v3 tracking

[naugtur]

Remaining open issues before v3 final release

• Doesn't work with npm@7 and above [work almost finished, see @next tag on npm] #34
• Make 'resolve-audit' exit with a non-zero exit code if run from a CI server #25
• --audit-level pass-through does not behave as expected #22
• address the missing fix functionality
• update dependencies

[joebowbeer]

Any update?

npm7 is no longer maintained, right? The last release (npm v7.24.2) was 1 year ago.

Given that Node 16 enters maintenance phase in 60 days, and even it ships with npm v8, is there any need to support npm v7?

What else is blocking this release?

[naugtur]

It's about npm7 and above.
I'm waiting with the release to finish a bunch of minor features. Main npm7+ support is done.
I should probably stop waiting...

I'm a bit swamped with lots of other stuff though and help from community has run out, so need to push it over the line myself now.

[joebowbeer]

Can v3 be released without #25 ?

It looks like #25 is a nice-to-have enhancement and not a strict requirement for v3

[naugtur]

It's a breaking change so I kept it in scope for v3.
Sorry this is taking so long. It's a "too much life in my life to do opensource outside work" situation. (Nothing compared to zloirock tho)
Thanks for not giving up on audit resolver!

[naugtur]

I published npm-audit-resolver@next v3.0.0-8 and it's a release candidate to be the official 3.0.

Please let me know if it works for you!

[naugtur]

Oh, I should probably update dependencies to latest while I'm at it.

[jesse-mm]

Would you have a rough ETA on publishing this release ?

[naugtur]

Try now :)

latest is 3.0.0-RC.0 now and the RC part is there just for me to not feel like I need to wait for more testing :D

[jesse-mm]

Nice! Great work :) 🎉

[aoberoi]

any blockers to releasing as a stable version (as opposed to RC)?

[naugtur]

I was hoping to get some feedback before I do 😅

…

On Sat, Dec 9, 2023, 01:28 Ankur Oberoi ***@***.***> wrote: any blockers to releasing as a stable version (as opposed to RC)? — Reply to this email directly, view it on GitHub <#60 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD4LP2YVO5MLHK25LN6TV3YIOWDPAVCNFSM5YVLKVE2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOBUHAYDAMZYGU4A> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[Fryuni]

Oh, we've been using 3.0.0-rc.0 since it was released and we've had zero problems so far. Resolution is working perfectly for all our use cases and all the vulnerability reports we got from our dependencies, multiple times we ignored them temporarily, others we resolved immediately, and others we ignored permanently with a task on our backlog to take a look.

Both commands have behaved exactly as we expected. So much so that I completely forgot that it was on our list of packages under test to give feedback 😅. But I guess that in itself is a feedback, it works so well that you forget it is there.