scottyaslan commented on a change in pull request #4449: URL: https://github.com/apache/nifi/pull/4449#discussion_r465808576
########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json ########## @@ -144,20 +144,20 @@ "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.0.4.tgz", "integrity": "sha1-AMLyOAGfJPbAoZSibUGhUw/+e8Q=", "requires": { - "d3-dispatch": "1.0.3", - "d3-drag": "1.2.1", - "d3-interpolate": "1.1.6", - "d3-selection": "1.3.0", - "d3-transition": "1.1.1" + "d3-dispatch": "1",

Review comment: This change may appear strange, but what it is saying is that "d3-brush" version 1.0.4 requires any minor or patch release of "d3-dispatch" version 1. This, however, does not change the version of the "d3-dispatch" package that is installed during the build. That is defined here: https://github.com/apache/nifi/pull/4449/files#diff-9a4616626c8b30875e090d2d589ce665R173.

This change is due to the upgrade of npm to version 6.10.0. Although this update produces a confusing diff in our package-lock.json, this "new" approach seems correct to me. If you save the exact version of a direct dependency in our package.json (as we have done in this PR), the package-lock.json should not list that dependency's dependencies in exact versions. What if another direct dependency also requires the same package as a transitive dependency but it lists a different exact minor version? That will produce warnings (or worse... errors!) during the `npm install` process. All that matters is that npm produces the same resulting node_modules every time - which it does.
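
Review bot: in the `requires` block of the d3-brush entry, `"d3-dispatch": "1"` replaces the exact `1.0.3`, so this hunk on its own no longer shows which d3-dispatch version the build pins. Before merging, confirm that the d3-dispatch entry in this lock file still carries an exact `version` together with an `integrity` value, and have the build install with `npm ci` so the lock file is applied as written instead of being re-resolved.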
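
The distinction drawn in the review comment above (a loose range under `requires`, an exact pin in the package's own lock entry) can be checked mechanically. This is an added example, not code from the pull request or the NiFi project; `auditLock`, `satisfies` and `resolve` are hypothetical names, the sample lock object is constructed, and only the two range forms visible in the diff (exact and partial versions) are evaluated.

```javascript
// Audits a lockfileVersion 1 (npm 6 style) lock object: every entry must be
// pinned to a plain x.y.z version with an integrity hash, and every range
// listed under "requires" must be met by the entry npm would resolve it to.
const EXACT = /^\d+\.\d+\.\d+$/;

// Evaluates only exact ("1.0.3") and partial ("1", "1.2") ranges.
// Any other range syntax returns null, meaning "not evaluated".
function satisfies(version, range) {
  if (!/^\d+(\.\d+){0,2}$/.test(range)) return null;
  const have = version.split('.');
  return range.split('.').every((part, i) => part === have[i]);
}

// Nearest enclosing "dependencies" map wins, as with nested node_modules.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return scopes[i][name];
  }
  return null;
}

function auditLock(lock) {
  const problems = [];
  (function walk(deps, scopes) {
    const here = scopes.concat([deps]);
    for (const [name, entry] of Object.entries(deps)) {
      if (!EXACT.test(entry.version)) problems.push(`${name}: version is not plain x.y.z`);
      if (!entry.integrity) problems.push(`${name}: no integrity hash`);
      const inner = entry.dependencies || {};
      for (const [req, range] of Object.entries(entry.requires || {})) {
        const pinned = resolve(req, here.concat([inner]));
        if (!pinned) problems.push(`${name}: ${req} not in lock`);
        else if (satisfies(pinned.version, range) === false)
          problems.push(`${name}: ${req}@${pinned.version} outside "${range}"`);
      }
      walk(inner, here);
    }
  })(lock.dependencies || {}, []);
  return problems;
}

// Constructed sample; the hashes are placeholders, not real values.
const sample = { lockfileVersion: 1, dependencies: {
  'd3-brush': { version: '1.0.4', integrity: 'sha1-PLACEHOLDER',
    requires: { 'd3-dispatch': '1', 'd3-drag': '1' } },
  'd3-dispatch': { version: '1.0.3', integrity: 'sha1-PLACEHOLDER' },
  'd3-drag': { version: '2.0.0' },
} };

console.log(auditLock(sample));
```

In the sample, the range `"1"` for d3-dispatch passes because the pinned entry is 1.0.3, while the constructed d3-drag entry is reported twice: once for falling outside the range and once for lacking an integrity hash.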