►
A
B
B
So
that's
one
thing
it's
the
under
review,
but
it's
the
the
update
of
the
schema
is
unstabilized.
So
I
I
think
we're
good
relation
to
that.
I've
got
a
magic
was
targeting
the
common
library
to
generate
the
the
new
fields
again
to
to
add
the
path
to
the
common
library
and
I'm
working,
I'm
still
working
on
on
the
gymnasium
analyzer
to
generate
a
path.
B
B
Maybe
so
initially
I
was
supposed
to
to
generate
the
graph,
for
I
mean
the
path,
that's
the
graph
for
beyond
the
plug
files,
but
I
changed
my
mind
because
there
were
the
possibility
that
I
got
it
wrong
when
passing
the
fight.
It's
not
so
the
underclock
is
similar
to
yemo,
but
it's
not,
which
makes
it
tricky,
and
so
I
I
focused
on
nugget
instead,
because
the
syntax
is
it's
just
json.
So
it's
passing
that
is
reliable
and
that's
the
graph.
The
log
file
itself
is
pretty
straightforward.
B
So
when
I'm
done
with
these
three
magic
quests
again
one
one
targeting
that
the
schema
one
targeting
command
and
the
other
one.
So
these
two
in
the
review
and
the
last
one
I'm
still
working
on
the
last
one
for
the
gymnastic
analyzer,
then
we'll
have
the
path
to
nuket
dependencies
and
and
then
I
can
move
on
to
other
lock
files
package
managers
it.
It's
then
it's
kind
of
easy.
Once
we've
got
the
framework,
the
interfaces
and
everything
and
first
of
all
the
the
schema.
B
B
We've
discussed
that
in
the
past,
not
the
past
in
the
past,
and
I
can
comment.
I
can
elaborate
on
that.
If
you
want
and
also
it's
it's
not
just
one
property,
it's
a
set
of
properties.
We
need
that
work
together
so
that
we
can
process
the
data
both
in
the
back
end.
I
mean
the
back
end
eventually
in
the
front
end,
and
that's
it-
I've
been
talking
for
a
while.
A
Yeah,
I've
I've
wrote
a
few
questions,
so
look
we
can
discuss
later
so,
like
updates
for
myself,
so
my
task
is
just
like
into
parts.
The
first
one
is
to
parse
report
and
the
second
one
show
this
into
a
response
in
click
and
show
it
to
front
end.
So
the
second
part
is
done
I've
we
had
the
schema
like
some
example
in
the
issue,
so
I've
like
we
use
this
and
I've
created
serializers
to
show
this
information,
but
I
don't
have
a
parser
and
like
if
we
have
analyzed
schema
for
the
report.
C
D
B
E
B
B
E
E
E
B
E
A
A
But
like
like
you're
saying
that
you
change
their
app
like
the
names
in
the
api
pillow
payload
from
the
beginner
from
the
front
end
right,
yep,
okay
and
we're
like,
because
we
actually
like
in
the
beginning
when
we
start
working
on
this
issue.
We
had
an
example
that
is
structured
like
in
the
entire.
E
B
E
E
E
B
Yeah
yeah,
it
is
two
things
I'd
like
to
say
here.
I
guess
there
was
misunderstanding.
It
was
just
a
proposal
at
first
so
yeah.
I
guess
there
was
communication
issue.
I
don't
know
how
you
could
we
could
have
done
better,
but
here
we
are,
and
that's
one
thing
second
out
of
three:
oh
I've.
This
I've
suggested
that
changed
because
that
tensioner,
because
it's
because
the
the
schema,
the
reaper
schema,
has
changed
and
I
tried
to
keep
to
keep
it
consistent
with
with
the
report
report.
Syntax.
B
That
being
said
in
the
end,
it
doesn't
really
matter
if
you're
happy
with,
if
you're,
both
happy
with
what
it
was
before,
ancestors
and
and
top
level
like.
I
don't.
It
doesn't
really
matter
to
me.
It's
just
that
there
would
be
a
significant
discrepancy
between
what
we
have
in
the
in
the
report
and
what
we
have
served
to
the
front
end,
which
is
fine.
So
it's
up
to
you
already.
A
No,
I
agree
that,
like
we
are
still
in
progress,
so
everything
like
this
began
to
image
requests.
It's
just
an
interrupt
mode
right
now
and
like
if
we
can
like
have
everything
synchro
like
have
synchronous
names
everywhere.
So
it's
better.
So,
let's,
let's
just
update,
so
it's
not
like
just
that.
I
guess
it
will
be
just
five
minutes
change.
E
E
Yeah
I
mean,
like
I,
mean
yeah,
I'm
agreeing
to
your
point
that
yeah
we
never
like
put
a
lock
on
it
like
this.
Is
the
final
schema
so
yeah
I
was.
I
was
expecting
those
changes,
so
I
never
closed
the
front
end
issue
because
of
that
and
yeah,
and
I
also
agree
like
that.
We
know
that
these
changes,
because
these
are
more
readable
and
and
it's
good
to
have
the
same
ski
schema
for
front
and
back
and
and
back
in
and
the
the
thing
you
are
working
on.
B
B
B
Again,
no
that's
the
other
way
around
when
listing
valencies
volunteers
and
it's
kind
of
complicated,
like
maybe
it's.
This
excessively
complicated
we've
got
the
location
within
the
location.
We've
got
the
dependency,
and-
and
here
we've
got
we-
we
skip
this
level,
which
is
fine.
I
like
it.
Actually
it's
it's
very
readable,
but
just
I
wanted
to
pinpoint
this
difference
between
what
we
have
in
the
report
and
what
we
have
well,
it's
returned
by
the
api
and
was
wondering
about
this
difference,
but
I'm
fine
with
it
really,
but.
A
A
A
B
D
A
Yeah,
but
if
we
can
like,
if
we
can
like
used
to
write
names
right
now,
it's
better
to
do
it
similar
names,
yeah
sure
yeah,
because
we'll
will
there
is
a
chance
we
want
to
get
in
the
next
months.
For
example,
this
is
your
name
and
it
will
be
last
forever
and
but
look
at
this
dependency
path
like
for
me.
It
looks
more
like
like
the
fancy
graph,
but
this
one
doesn't
actually
like
actually
have
a
question
about
it.
B
No,
I'm
saying
I'm
just
noting
saying:
no
because
not
oh,
it's
not
a
graph,
it's
a
one
possible
path,
and
I
remember
having
long
discussions
about
that
with
kya
and
mark,
but
you
two
were
not
part
of
the
discussions,
and
so
maybe
we
need
an
intro
to
this
feature
yeah.
So
what
about
an
intro
to
to
this
feature
from
I
mean
going
back
to
the
concepts
so
to
speak?
Is
that
something
yeah
need
for
that
yeah?
I
guess
this
is
what
what
was
your
your
your
question,
your
I
mean
your
request
yesterday.
E
B
E
B
B
You're,
I
mean
it's
fine,
I'm
fine
with
that,
but
it's
not
yeah.
The
easiest
easiest
scenario
so,
but
one
thing
we
can
say
here
is
that
okay,
we've
got
two
files,
one
identify
you
edit
by
I
mean
new
as
a
developer,
and
that
is
package.json
and
the
other
one,
the
log
file
that
is
generated
the
so
from
now
on.
No
I'm
sorry,
I'm
going
to
say
dependency
file
as
opposed
to
log
file.
B
E
B
B
B
B
B
B
A
B
Of
these
transients
indirect,
all
transitive,
this
is
a
dependency
that
is
not
directly
project
dependency,
but
something
your
project
depends
on
because
it
depends
on
on
the
package
that
depends.
That
depends
depends
on
this.
