
Enhancement Request: Pin aemsync and less-tree to versioned packages #13

jstirnaman opened this issue Oct 29, 2019 · 6 comments

@jstirnaman

Aemfed has 2 dependencies (aemsync and less-tree) that point to GitHub URLs of tarball files for a specific commit. Since these are compiled commits and not a specific version, our corporate NPM registry intake has no way of scanning the dependency for vulnerabilities and therefore cannot know for certain if they are safe to use.
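The intake check described above can be reproduced locally before a manifest reaches the registry proxy. The following is an added example, not code from aemfed or its maintainers: it walks a parsed package.json and flags every dependency whose specifier does not resolve through the npm registry (tarball or git URLs, GitHub shorthand, local paths). The sample manifest and its URLs are constructed for illustration and are not aemfed's real dependency list.

```javascript
// Added example: report dependencies that bypass the npm registry.
// A registry specifier (exact version, range, dist-tag) maps to an auditable
// name@version; a tarball or git URL pinned to a commit does not.
const NON_REGISTRY_PATTERNS = [
  { kind: "url", re: /^(https?|git|git\+ssh|git\+https|ssh):\/\//i },
  { kind: "file", re: /^(file:|\.{0,2}\/)/ },
  // owner/repo, github:owner/repo, optionally with #ref (a commit, tag or branch)
  { kind: "github-shorthand", re: /^(github:)?[\w.-]+\/[\w.-]+(#.*)?$/ },
  { kind: "tarball", re: /\.(tgz|tar\.gz)$/i },
];

// Classify one dependency specifier; "registry" means it can be audited by name@version.
function classifySpec(spec) {
  for (const { kind, re } of NON_REGISTRY_PATTERNS) {
    if (re.test(spec)) return kind;
  }
  return "registry";
}

// Scan every dependency section of a parsed package.json object and return
// the entries that do not come from the registry. Pass the result of
// JSON.parse(fs.readFileSync("package.json", "utf8")) for a real manifest.
function findNonRegistryDeps(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "registry") findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical URLs, not aemfed's actual package.json).
const SAMPLE_PKG = {
  dependencies: {
    aemsync: "https://github.com/example-org/aemsync/tarball/0123456789abcdef",
    "less-tree": "https://codeload.github.com/example-org/less-tree/tar.gz/abcdef0",
    express: "^4.17.1",
  },
  devDependencies: {
    "@example-org/pinned": "1.2.3",
    "some-lib": "example-org/some-lib#v1.0.0",
  },
};

for (const f of findNonRegistryDeps(SAMPLE_PKG)) {
  console.log(`${f.section}/${f.name}: ${f.kind} -> ${f.spec}`);
}
```

Wiring this into a pre-publish or CI step gives the same "registry only" gate the deployment agency applies, but with a readable list of which dependencies need a published equivalent.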

@skbhardwaj

skbhardwaj commented Dec 20, 2019

In our project we are facing a similar issue, hence the deployment is failing, as the deployment agency has added a check to allow "All dependencies from NPM Registry only".
They also asked us to remove the package and use some other alternative which doesn't have GitHub dependencies.

@abmaonline - could you please suggest as to what can be done?

Thanks,

@ahmed-musallam

@abmaonline this is actually a concerning issue. Any reason for the use of GitHub URLs as opposed to published NPM modules?

@skbhardwaj aemfed is a development tool only, this means you can remove it from your package.json and install it globally on your local machine: npm install -g aemfed and then use it only locally on your developer machine without it ever making it to your CI/CD build.

@jstirnaman
Author

@ahmed-musallam Problems with global install:

  • doesn't solve the core issue - our internal repo prevents me from depositing it without a published build.
  • doesn't scale easily for teams where we'd prefer configuration as code.

@ahmed-musallam

Yes. I suggested it as a work-around :)

@abmaonline
Owner

These tarballs start to create a lot of issues. Let me check if I can merge the changes back into the original projects or otherwise publish them as custom npm packages.

@abmaonline
Owner

Just published a release candidate with scoped npm packages instead of tarballs for the customized modules. Maybe you could give it a try and let me know if it solves the issue?

Please use npm install aemfed@next to install the latest release candidate (or npm install [email protected] when you want to be explicit).
