[GitHub] [nifi] mcgilman commented on a change in pull request #4449: [NIFI-7705] update frontend deps

2020-08-05 Thread GitBox


mcgilman commented on a change in pull request #4449:
URL: https://github.com/apache/nifi/pull/4449#discussion_r465922789



##
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json
##
@@ -144,20 +144,20 @@
   "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.0.4.tgz;,
   "integrity": "sha1-AMLyOAGfJPbAoZSibUGhUw/+e8Q=",
   "requires": {
-"d3-dispatch": "1.0.3",
-"d3-drag": "1.2.1",
-"d3-interpolate": "1.1.6",
-"d3-selection": "1.3.0",
-"d3-transition": "1.1.1"
+"d3-dispatch": "1",
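Review bot: on the added line `"d3-dispatch": "1"`, the `requires` entry under d3-brush changes from an exact version to a range, so this block no longer pins d3-dispatch by itself. Please confirm that d3-dispatch and the four other modules on the removed lines each keep their own lockfile entry with an exact `version`, `resolved` and `integrity`, and that the build installs with `npm ci` so those entries are what actually gets fetched.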

Review comment:
   @scottyaslan @sardell I think I misunderstood the top-level dependency 
comment. It looks like all dependencies (transitive or not) will be 'top-level' 
in the package-lock.json. These will have explicit versions and will ensure 
repeatable builds assuming we use it in our builds.





This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [nifi] mcgilman commented on a change in pull request #4449: [NIFI-7705] update frontend deps

2020-08-05 Thread GitBox


mcgilman commented on a change in pull request #4449:
URL: https://github.com/apache/nifi/pull/4449#discussion_r465896879



##
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/frontend/package-lock.json
##
@@ -144,20 +144,20 @@
   "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.0.4.tgz;,
   "integrity": "sha1-AMLyOAGfJPbAoZSibUGhUw/+e8Q=",
   "requires": {
-"d3-dispatch": "1.0.3",
-"d3-drag": "1.2.1",
-"d3-interpolate": "1.1.6",
-"d3-selection": "1.3.0",
-"d3-transition": "1.1.1"
+"d3-dispatch": "1",
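Review bot: the unchanged context line `"integrity": "sha1-…"` shows the d3-brush tarball is still verified with a SHA-1 digest only. While the lockfile is being touched, check whether the npm version used for this update can record a sha512 value for that tarball, and if only SHA-1 is available for it, say so in the PR so the weaker digest is a known exception.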

Review comment:
   @scottyaslan @sardell Thanks for the analysis here. If I've understood 
these comments correctly, they explain the behavior for a direct dependency of 
NiFi. They even touch on what happens if there is a conflict in versions between a 
direct dependency of NiFi that is also a transitive dependency. 
   
   But what is the behavior for something that is only a transitive dependency 
and there is no direct dependency to compare against? If that `requires` 
section does not contain a specific version, what ensures that when newer 
versions become available they aren't used? Looking to confirm that we can 
claim that we have repeatable builds.





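As an added example (not code from the NiFi project or from either commenter), the check below tests the property both comments above rely on for repeatable builds: every lockfile entry has an exact `version` and a sha512 `integrity`, and every `requires` range is satisfied by a pinned entry. It assumes the lockfileVersion 1 layout; `sampleLock`, `auditLock` and `satisfies` are hypothetical names and the sample data is constructed.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 1 layout) for pinning.
// sampleLock is constructed; its versions and digests are not taken from the NiFi PR.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "d3-brush": {
      version: "1.0.4",
      integrity: "sha1-CONSTRUCTEDdigest=",
      requires: { "d3-dispatch": "1", "d3-drag": "1", "d3-selection": "1" }
    },
    "d3-dispatch": { version: "1.0.3", integrity: "sha512-CONSTRUCTEDdigest==" },
    "d3-drag": { version: "2.0.0", integrity: "sha512-CONSTRUCTEDdigest==" }
  }
};

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Checks an exact version against an exact or partial range ("1.0.3", "1", "1.2").
// Returns null for anything else (^, ~, ||, URLs): not evaluated here.
// Prerelease tags on the version are ignored.
function satisfies(version, range) {
  if (!EXACT.test(version) || !/^\d+(\.\d+){0,2}$/.test(range)) return null;
  const have = version.split("-")[0].split(".");
  return range.split(".").every((part, i) => part === have[i]);
}

function auditLock(lock) {
  const findings = [];
  // scopes: enclosing "dependencies" maps, nearest first, as npm resolves upward.
  const walk = (deps, scopes, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path + name;
      if (!EXACT.test(entry.version || "")) findings.push(`${here}: version is not exact`);
      if (!entry.integrity) findings.push(`${here}: no integrity digest`);
      else if (!/(^|\s)sha512-/.test(entry.integrity)) findings.push(`${here}: integrity is not sha512`);
      const chain = [entry.dependencies || {}, deps, ...scopes];
      for (const [req, range] of Object.entries(entry.requires || {})) {
        const scope = chain.find((s) => has(s, req));
        if (!scope) findings.push(`${here}: requires ${req}@${range} but no entry pins it`);
        else if (satisfies(scope[req].version || "", range) === false)
          findings.push(`${here}: ${req}@${scope[req].version} is outside ${range}`);
      }
      walk(entry.dependencies, [deps, ...scopes], `${here} > `);
    }
  };
  walk(lock.dependencies, [], "");
  return findings;
}

console.log(auditLock(sampleLock).join("\n"));
```

The lockfile only gives repeatability when the build installs from it with `npm ci`, which fails when package.json and the lockfile disagree instead of rewriting the lock.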