-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace --production
by --omit=dev
#1120
base: master
Are you sure you want to change the base?
Conversation
this parameter "--production" is still used by Node v14 . |
Node 14 (and 16) are already end-of-life though. They shouldn't be used any more, as they won't even get patched. IMO you should drop support for them, as in the worst case this enables stakeholders using those outdated versions. Even if Node 14 support has to be kept for some reason there should be a conditional to use the |
If you expect that repo to follow the most basic best current security practices or even SAP security policies, you will face disillusionment :) I've tried to push a bunch of security compliance PRs a year ago, most of them have been merged/taken over. Dunno why such a critical piece in the SAP software supply chain can be left with known critical CVEs such as https://security-tracker.debian.org/tracker/CVE-2024-2961 several months ... or years. |
MBT requires support for Node 14, and the Node 14 MBT Docker image is utilized by SAP Piper. Therefore, it cannot be replaced at this time. |
So critical components in the SAP software supply chain use unmaintained and cluttered by serious security flaws node.js version? |
Description
This PR replaces all occurrences of
--production
in annpm
context with--omit=dev
.Currently you get these warnings when deploying MTA projects with the standard
npm
builder:"npm warn config production Use
--omit=dev
instead"The
omit
option was introduced withnpm
8, so it's available in all supported versions.Checklist