sbt can't resolve older versions. But you still can manually download older version of launcher from typesafe repo.