Move away from Shrinkwrap in @forge/cli


      Issue Summary

      @forge/cli currently uses Shrinkwrap and, as a result, users/devs are unable to update its dependency packages when any of them needs a security patch for a discovered vulnerability.

      Please consider moving away from shrinkwrap in @forge/cli so that dependencies can be patched/updated in such cases.

      Workaround

      If your CI process is restrictive, you can use the following available workarounds.

      1. Change your CI process to have exceptions, and use those.
      2. Since @forge/cli pins its own dependencies, it can be used via npx: npx --package @forge/cli@7.0.2 forge whoami.
      3. (Unsupported) Use yarn to install @forge/cli, as it ignores shrinkwrap.
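Before choosing a workaround, a reviewer usually wants to know which versions the CLI's shrinkwrap actually locks for the dependency named in an advisory. The following is an added example, not code from this issue or from @forge/cli: it reads an npm-shrinkwrap.json (or package-lock.json) and lists every locked version of a dependency, then filters for versions below the advisory's fixed version. Package names, versions and the lockfile content are constructed.

```javascript
// Added example, not part of the Forge issue or @forge/cli.
// Lists the versions a shrinkwrap/lockfile pins for one dependency name,
// handling lockfileVersion 1 (nested "dependencies" tree) and 2/3 ("packages"
// map keyed by install path), then flags those below a given fixed version.

function pinnedVersions(shrinkwrapText, depName) {
  const lock = JSON.parse(shrinkwrapText);
  const found = new Set();

  // lockfileVersion >= 2: keys look like "node_modules/a/node_modules/b";
  // the package name is whatever follows the last "node_modules/" segment
  // (scoped names such as "@scope/pkg" survive this slice intact).
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === depName && entry.version) found.add(entry.version);
  }

  // lockfileVersion 1 (v2 files also carry this tree): recurse the nested tree.
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === depName && entry.version) found.add(entry.version);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...found].sort();
}

// Numeric major.minor.patch comparison; pre-release suffixes are ignored,
// which is a simplification compared with full semver ordering.
function cmpSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Returns the pinned versions that are still below the advisory's fixed version.
function versionsBelow(versions, fixedVersion) {
  return versions.filter((v) => cmpSemver(v, fixedVersion) < 0);
}

// Constructed lockfile: "dep-a" is pinned twice, once top-level and once
// nested under "dep-b", which is exactly the case a flat `npm ls` can hide.
const SAMPLE_SHRINKWRAP = JSON.stringify({
  name: "example-cli", version: "1.0.0", lockfileVersion: 2,
  packages: {
    "": { name: "example-cli", version: "1.0.0" },
    "node_modules/dep-a": { version: "2.0.1" },
    "node_modules/dep-b": { version: "3.4.0" },
    "node_modules/dep-b/node_modules/dep-a": { version: "1.2.0" },
  },
  dependencies: {
    "dep-a": { version: "2.0.1" },
    "dep-b": { version: "3.4.0", dependencies: { "dep-a": { version: "1.2.0" } } },
  },
});

const pinned = pinnedVersions(SAMPLE_SHRINKWRAP, "dep-a");
console.log("pinned dep-a versions:", pinned);              // [ '1.2.0', '2.0.1' ]
console.log("below fixed 2.0.0:", versionsBelow(pinned, "2.0.0")); // [ '1.2.0' ]
```

Point the script at the npm-shrinkwrap.json inside the installed @forge/cli package to see which locked versions would need the patch.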

            Assignee: Angelina Ignatova
            Reporter: Nashid Farhad
            Votes: 1
            Watchers: 2
