mcgilman commented on a change in pull request #4449: URL: https://github.com/apache/nifi/pull/4449#discussion_r465896879
########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json ########## @@ -144,20 +144,20 @@ "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.0.4.tgz", "integrity": "sha1-AMLyOAGfJPbAoZSibUGhUw/+e8Q=", "requires": { - "d3-dispatch": "1.0.3", - "d3-drag": "1.2.1", - "d3-interpolate": "1.1.6", - "d3-selection": "1.3.0", - "d3-transition": "1.1.1" + "d3-dispatch": "1",

Review comment: @scottyaslan @sardell Thanks for the analysis here. If I've understood these comments correctly, they explain the behavior for a direct dependency of NiFi. They even touch on what happens if there is a conflict in versions between a direct dependency of NiFi that is also a transitive dependency. But what is the behavior for something that is only a transitive dependency and there is no direct dependency to compare against? If that `requires` section does not contain a specific version, what ensures that when newer versions become available they aren't used? Looking to confirm that we can claim that we have repeatable builds.
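
Review bot: In the `requires` block of `d3-brush`, `"d3-dispatch": "1"` replaces the exact `1.0.3` with a major-version range, so this block on its own no longer states which release gets installed. The pin has to come from the `d3-dispatch` entry elsewhere in the lock file, which this hunk does not show. Please confirm that entry carries an exact `version` and an `integrity` value, and that the build installs with `npm ci` so the lock file is used as written rather than re-resolved.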
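
One way to check the repeatable-build question mechanically for a lockfileVersion 1 `package-lock.json`, as an added example that is not part of the original comment or of NiFi's code: it walks the lock tree and reports every `requires` range that does not resolve to an entry with an exact `version` and an `integrity` hash. The `auditLock` helper and the sample lock object are hypothetical and constructed for illustration.

```javascript
// Constructed lockfileVersion 1 fragment: integrity values are placeholders,
// and the "d3-drag" entry is left out on purpose.
const sampleLock = {
  dependencies: {
    "d3-brush": {
      version: "1.0.4", integrity: "sha1-PLACEHOLDER",
      requires: { "d3-dispatch": "1", "d3-drag": "1" }
    },
    "d3-dispatch": { version: "1.0.3", integrity: "sha1-PLACEHOLDER" }
  }
};

// An exact semver version, as opposed to a range such as "1" or "^1.0.3".
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Look a name up the way nested node_modules are searched:
// innermost `dependencies` map first, then outward to the root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Hypothetical helper: list every `requires` edge the lock file does not pin.
function auditLock(lock) {
  const findings = [];
  const walk = (deps, outer, path) => {
    const scopes = outer.concat([deps]);
    for (const [name, entry] of Object.entries(deps)) {
      const own = entry.dependencies || {};
      const where = path.concat(name).join(" > ");
      for (const [req, range] of Object.entries(entry.requires || {})) {
        const target = resolve(req, scopes.concat([own]));
        if (!target) {
          findings.push(`${where}: ${req}@${range} has no lock entry`);
        } else if (!EXACT.test(target.version || "")) {
          findings.push(`${where}: ${req} is locked to a non-exact version`);
        } else if (!target.integrity) {
          findings.push(`${where}: ${req}@${target.version} has no integrity hash`);
        }
      }
      walk(own, scopes, path.concat(name));
    }
  };
  walk(lock.dependencies || {}, [], []);
  return findings;
}
console.log(auditLock(sampleLock));
```

An empty result means every transitive range in the file is backed by a pinned, hashed entry; entries locked to git URLs or tarballs are reported as non-exact and need a manual look.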