Skip to content

Backport to 26.3: PackageLockJsonTest allow "npm:" alias transitive dependencies (#2995)#3095

Merged
labkey-martyp merged 1 commit into
release26.3-SNAPSHOTfrom
26.3_fb_package_lock_npm_alias
Jul 9, 2026
Merged

Backport to 26.3: PackageLockJsonTest allow "npm:" alias transitive dependencies (#2995)#3095
labkey-martyp merged 1 commit into
release26.3-SNAPSHOTfrom
26.3_fb_package_lock_npm_alias

Conversation

@labkey-martyp

Copy link
Copy Markdown
Contributor

Rationale

Cherry-pick of #2995 to release26.3-SNAPSHOT. Packages that declare npm-aliased dependencies (e.g. npm:react-is@^18.3.1) are legitimate registry references, but the pre-#2995 version of the test flags them as untrusted sources.

Related Pull Requests

Changes

  • Allow transitive dependency version specs with an npm: alias prefix instead of the hard-coded allow-list; still flags URL, file, git, and workspace specs.
  • Error messages report lock-file paths relative to server/modules.

@labkey-martyp labkey-martyp merged commit ce38480 into release26.3-SNAPSHOT Jul 9, 2026
8 checks passed
@labkey-martyp labkey-martyp deleted the 26.3_fb_package_lock_npm_alias branch July 9, 2026 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants