Confusing packages like lodash.isplainobject with isplainobject

Issue #388 resolved
Aidan Lane created an issue

Hi guys,

Our project uses a yarn.lock file, which has entries like:

fined@^1.0.1:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/fined/-/fined-1.0.2.tgz#5b28424b760d7598960b7ef8480dff8ad3660e97"
  dependencies:
    expand-tilde "^1.2.1"
    lodash.assignwith "^4.0.7"
    lodash.isempty "^4.2.1"
    lodash.isplainobject "^4.0.4"
    lodash.isstring "^4.0.1"
    lodash.pick "^4.2.1"
    parse-filepath "^1.0.1"

VersionEye is getting confused by the lodash.isplainobject "^4.0.4" entry though, interpreting it as just isplainobject, so on the following page the locked version 4.0.6 doesn't marry up with the isplainobject 0.0.1 version:

https://www.versioneye.com/nodejs/isplainobject/4.0.6

The two packages:

https://www.npmjs.com/package/isplainobject
https://www.npmjs.com/package/lodash.isplainobject

This problem is causing many false positives, especially for licenses (which appear as UNKNOWN), drowning out true positives.

Please help!

Cheers!
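
The failure mode described in this report (a dotted package name being reduced to its last segment, so the lockfile's pinned version is looked up against the wrong registry package) is worth seeing in code. The following is an added example, not VersionEye's parser and not code from the reporter: a minimal yarn.lock v1 parser that keeps names like lodash.isplainobject and scoped names like @types/node intact, next to a hypothetical naive name extractor (an assumption about one way the symptom can arise, not a claim about VersionEye's actual bug). The fined entry in the sample lockfile mirrors the one in the report; the @types/node and lodash.isplainobject entries, their versions and URLs are constructed for the example.

```javascript
// Added example: yarn.lock v1 parsing that preserves dotted and scoped package names.
// Sample lockfile text is constructed; only the fined entry is taken from the report.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^8.0.0":
  version "8.10.66"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-8.10.66.tgz"

fined@^1.0.1:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/fined/-/fined-1.0.2.tgz#5b28424b760d7598960b7ef8480dff8ad3660e97"
  dependencies:
    expand-tilde "^1.2.1"
    lodash.assignwith "^4.0.7"
    lodash.isempty "^4.2.1"
    lodash.isplainobject "^4.0.4"
    lodash.isstring "^4.0.1"
    lodash.pick "^4.2.1"
    parse-filepath "^1.0.1"

lodash.isplainobject@^4.0.4:
  version "4.0.6"
  resolved "https://registry.yarnpkg.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz"
`;

function unquote(s) {
  return s.length >= 2 && s[0] === '"' && s[s.length - 1] === '"' ? s.slice(1, -1) : s;
}

// A lock pattern is "<name>@<range>". Split on the LAST "@" so that scoped
// names ("@scope/pkg@range") keep their leading "@" and dots in names are untouched.
function splitPattern(pattern) {
  const at = pattern.lastIndexOf('@');
  if (at <= 0) throw new Error(`malformed lock pattern: ${pattern}`);
  return { name: pattern.slice(0, at), range: pattern.slice(at + 1) };
}

// Parse yarn.lock v1 into a map from pattern ("name@range") to entry.
// Entries listed under several comma-separated patterns share one object.
function parseYarnLockV1(text) {
  const entries = {};
  let current = null;
  let inDeps = false;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0) {
      // Header line: one or more patterns, each optionally quoted, ending with ":".
      if (!body.endsWith(':')) throw new Error(`unexpected top-level line: ${body}`);
      const patterns = body.slice(0, -1).split(',').map((p) => unquote(p.trim()));
      current = { name: splitPattern(patterns[0]).name, patterns, version: null, resolved: null, dependencies: {} };
      inDeps = false;
      for (const p of patterns) entries[p] = current;
    } else if (!current) {
      throw new Error(`indented line before any entry: ${body}`);
    } else if (indent === 2) {
      inDeps = false;
      if (body === 'dependencies:' || body === 'optionalDependencies:') { inDeps = true; continue; }
      const m = body.match(/^(\S+)\s+(.+)$/);
      if (!m) continue; // integrity and other keys are ignored here
      if (m[1] === 'version') current.version = unquote(m[2]);
      else if (m[1] === 'resolved') current.resolved = unquote(m[2]);
    } else if (indent === 4 && inDeps) {
      // Dependency line: name (quoted only when it contains "@"), then a quoted range.
      const m = body.match(/^("[^"]+"|\S+)\s+"?([^"]+)"?$/);
      if (!m) throw new Error(`malformed dependency line: ${body}`);
      current.dependencies[unquote(m[1])] = m[2];
    }
  }
  return entries;
}

// Hypothetical naive extractor (an assumption, not VersionEye's code): treating "."
// as a namespace separator turns "lodash.isplainobject" into "isplainobject".
function naiveDependencyName(rawName) {
  return rawName.split('.').pop();
}

// Look up the version the lockfile pins for exactly this name and range.
function lockedVersion(entries, name, range) {
  const entry = entries[`${name}@${range}`];
  return entry ? entry.version : null;
}

// Every dependency name the naive extractor would misattribute, sorted, deduplicated.
function misattributedDependencies(entries) {
  const names = new Set();
  for (const entry of Object.values(entries)) {
    for (const dep of Object.keys(entry.dependencies)) {
      if (naiveDependencyName(dep) !== dep) names.add(dep);
    }
  }
  return [...names].sort();
}

const lock = parseYarnLockV1(SAMPLE_LOCK);
console.log('correct lookup :', lockedVersion(lock, 'lodash.isplainobject', '^4.0.4'));
console.log('naive lookup   :', lockedVersion(lock, naiveDependencyName('lodash.isplainobject'), '^4.0.4'));
console.log('misattributed  :', misattributedDependencies(lock));
```

The correct lookup returns the pinned 4.0.6 for lodash.isplainobject, while the naive name yields no match at all, which is the point: a scanner that then queries the registry for a package called isplainobject will compare the wrong package's versions and licence, producing exactly the UNKNOWN-licence false positives the report describes. Splitting the header pattern on the last "@" rather than the first is what keeps scoped names correct in the same pass.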

Comments (7)

  1. Robert Reiz

    Hi @aidanlane. @timgluz will take a look to this soon and come back to you either today or tomorrow.

  2. Aidan Lane (reporter)

    Hi @timgluz, does that mean that it's fixed, deployed? I ask because I have re-parsed our projects, but we're still experiencing the issue.

  3. Robert Reiz

    It's deployed to production now! If the issue still exists, please re open this ticket. Otherwise just confirm that it works for you.

  4. Aidan Lane (reporter)

    It works properly now, thank you greatly @timgluz and @reiz, we really appreciate it. Awesome support!