Search - "package-lock.json"
I've been working on updates to a react app for a few hours today. Everything's been peachy except this shit job, this inane change demand list, my headache, my lack of quiet places to work, ... okay, so basically everything is terrible. But I've done lots of builds, and made lots of progress.
Then suddenly: my build script failed. 30 seconds after a successful build, with no (tooling) changes in between.
Reason? Incorrect version of Sass.
How? Fucking npm.
Isn't package-lock.json supposed to prevent this crap?
FAKDLKAUSUK.
Me: Ok I've updated the docs, I'll open a PR with the changes
Maintainer: Looks great! Can you remove the changes to the package-lock.json? (I assume it got updated when you ran npm install to start the webserver)
Me: Ok sure, I'll update it soon
And this is where the troubles begin. The file was committed 2 commits ago, so I have to roll back to then. However, the remote repository has been updated since then, so I git fetch to keep up to date.
This makes the rollback a hell of a lot harder, so I run git log to see the history. I try a reset, but I went back to the wrong commit, and now a shit ton of files are out of sync.
I frantically google 'reset a git reset', and come across the reflog command. Running that fucks things up even worse, and now so much shit is out of sync that even git seems confused.
I try to fix the mess I've created, and so I git pull from my forked repo to get myself back to where I was. Git starts screaming at me about out of sync files, so I try to find a way to overwrite local changes from the origin.
And by this point, the only way to describe what the local repo looks like is a dumpster fire clusterfuck that was involved in a train wreck
I resolved the mess by just deleting the local copy and git cloning again from my fork.
I gotta learn how to use Git better
*package-lock.json* merge conflict
ME: fuck fuck fuck, C-s I-Search: HEAD
ME: this shit is much I can't handle it, fuck
ME: rm package-lock.json ; npm install
Please share your thoughts on Dependabot security alerts on Github, more specifically for NPM packages in package-lock.json.
In 99% of cases I've found them useless as:
- package-lock.json is in the repo, but not in the NPM package (=no value to users)
- most of the updates relate to devDependencies (=no value to users)
- it clutters the git history (and changelog if it is auto-generated) with a batch of patch updates (updated depx to .1, .2, .3) while the only important thing in the next release notes is the delta (updated depx from .1 to .3) (=no value to users)
I'm fairly new in our team and yesterday I was going to work on an app I hadn't contributed to yet.
...except I couldn't get it to run on my machine. None of my co-workers knew why and I've spent the entire day trying to solve the problem.
Ultimately I found it. There was a stray package-lock.json that screwed up npm.
GitHub, your Copilot sucks, and so does Dependabot!
Dependabot opened 3 pull requests;
merging the first one caused conflicts in package.json and package-lock.json that must be resolved;
while trying to investigate further, the second pull request got closed as it suddenly seemed obsolete.
Dependabot: "Looks like these dependencies are no longer updatable, so this is no longer needed."
This kind of service generates so much noise and irrelevant alerts, it comes out of nowhere and there is no way to get rid of those bots once they invaded a repository. And they are so useless. A simple `npm outdated && npm upgrade` would have done better in 99% of the cases.
GitHub, your Copilot sucks, and so does Dependabot!
Thought the package-lock.json file wasn't working. Turns out it wasn't being copied into the Dockerfile.
:/
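The mistake in the rant above, as an added example that is not from the post or from devRant: a POSIX shell linter that flags a Dockerfile which runs npm before package-lock.json has been copied into the image, or which uses `npm install` (free to rewrite the lock, which is also the answer to the first rant's "isn't package-lock.json supposed to prevent this?") instead of `npm ci` (which refuses to run when the lock and package.json disagree). The function name and the two sample Dockerfiles are constructed for this example.

```shell
# Lint a Dockerfile for the rant's failure mode: package.json is copied into
# the image but package-lock.json is not, so npm resolves fresh versions and
# the lockfile never takes effect. Also flags `npm install`, which may rewrite
# the lock, in favour of `npm ci`, which fails if lock and package.json differ.
# Returns 0 when the lockfile is enforced; prints findings and returns 1 if not.
check_lockfile_in_dockerfile() {
    dockerfile="$1"
    lock_copied=0
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            COPY*|ADD*)
                # Explicit lockfile, package*.json glob or whole-context copy all
                # bring the lock in (unless .dockerignore drops it; not checked).
                case "$line" in
                    *package-lock.json*|*package\*.json*|"COPY . "*|"COPY ./ "*)
                        lock_copied=1 ;;
                esac ;;
            RUN*npm*)
                if [ "$lock_copied" -eq 0 ]; then
                    echo "npm runs before package-lock.json is copied: $line"
                    problems=$((problems + 1))
                fi
                case "$line" in
                    *"npm install"*|*"npm i "*|*"npm i")
                        echo "npm install may rewrite the lockfile, use npm ci: $line"
                        problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$dockerfile"
    [ "$problems" -eq 0 ]
}

# Constructed samples (not from the post): the image as the rant had it, and fixed.
cat > /tmp/Dockerfile.broken <<'EOF'
FROM node:20
COPY package.json ./
RUN npm install
COPY . .
EOF
cat > /tmp/Dockerfile.fixed <<'EOF'
FROM node:20
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
EOF

check_lockfile_in_dockerfile /tmp/Dockerfile.broken || echo "broken: lockfile not enforced"
check_lockfile_in_dockerfile /tmp/Dockerfile.fixed && echo "fixed: lockfile enforced"
```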