Okay,
as
so,
it's
either
direct
or
not
like
can't
debuff
direct,
indirect
okay.
Does
that
make
sense.
D
A
A
A
B
E
B
B
E
B
B
You
know
what
to
do
because
you
were.
You
were
the
one
adding
this
dependency
to
your
project
in
the
first
place
or
one
another
developers
of
you
of
your
team.
But
it's
something
you
can
easily
it's
actionable!
That's
my
point!
You
can
make
sense
of
that
one
and
it's
actionable
because
you
know
it's
it's
there,
it's
in
your
diploma!
Okay!
B
E
B
B
E
B
Precisely
so
yeah
we
know
it's
phenomenal,
but
as
a
user
as
a
developer,
it
doesn't
make
sense
to
me,
because
I
know
I
don't
know,
I
don't
even
know.
Actually,
maybe
I
didn't
even
know
it
was
there
like.
Oh
slash.
What
is
that
yeah
and
I
want
I
want
answers,
because
if
I
don't,
if
I
don't
know
where
it
comes
from,
so
to
speak,
how
it
relates
to
the
top
level
dependencies
diary
dependencies?
I
can't
even
I
don't
even
know
what
to
update
like.
B
B
Well,
first,
let's
consider
one
version
of
slash
because
actually,
since
we
are
using
yarn,
you
may
have
multiple
versions
of
slash
in
your
project
but
say:
let's
consider
one
version
of
slash
like
slash:
can
you
go
to
slash
yeah,
slash
one
zero
zero
and
this
one
is
affected.
Somehow
it's,
it's
might
very
well,
be
it's
it's
possible
that
we've
got
this
dependency
slash
because
of
multiple
direct
dependencies
of
your
project.
B
E
B
B
There's
a
web
of
connections
between
your
project
and
any
evil
dependency
and
there's
more
than
one
path.
There
are
multiple
paths
but
yeah,
it's
a
and
if
the
web
of
the
the
entire
web
of
of
connections
between
the
dependencies
is
the
graph
like
the
full
dependency
graph,
then
the
answer
to
what
is
between
the
the
root
node,
that
is
the
project
itself
and
this
affected
dependency.
B
B
Yes,
yeah:
what
sorry
for
the
noise
we've
decided
that
he
would
be
one
of
us
one
of
the
shortest
paths.
Okay,
the
first
idea
that
came
up
was,
let's
take
the
shortest
path,
but
wait
a
minute.
We
may
have
multiple
shortest
paths
like
and
actually
that's
when
experimenting
on
that
it.
It
came
very
quickly
like
camera
very
quickly.
I
was
working
on
a
graph
in
this
three
shortest
path.
B
A
So
like
a
question,
so
we
have
this
defensive
list
page
and
users
use
it
to
like.
They
have
information
about
dependencies
there
about
vulnerabilities
and,
for
example,
for
example.
I
have
this
dependency
list
and
have
this
slash
dependency
on
this
page,
and
I
see
it
has
vulnerability
so
like,
and
I
have
this
dependency
path
to
it,
so
how
it
it
can
help
me,
for
example,
to
fix
this
vulnerability
or
it
shouldn't
help
me.
B
B
A
B
Well
but
yeah,
but
if,
if
the
problem
is
solved
in
the
context
of
one
dependency,
then
the
it's
yeah,
it
will
remain,
but
the
path
will
be
different
and
you
can
iterate
that
way.
I
know
it's
not
great,
but
keep
in
mind
that
this
is
specific
to
yarn
and
it
just
starts
yes,
but
I
know
and
also
three
options.
One
option
is
to
update
like
trying
to
get
to
to
to
get
to
the
highest
version
in
range.
B
That's
my
definition
of
update,
it's
not
consensual,
but
that's
mine
might
work,
in
which
case
it's
cool,
like
it's
great
and
by
knowing
the
the
dependency,
the
top
the
direct
level
dependency
involved
you
can
make,
depending
on
the
package
manager,
you
can
do
some
kind
of
conservative
upgrade
updates
right.
You
update
just
this
one
because
you
don't
want
to
mess
with
the
others.
B
It's
not
safe,
like
you're,
not
sure
you've
got
good
test
coverage
on
things
like
that.
Like
you,
don't
trust
that
big
upgrade
update
you
just
update
this,
so
that
would
be
the
value
of
knowing
the
path
one
path
and
if
it
doesn't
work
then
at
least
you
know
what
requirement
should
be
changed
like.
Maybe
you
should
you
have
to
upgrade
from
swell
one
two
to
sweat
to
the
zero?
Something
like
that.
B
E
A
B
Something
sorry
something
quite
important:
I
forgot.
If
the
path
leads
to
a
death
dependency,
then
you
that's
very
informative
from
that
you
mean
you
might
infer
that
it's
not
you're,
not
at
risk,
because
the
only
path
to
this
vulnerable
dependency,
transitive
dependency
is
direct
dependency.
That
is
development
dependencies,
so
there
would
be
no
risk
at
runtime.
B
A
A
B
B
A
B
B
D
B
This
list,
having
a
list
of
ancestors
for
each
dependency,
doesn't
scale
like
it's,
not
it.
It
doesn't
scale
it's
it's,
not
the
right
tool
if
you
want
to
build
to
build,
wait.
First,
sorry,
sorry
for
the
confusion,
confusion!
First!
It's
not!
You
can't
express
a
graph
this
way,
so
there
would
be
a
significant
change
if
you
wanted
to
communicate
a
graph
to
the
front
end
and
the
graph
has
to
be
exhaustive.
B
You
can't
you
can't
truncate
the
graph
unless
you
implement
some
some
kind
of
query
api
endpoint,
where
you
can
ask
what
is
the
subgraph
for
this?
What
is
the
script
graph
for
that?
But
then
we
would
have
complexity
on
the
back
end,
all
that
to
say
that
there
are
technical
considerations.
We
don't
yeah
one
step
at
a
time.
I
guess
that's
a
takeaway.
A
E
E
I
mean
it
could
help
in
a
way
that
you
know,
if
so,
is
a
npm
ecosystem,
like
they're,
very
small,
small
dependencies,
and
if,
let's
say
if
this,
this
is
one
that
we
have
a
vulnerability
in
every
and
we
also
have
a
vulnerability
in
zeb
and
as
a
developer,
I
would
want
to
consider
upgrading
zap
directly
so
that
it
might
resolve
the
dependency
in
every
like,
as
as
itself
is
dependent
on
it.
So
that
was
my
second
question
as
well.
E
B
E
B
Would
you
would
you
would
break
the
contract,
yeah
major
major
upgrade
and
might
break?
Who
knows
might
be
fine
with
my
break
yeah,
let's
see
that's
why
I
wanted
a
glossary
to
introduce
all
these
terms,
especially
update
compared
to
upgrade,
because
because
definitions
vary
anyways.
Does
that
answer
your
question?
Yep,
okay,
good.
B
A
B
B
C
A
E
B
B
A
A
Okay,
so
we
can
use
nugget
test
project
to
test
this
video
cool
yeah,
the
second
one
we
discussed
and
the
last
one
like
is,
it
makes
sense
in
the
future
when
we
have
this.
The
shortest
path,
like
as
a
update
of
the
this
page,
is
it's
like.
Is
it
reasonable
to
have
this
like
flag?
Show
me
all
the
direct
dependencies?
A
B
A
B
B
B
B
Ideally
we
would
pass
the
depth
files
along
with
the
log
files
and
we
would
merge
the
data.
Ideally
we
would
do
that
and
there's
an
issue
about
doing
that.
In
many
cases,
that's
the
only
way
to
know
whether
dependency
is
dependency
or
runtime
dependency,
which
is
very,
very
important
from
a
security
perspective.