Just bump the release version to 2.0.2 with the fix is my recommendation.

On 8/5/2019 6:51 AM, Furkan KAMACI wrote:
> Hi All,
>
> One of the projects that I am mentoring has a situation that needs to be
> resolved. I've copied the case below. What do you think about it:
>
> "I want to resolve this soon.
>
> Again the issue is this:
>
> I pushed a bad package.json (with 'files' field) file to our v2.0.1 RC1.
> This escaped testing prior to VOTE for v2.0.1 because I was only testing
> with 'npm install' from repo (takes files direct from repo) rather than
> 'npm pack' + 'npm install' (packages tarball as though it were pushed to
> npm registry, then installs from tarball). After the VOTE passed, I
> followed up on release procedures, and published v2.0.1 RC1 to npm as
> flagon-userale v2.0.1. The resulting npm package in the registry did not
> include critical artifacts and scripts (I tested again immediately after
> publishing).
>
> There was no choice but to unpublish v2.0.1 from the npm registry. 'latest'
> is v2.0.0.
>
> The issue at hand is that we cannot now republish to npm a version
> 2.0.1—the registry is immutable. We have to publish a package with a
> different version number.
>
> My question was whether there were any issues in bumping Apache Flagon
> v2.0.1 to v2.0.2, release through Apache and push to npm as v2.0.2 to
> synchronize semantic versioning between Apache dist/releases and npm.js. Or
> whether this requires a new release VOTE.
>
> The alternatives are:
>
> 1. Proceed with release of v2.0.1 (adding fixes to package.json), then wait
> until next version 2.0.2 to publish to npm—I don't like this because 2.0.1
> is a security-related patch, which fixes over 200 low-depth dependency
> vulnerabilities. v2.0.2 should be ready in a week or two, still we lose
> consumer confidence every day we don't address these vulnerabilities.
>
> 2. Release an unofficial v2.0.2 on npm then synchronize Apache and npm
> releases at v2.0.3—I don't like this at all.
>
> I am looking for any thoughts on the cleanest way to do this and generally
> what best practice is from an Apache voting perspective.
>
> I have corrected the flaw in the current 2.0.1, and tested using npm pack.
> This has been pushed to a new RC branch:
> https://github.com/apache/incubator-flagon-useralejs/tree/v2.0.1-RC2"
>
> Kind Regards,
> Furkan KAMACI
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
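The mistake described in the quoted message, testing with 'npm install' from the checkout instead of from a packed tarball, is easy to guard against with a pre-VOTE check. The script below is an added example written for this page, not code from the Flagon project: the functions check_pack_contents and make_fixture, the package name example-pkg and its src/ and build/ layout are all constructed for illustration, and it assumes npm and tar are on the PATH. It packs a directory the same way 'npm publish' would, lists the tarball and fails if a required artifact is absent. The bad fixture, whose "files" field lists only "src", is exactly the case an install from the repository cannot catch, because that path never applies the "files" allow-list.

```shell
#!/bin/sh
# Added example, not code from the Flagon project: a pre-VOTE check that
# the tarball `npm pack` produces (the same one `npm publish` uploads)
# still contains the artifacts consumers need. Installing from a git
# checkout does not apply the "files" allow-list in package.json, so a
# wrong "files" field is only visible in the packed tarball.
set -eu

# check_pack_contents PKG_DIR REQUIRED_PATH...
# Packs PKG_DIR into a scratch directory, lists the tarball and returns 1
# if any REQUIRED_PATH (relative to the package root) is absent.
check_pack_contents() {
    pkg_dir=$(cd "$1" && pwd); shift
    scratch=$(mktemp -d)
    # npm pack writes <name>-<version>.tgz into the current directory.
    (cd "$scratch" && npm pack "$pkg_dir" >/dev/null 2>&1)
    tgz=$(ls "$scratch"/*.tgz)
    # Every entry in an npm tarball is rooted at "package/".
    listing=$(tar -tzf "$tgz")
    status=0
    for req in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qxF "package/$req"; then
            echo "MISSING from tarball: $req" >&2
            status=1
        fi
    done
    rm -rf "$scratch"
    return $status
}

# make_fixture FILES_JSON -> prints the path of a constructed (hypothetical)
# package whose package.json "files" field is FILES_JSON. The sources are
# stubs; "main" is deliberately omitted because npm always packs the main
# file, which would mask the mistake being demonstrated.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src" "$dir/build"
    echo 'module.exports = {};' > "$dir/src/index.js"
    echo '/* built bundle */' > "$dir/build/example.min.js"
    cat > "$dir/package.json" <<EOF
{
  "name": "example-pkg",
  "version": "2.0.1",
  "files": $1
}
EOF
    echo "$dir"
}

# Bad "files": the built bundle is never packed, even though it sits in
# the repo, so `npm install <checkout>` would still appear to work.
bad_pkg=$(make_fixture '["src"]')
# Corrected "files": the build output is included.
good_pkg=$(make_fixture '["src", "build"]')

if [ "${1:-}" = "demo" ]; then
    check_pack_contents "$bad_pkg" src/index.js build/example.min.js \
        || echo "bad fixture rejected (expected)"
    check_pack_contents "$good_pkg" src/index.js build/example.min.js \
        && echo "good fixture accepted"
fi
```

Run it as `sh check_pack.sh demo` to see both fixtures evaluated. In a release checkout, call check_pack_contents with the list of artifacts the package must ship, then install the tarball into a scratch project with `npm install ./<name>-<version>.tgz` for the install-time test the message describes; `npm publish --dry-run` prints the same file list without uploading anything.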