chore: add npm lockfile for demos/extractor#926
- Remove package-lock.json from demos/extractor/.gitignore
- Add generated package-lock.json (lockfileVersion 3) for demos/extractor

Existing lockfiles already tracked:
- go.sum (Go module checksums)
- model-cli/Cargo.lock (Rust)
- demos/embeddings/package-lock.json (npm)
Code Review
This pull request removes package-lock.json from the .gitignore and adds the lockfile to the repository. A critical security and correctness issue was identified in the package-lock.json file, as it references non-existent versions of express, cors, and multer on the public npm registry, which will prevent reproducible builds and introduces supply chain vulnerabilities.
| "dependencies": { | ||
| "cors": "^2.8.5", | ||
| "express": "^4.18.2", | ||
| "multer": "2.1.1", | ||
| "pdf-data-extractor": "^1.0.1" | ||
| }, |
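Review bot: multer is pinned to the exact version 2.1.1 while cors, express and pdf-data-extractor use caret ranges; if the exact pin is intentional, say why in the PR description, otherwise use ^2.1.1 for consistency with the other entries. Since the lockfile hunk itself is not quoted here, also consider having CI run npm ci against the committed package-lock.json so a lock/package.json mismatch fails the build rather than surfacing at install time.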
This package-lock.json file appears to be invalid. It references several package versions that do not exist on the public npm registry (registry.npmjs.org). This is a critical issue as it will cause npm ci to fail, preventing reproducible builds, and poses a supply chain security risk.
Specifically:
- express is resolved to 4.22.2, but this version does not exist. The ^4.18.2 range in package.json should resolve to a valid version like 4.19.2.
- cors is resolved to 2.8.6, which was a problematic release and is no longer available.
- multer is pinned to 2.1.1 in package.json, but this version does not exist.
To fix this, please correct the dependencies in package.json (for example, you could use ^1.4.5-lts.1 for multer) and then regenerate the package-lock.json file by running npm install.
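The consistency that npm ci enforces between package.json and a lockfileVersion 3 lockfile (declared range satisfied by the resolved version, integrity hash present) can be checked offline; the following is an added example, not code from this pull request, using a deliberately minimal semver matcher (exact, ^ and ~ only) and sample data constructed from the versions named in this thread:

```python
import re

# Constructed sample data based on the versions named in the review thread.
PACKAGE_JSON = {"dependencies": {
    "cors": "^2.8.5", "express": "^4.18.2", "multer": "2.1.1"}}
# Constructed lockfile fragment (lockfileVersion 3); integrity values are placeholders.
PACKAGE_LOCK = {"lockfileVersion": 3, "packages": {
    "node_modules/cors": {"version": "2.8.6", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/express": {"version": "4.22.2", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/multer": {"version": "2.1.1"},  # integrity deliberately missing
}}

def parse(v):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-.*)?", v)
    if not m:
        raise ValueError(f"unsupported version {v!r}")
    return tuple(int(x) for x in m.groups())

def satisfies(version, spec):
    """Minimal semver matcher: exact, caret (^) and tilde (~) specs only."""
    have = parse(version)
    op, want = (spec[0], parse(spec[1:])) if spec[0] in "^~" else ("", parse(spec))
    if op == "":
        return have == want
    if have < want:
        return False
    if op == "~":                       # ~1.4.5 allows 1.4.x only
        return have[:2] == want[:2]
    idx = next((i for i, c in enumerate(want) if c), 0)  # ^: first non-zero part fixed
    return have[:idx + 1] == want[:idx + 1]

def check_lock(package_json, lock):
    """Return problems found; an empty list means the lock matches package.json."""
    problems = []
    if lock.get("lockfileVersion") != 3:
        problems.append("unexpected lockfileVersion")
    pkgs = lock.get("packages", {})
    for name, spec in package_json["dependencies"].items():
        entry = pkgs.get(f"node_modules/{name}")
        if entry is None:
            problems.append(f"{name}: missing from lockfile")
            continue
        if not satisfies(entry["version"], spec):
            problems.append(f"{name}: {entry['version']} does not satisfy {spec}")
        if "integrity" not in entry:   # no hash means no tamper check at install time
            problems.append(f"{name}: no integrity hash")
    return problems
```

With the sample data the only finding is the missing integrity hash on multer; whether a resolved version actually exists on the registry is a separate, online check.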
package released
express 4.22.2 11 days ago
cors 2.8.6 4 months ago
multer 2.1.1 3 months ago
Add missing package-lock.json for demos/extractor and unblock it from .gitignore.

What changed:
- package-lock.json from demos/extractor/.gitignore
- demos/extractor/package-lock.json via npm install --package-lock-only

Existing lockfiles already committed (no changes needed):
- go.sum: Go module checksums
- model-cli/Cargo.lock: Rust
- demos/embeddings/package-lock.json: npm

No Python requirements files found; no Terraform .tf files found.