From f22d3d1d65bba415ca3415eb526123b301ecdd64 Mon Sep 17 00:00:00 2001
From: Jose Bolos
Date: Thu, 1 Apr 2021 17:04:55 +0200
Subject: [PATCH] Force project to use v2.4 of HTML_CodeSniffer (#14)

A side-effect of NPM using the `package-lock.json` file is that this file is _not_ published with an NPM package, which means that, when NPM tries to resolve dependencies on an npm install it will happily install newer versions of dependencies as long as they fulfil whatever conditions are specified in the `package.json` file (not the lockfile).

For example,

* `pa11y@5.3.0`:
  * requires `pa11y-runner-htmlcs@^1.2.0`
  * has `pa11y-runner-htmlcs@1.2.0` in its package-lock.json
* `pa11y-runner-htmlcs@1.2.0`:
  * requires `html_codesniffer@^2.4.1`
  * has `html_codesniffer@2.4.1` in its package-lock.json

Running:

```sh
npm install --global pa11y@5.3.0
```

...will result in the installation of pa11y@5.3.0, which will pull pa11y-runner-htmlcs@1.2.0 (intended, although by accident) and html_codesniffer@2.5.1 (unintended).

HTML_CS 2.5 contains new WCAG 2.1 rules that we've decided to keep for pa11y v6 so as to try to ensure that we don't break people's workflows.

This commit replaces `^` with `~` in the package.json, pinning htmlcs to version 2.4.x
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json index f38ba27..b34b4f8 100644 --- a/package.json +++ b/package.json @@ -33,6 +33,6 @@ "test": "make ci" }, "dependencies": { - "html_codesniffer": "^2.4.1" + "html_codesniffer": "~2.4.1" } }
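
Review bot: the `~2.4.1` range on the `html_codesniffer` line still floats across 2.4.x patch releases, so consumers installing the published package remain unpinned within that minor line, since the lockfile is not shipped. If the intent is only to exclude the 2.5 rule set, this is sufficient; if the intent is a reproducible dependency for consumers, use the exact version `"html_codesniffer": "2.4.1"`. package.json cannot carry a comment, so the reason for the tilde should be recorded in the changelog or README, otherwise a later routine dependency bump may restore `^`.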
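
The range behaviour the commit message describes, as an added example that is not part of the original patch or the project's code: a minimal resolver for caret, tilde and exact ranges, showing which version an install without a lockfile selects. The `PUBLISHED` list is constructed (only 2.4.1 and 2.5.1 appear in the commit message), the function names are hypothetical, and prerelease tags are not handled.

```javascript
'use strict';

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease tags are out of scope here).
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

// Compare two parsed versions: negative, zero or positive, as Array.sort expects.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Exclusive upper bound of a caret or tilde range, following node-semver's rules.
function upperBound(op, [major, minor, patch]) {
  if (op === '~') return [major, minor + 1, 0]; // patch releases only
  if (major > 0) return [major + 1, 0, 0];      // any minor or patch release
  if (minor > 0) return [0, minor + 1, 0];      // 0.x: caret behaves like tilde
  return [0, 0, patch + 1];                     // 0.0.x: that patch only
}

function satisfies(version, range) {
  const op = range[0];
  if (op !== '^' && op !== '~') return version === range; // exact pin
  const low = parse(range.slice(1));
  const v = parse(version);
  return compare(v, low) >= 0 && compare(v, upperBound(op, low)) < 0;
}

// What an install without a lockfile picks: the highest published version in range.
function resolve(published, range) {
  const hits = published.filter((v) => satisfies(v, range));
  hits.sort((a, b) => compare(parse(a), parse(b)));
  return hits.length ? hits[hits.length - 1] : null;
}

// Constructed registry listing; only 2.4.1 and 2.5.1 are named in the commit message.
const PUBLISHED = ['2.3.0', '2.4.0', '2.4.1', '2.4.2', '2.5.0', '2.5.1', '3.0.0'];

for (const range of ['^2.4.1', '~2.4.1', '2.4.1']) {
  console.log(`${range} -> ${resolve(PUBLISHED, range)}`);
}
```

With the constructed listing, the tilde range still moves to a later 2.4.x patch release, while only the exact version stays fixed.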