@alanorth alanorth commented Oct 2, 2025

Description

Add undeclared dependencies to package.json. I used knip to identify these, see this great blog post for the inspiration. All of these are used directly by our code, but were only available in our environment by chance as they are transitive dependencies of other packages we depend on.

Instructions for Reviewers

Please add a more detailed description of the changes made by your PR. At a minimum, providing a bulleted list of changes in your PR is helpful to reviewers.

List of changes in this PR:

  • First, add commander dependency to package.json
  • Second, add glob dependency to package.json and update syntax in for latest version
  • Third, add body-parser dependency to package.json
  • Fourth, add xhr2 dependency to package.json
  • Fifth, add md5 dependency to package.json (note: in the future this should be handled by Node's built-in crypto API)

Include guidance for how to test or review your PR. This may include: steps to reproduce a bug, screenshots or description of a new feature, or reasons behind specific changes.

Make sure the site builds in dev and prod mode. Make sure all tests in CI pass.

Checklist

This checklist provides a reminder of what we are going to look for when reviewing your PR. You do not need to complete this checklist prior to creating your PR (draft PRs are always welcome).
However, reviewers may request that you complete any actions in this list if you have not done so. If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!

  • My PR is created against the main branch of code (unless it is a backport or is fixing an issue specific to an older branch).
  • My PR is small in size (e.g. less than 1,000 lines of code, not including comments & specs/tests), or I have provided reasons as to why that's not possible.
  • My PR passes ESLint validation using npm run lint
  • My PR doesn't introduce circular dependencies (verified via npm run check-circ-deps)
  • My PR includes TypeDoc comments for all new (or modified) public methods and classes. It also includes TypeDoc for large or complex private methods.
  • My PR passes all specs/tests and includes new/updated specs or tests based on the Code Testing Guide.
  • My PR aligns with Accessibility guidelines if it makes changes to the user interface.
  • My PR uses i18n (internationalization) keys instead of hardcoded English text, to allow for translations.
  • My PR includes details on how to test it. I've provided clear instructions to reviewers on how to successfully test this fix or feature.
  • If my PR includes new libraries/dependencies (in package.json), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
  • If my PR includes new features or configurations, I've provided basic technical documentation in the PR itself.
  • If my PR fixes an issue ticket, I've linked them together.

We use this explicitly in the following scripts:

- scripts/merge-i18n-files.ts
- scripts/sync-i18n-files.ts

Previously it was assumed that `commander` was available in the
environment, which seems to have been provided by cypress.

This undeclared dependency is used by lint/src/util/theme-support.ts.

We explicitly use this in server.ts. It has always been available
because it is a dependency of express, and therefore a transitive
dependency of ours. Because we are using it directly in *our* code
we should declare the dependency.

I am using version ^1.20.3 because that is the one used by the
version of Express we are using.

This is used directly in src/app/core/services/server-xhr.service.ts.
We have been relying on this being available by virtue of it being
a transitive dependency of some other package.

This is used directly in webpack/helpers.ts. It is a transitive
dependency of orejime but we are using it directly in our code so we
should declare it.
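
The check behind this PR, as an added sketch (not code from this PR or from knip): scan each source file's import specifiers and report every package that is used directly but not declared in package.json. The regex scanner, the `BUILTINS` subset, and the sample package.json and file contents are assumptions constructed for the example.

```javascript
// Node core modules are never declared in package.json. Subset for this example;
// a full check would use require('node:module').builtinModules.
const BUILTINS = new Set(['fs', 'path', 'crypto', 'http', 'https', 'url', 'os', 'util']);

// Captures the specifier in `import ... from 'x'`, `import 'x'`,
// `require('x')` and dynamic `import('x')`.
const SPECIFIER = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;

// 'rxjs/operators' -> 'rxjs', '@angular/core/testing' -> '@angular/core'
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Returns { packageName: [files importing it] } for every package our own
// sources import that package.json does not declare in any dependency field.
function findUndeclared(pkg, sources) {
  const fields = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
  const declared = new Set(fields.flatMap((field) => Object.keys(pkg[field] || {})));
  const undeclared = {};
  for (const [file, code] of Object.entries(sources)) {
    for (const [, specifier] of code.matchAll(SPECIFIER)) {
      // Relative/absolute paths and node:-prefixed core modules are not packages.
      if (/^[./]/.test(specifier) || specifier.startsWith('node:')) continue;
      const name = packageName(specifier);
      if (BUILTINS.has(name) || declared.has(name)) continue;
      (undeclared[name] ||= []).push(file);
    }
  }
  return undeclared;
}

// Constructed sample: versions and file contents are stand-ins, not the
// project's real package.json or sources.
const samplePkg = { dependencies: { express: '^4.0.0', '@angular/core': '^1.0.0' } };
const sampleSources = {
  'server.ts': "import * as express from 'express';\nimport { json } from 'body-parser';",
  'webpack/helpers.ts': "import { join } from 'path';\nconst md5 = require('md5');",
  'scripts/sync-i18n-files.ts': "import { Command } from 'commander';\nimport './util';",
  'app.ts': "import { TestBed } from '@angular/core/testing';",
};

console.log(findUndeclared(samplePkg, sampleSources));
```

A regex scan is approximate (it does not resolve tsconfig path aliases, for example), so treat its output as candidates to confirm rather than a definitive list.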
@alanorth alanorth added this to the 10.0 milestone Oct 2, 2025
@alanorth alanorth added the dependencies (Pull requests that update a dependency file) and 1 APPROVAL (pull request only requires a single approval to merge) labels Oct 2, 2025
@alanorth alanorth added the port to dspace-9_x (This PR needs to be ported to `dspace-9_x` branch for next bug-fix release) label Oct 2, 2025

tdonohue commented Oct 2, 2025

@alanorth : Did you (or could you) run npm run clean and npm install again using this PR? I believe this has the same issues in the package-lock.json as the previous PR. It has updated a larger number of unrelated packages in package-lock.json to include peer: true. I think those will all go away if you run a clean & reinstall all packages.

@tdonohue tdonohue self-requested a review October 2, 2025 13:53

alanorth commented Oct 2, 2025

Thanks @tdonohue. I think I figured it out. I was wondering why npm install was not deterministically updating the lock file. It shouldn't be necessary to run npm run clean.

The problem is that I have two npm versions in my PATH, one is version 10.9.1 and one is version 11.6.1. It seems the latter changed the lockfile format or at least the behavior. I have updated the PR.

@tdonohue tdonohue left a comment

👍 Thanks @alanorth ! This looks good to me. I gave it a quick test and didn't run into any issues

@github-project-automation github-project-automation bot moved this to 👍 Reviewer Approved in DSpace 10.0 Release Oct 6, 2025
@tdonohue tdonohue merged commit 36fea82 into DSpace:main Oct 6, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this from 👍 Reviewer Approved to ✅ Done in DSpace 10.0 Release Oct 6, 2025
@dspace-bot

Successfully created backport PR for dspace-9_x:

@alexandrevryghem alexandrevryghem removed the port to dspace-9_x (This PR needs to be ported to `dspace-9_x` branch for next bug-fix release) label Nov 25, 2025