Remove package-lock.json

[samzong]

Upgrade the dependencies in node_modules to enhance the security, functionality, stability, and maintainability of the application. Rectify any known security issues or vulnerabilities.

Signed-off-by: samzong.lu [email protected]

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

[samzong]

/assign @RainbowMango

[RainbowMango]

Thanks @samzong :)

@Arhell, can you help to take a look?

[Arhell]

@RainbowMango
I just checked, no updates needed
There is only
react ^17.0.2 → ^18.2.0
react-dom ^17.0.2 → ^18.2.0
but you do not need to update them because docusaurus does not support this version yet

I'm assuming the dependencies are due to a different OS version.

[RainbowMango]

but you do not need to update them because docusaurus does not support this version yet

How do you know? I'm curious how the deploy-preview works. Does that mean docusaurus support this version?

[Arhell]

netlify

I tried updating, but it didn't work for me personally (local). I haven't tested it with netlify.

Well, in general, I would remove the .lock file if possible.
But if it works, then you can merge

[RainbowMango]

Well, in general, I would remove the .lock file if possible.

Do you mean you need to remove the .lock file on your local machine? Otherwise, you can't launch the website?

[Arhell]

No, remove it from the repository and put it in gitignore.
And update only what is in package.json

If possible, of course.
For I am almost sure that the dependencies in the .lock file will be different, depending on the OS (win , macOS , linux ) and the version of node
For example, I use 16 and others may have already switched to 18 or use old 12.

[samzong]

No, remove it from the repository and put it in gitignore. And update only what is in package.json

If possible, of course. For I am almost sure that the dependencies in the .lock file will be different, depending on the OS (win , macOS , linux ) and the version of node For example, I use 16 and others may have already switched to 18 or use old 12.

@Arhell This is a better way, let me update the content here.

[Arhell]

@samzong thanks
/lgtm

[RainbowMango]

I still don't get why we are going to remove the package-lock.json. Forgive me I'm not familiar with Node and NPM.

I think the package-lock.json is more like the go.sum in Go project which records all dependencies, according to this package-lock.json description it is intended to be committed into source repositories.

[karmada-bot]

New changes are detected. LGTM label has been removed.

[samzong]

I still don't get why we are going to remove the package-lock.json. Forgive me I'm not familiar with Node and NPM.

I think the package-lock.json is more like the go.sum in Go project which records all dependencies, according to this package-lock.json description it is intended to be committed into source repositories.

yes, your are right, package-lock.json like go.sum, after consulting with my R&D peers

https://medium.com/helpshift-engineering/package-lock-json-the-complete-guide-2ae40175ebdd

package-lock.json is a lockfile that contains information about the dependencies/packages with their exact version numbers (*important) that were installed for a node.js project.

I believe it's imperative that we specify the range of node versions or identify an alternative approach to alleviate document writers' concerns surrounding node and its dependencies.

• add engines to package.json， it will prompt the user for the version to use during installation.
• add .nvmrc is a file used to specify which version of Node.js to use with the Node Version Manager (NVM). It is a text file containing a version number, such as 12.18.1, which NVM will use when installing or using Node.js.

@Arhell @RainbowMango pls check again. it's will be more friendly

[RainbowMango]

Can you guys remind me what's the benefit of this patch?

Upgrade the dependencies in node_modules to enhance the security, functionality, stability, and maintainability of the application. Rectify any known security issues or vulnerabilities.

From the PR description, I can see this aims to enhance security, functionality, stability, and maintainability. I wonder how it works.

We do have some dependencies that need to be updated for security warnings, can this patch fix these issues?

[samzong]

Can you guys remind me what's the benefit of this patch?

Upgrade the dependencies in node_modules to enhance the security, functionality, stability, and maintainability of the application. Rectify any known security issues or vulnerabilities.

From the PR description, I can see this aims to enhance security, functionality, stability, and maintainability. I wonder how it works.

We do have some dependencies that need to be updated for security warnings, can this patch fix these issues?

First, This PR, only include restricted the version of Node to ensure a safe range for users. Then, we upgraded dependencies to resolve the dependencies issue.

It's worth noting that not all dependencies provided by GitHub can be updated, as we need to consider compatibility within the application. Since we are using Docusaurus, we need to check if Docusaurus has already addressed this issue before updating its version.

I will try to contribute the fix version to the Docusaurus repository, which will help ensure that the issue is resolved not only for our project but also for the broader community.

[karmada-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment