Some of the assets use tools sourced from the npm software registry. Previously, the version of the tools used was not controlled. This was problematic because: - A different version of the tool may be used on the contributor's machine than on the CI runner, resulting in confusing failures. - The project is immediately subject to disruption or breakage resulting from a release of the tool. --- These tools were installed via either of the following methods: `npx <pkg>` This approach has the following behaviors of interest: https://docs.npmjs.com/cli/v8/commands/npx#description > If any requested packages are not present in the local project dependencies, then they are installed to a folder in the npm cache, which is added to the PATH environment variable in the executed process. > Package names provided without a specifier will be matched with whatever version exists in the local project. Package names with a specifier will only be considered a match if they have the exact same name and version as the local dependency. This means that the version used was: 1. Whatever happens to be present in the local cache 2. The latest available version if it is not already present `npm install --global <pkg>` The latest available version of the package is used. --- The new approach is to specify the version of the tools via the standard npm metadata files (package.json + package-lock.json). This approach was chosen over the `npx <pkg>@<version>` alternative for the following reasons: - Enables automated updates via Dependabot PRs - Enables automated vulnerability alerts - Separates dependency management from the asset contents (i.e., no need to mess with the taskfile or workflow on every update) - Matches how we are already managing Python dependencies (pyproject.toml + poetry.lock)
{
"name": "setup-task",
"private": true,
"description": "Setup Task action",
"main": "lib/main.js",
"repository": {
"type": "git",
"url": "git+https://github.com/arduino/setup-task.git"
},
"keywords": [
"actions",
"taskfile",
"task",
"setup"
],
"author": "Arduino",
"license": "GPL-3.0",
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/tool-cache": "^2.0.1",
"semver": "^7.3.8",
"typed-rest-client": "^1.8.9"
},
"devDependencies": {
"@actions/io": "^1.1.2",
"@types/jest": "^28.1.8",
"@types/node": "^16.18.9",
"@types/semver": "^7.3.13",
"@typescript-eslint/eslint-plugin": "^5.46.1",
"@typescript-eslint/parser": "^5.46.1",
"@vercel/ncc": "^0.36.0",
"ajv-cli": "^5.0.0",
"ajv-formats": "^2.1.1",
"eslint": "^8.29.0",
"eslint-config-airbnb-base": "^15.0.0",
"eslint-config-airbnb-typescript": "^17.0.0",
"eslint-config-prettier": "^8.5.0",
"eslint-plugin-import": "^2.26.0",
"github-label-sync": "2.2.0",
"jest": "^28.1.3",
"jest-circus": "^29.3.1",
"markdown-link-check": "^3.10.3",
"markdownlint-cli": "^0.32.2",
"nock": "^13.2.9",
"prettier": "^2.8.1",
"strip-json-comments-cli": "^2.0.2",
"ts-jest": "^28.0.8",
"typescript": "^4.9.4"
}
}
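Review bot: The version control this commit is after is only as strong as the lockfile and the install command, because every devDependency except `"github-label-sync": "2.2.0"` is a caret range (`^`) that package.json alone does not pin; the reproducibility argument in the description holds only if package-lock.json is committed and CI installs with `npm ci` (which fails on a lockfile/manifest mismatch) rather than `npm install`, which may rewrite the lockfile. It is worth stating that expectation in the description or a README note so a future contributor does not regenerate the lockfile by accident. Separately, `"jest-circus": "^29.3.1"` sits one major ahead of `"jest": "^28.1.3"`, `"ts-jest": "^28.0.8"` and `"@types/jest": "^28.1.8"`; if that mismatch is not deliberate it is likely to surface as confusing runner/config failures, which is exactly the class of problem the commit is trying to remove. The rest of the file (name, repository, runtime dependencies) looks consistent with the stated scope.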