A
B
Yes, and what about an update, an update on my work before I'm interrupted, possibly. So, I've been working on the schema and on the Gemnasium analyzer plus common library. So the schema, because we need to propagate the path, and when I say the path, actually it's one of the possible paths to a dependency.
B
We've got to make that part of the report, and to do that, we need to extend the report syntax, the report schema.
B
So that's one thing. It's under review, but the update of the schema is unstabilized. So I think we're good in relation to that. I've got a merge request targeting the common library to generate the new fields, again to add the path to the common library, and I'm still working on the Gemnasium analyzer to generate a path.
B
So hopefully it's not one big merge request. It's been split into five merge requests, I think, at this point, and I'm working on the last one; all the others have been merged. So four out of five merge requests have been merged. I think, yeah, two more things.
B
Maybe so. Initially I was supposed to generate the graph, I mean the path, that's the graph for yarn.lock files, but I changed my mind because there was the possibility that I got it wrong when parsing the file. So the yarn.lock is similar to YAML, but it's not, which makes it tricky, and so I focused on NuGet instead, because the syntax is just JSON. So parsing that is reliable, and that's the graph. The lock file itself is pretty straightforward.
B
So when I'm done with these three merge requests, again, one targeting the schema, one targeting common, and the other one. So these two are in review, and the last one, I'm still working on the last one for the Gemnasium analyzer. Then we'll have the path to NuGet dependencies, and then I can move on to other lock files, package managers. Then it's kind of easy, once we've got the framework, the interfaces and everything, and first of all the schema.
B
Then it's just a matter of writing code, no design, design problem-solving involved, and I think that's it, yes. And yeah, the second thing is that when I say a path, actually it's one of the possible paths.
B
We've discussed that in the past, not the past, in the past, and I can comment, I can elaborate on that if you want. And also it's not just one property, it's a set of properties we need that work together so that we can process the data both in the back end, I mean the back end, eventually in the front end, and that's it. I've been talking for a while.
A
Yeah, I wrote a few questions, so we can discuss later. So, like, updates for myself: my task is, like, in two parts. The first one is to parse the report, and the second one is to show this in a response in click and show it to the front end. So the second part is done. We had the schema, like some example in the issue, so we use this and I've created serializers to show this information, but I don't have a parser, and, like, if we have analyzed schema for the report.
C
D
B
E
Oh, okay, you were asking me if you answered my questions yesterday. Okay, I thought you were, it's.
E
Yeah, so regarding the update: on the front end side, there were a couple of sub-issues for this, which involved showing the dependency path in the UI. So one was showing the path as per the design, and the second was to put everything behind a feature flag.
E
And the pending part for now is to update the schemas, which we were having the discussion yesterday, and I think it's just.
B
B
Yes, is that okay with you? I mean, as long as we agree on term, it's fine. Yeah, okay, so we've got everything except that, at this point, we don't know the structure of what is said by the API endpoint.
E
Yeah, so I have been maintaining an implementation plan in terms of what is remaining, and I put it in the doc. So maybe it would be here and.
E
Yeah, so it's just a very small change which is required from my end to change the terminology, the API payload. Yeah, I'll do that once we finalize and, like, we also agree on it. So I think now we can discuss that part.
E
B
E
A
A
But, like, you're saying that you change, like, the names in the API payload from the beginning, from the front end, right? Yep, okay. And, like, because we actually, in the beginning when we started working on this issue, we had an example that is structured like in the entire.
E
E
My screen, so that we are all gonna be on the same page.
B
E
Yeah, can you link the merge request so that, you know, we can compare the before and after?
E
E
Yeah, perfect. So again, this is the structure which we decided, like, earlier for API payload, I guess. And based on the discussion we had yesterday, we just need to change ancestors with dependency path and top level with, what was that, direct dependency?
E
So, if you had followed the train out that this comment, where Fabian has, suppose, I'll ask us to change, so I assume that this is for the API payload, or was it not supposed, yeah.
B
Yeah, yeah, it is. Two things I'd like to say here. I guess there was a misunderstanding. It was just a proposal at first, so yeah, I guess there was a communication issue. I don't know how we could have done better, but here we are, and that's one thing. Second out of three: I've suggested that change because, that tensioner, because the schema, the report schema, has changed, and I tried to keep it consistent with the report syntax.
B
That being said, in the end, it doesn't really matter. If you're both happy with what it was before, ancestors and top level, it doesn't really matter to me. It's just that there would be a significant discrepancy between what we have in the report and what we have served to the front end, which is fine. So it's up to you already.
A
No, I agree that, like, we are still in progress, so everything, like this began to merge requests, it's just an interrupt mode right now, and, like, if we can have synchronous names everywhere, it's better. So let's just update, so it's not like just that. I guess it will be just a five-minute change.
B
And it's just one more thing: I, we, I'm not sure, we got it wrong when making this proposal.
B
Oligar told me that it should have been in the main issue for visibility, and that was not the case, and then it got complicated because there were potentially multiple places where we could discuss the same thing, that is, the API endpoint and what it returns.
E
I'm fine as long as I'm tagged into it, and I think it makes sense to be in the back end, because it's this specific issue discusses. And the earlier schema, which we decided, was also a proposed one. We never agreed to it, like, this is the sign-in.
B
I went on vacation, that's something else. I was, yeah, I was on vacation.
E
Yeah, I mean, I'm agreeing to your point that, yeah, we never, like, put a lock on it, like, this is the final schema. So yeah, I was expecting those changes, so I never closed the front end issue because of that. And yeah, I also agree, like, that, we know that these changes, because these are more readable, and it's good to have the same schema for front end and back end and the thing you are working on.
B
Because yeah, actually we have discrepancies, but, I guess, we're trying not to make things worse than they are. And one of the things, and I think it's intentional, I asked a question, we need to do that, yesterday, one of the things is that we don't have a dependency object.
B
We've got what we have here on this screen. Actually, it's a location object, so we've got the location object in the report schema, in the report, and we've got a location object in the API payload, but we don't have a dependency object.
B
B
Again, no, that's the other way around when listing valencies volunteers, and it's kind of complicated, like maybe it's excessively complicated. We've got the location; within the location we've got the dependency. And here we skip this level, which is fine. I like it, actually, it's very readable, but I just wanted to pinpoint this difference between what we have in the report and what we have, well, it's returned by the API, and was wondering about this difference. But I'm fine with it, really, but.
A
It's like what they can generate. It's, like, supposed to be, like, at the most, like, easy format for frontend bars, positive.
A
A
Yeah, so that's why, like, what we send from the backend, it looks like it's a very, like, straightforward data format for the front end, so for all the fields, all the information that we have to show.
B
Yeah, it's optimized for our frontend, and it doesn't have to be as stable as the report format itself, which is good, and maybe we shouldn't spend too much time discussing the property names because of that, because anyways we can change in the future, right? Yeah.
D
A
Yeah, but if we can, like, use the right names right now, it's better to do it, similar names. Yeah, sure, yeah, because there is a chance we want to get in the next months. For example, this is your name and it will last forever. But look at this dependency path, like, for me it looks more like the fancy graph, but this one doesn't, actually, like, actually have a question about it.
B
No, I'm just noting, saying no, because it's not a graph, it's one possible path. And I remember having long discussions about that with Kya and Mark, but you two were not part of the discussions, and so maybe we need an intro to this feature, yeah. So what about an intro to this feature, I mean, going back to the concepts, so to speak? Is that something, yeah, need for that, yeah? I guess this is what was your question, I mean your request, yesterday.
B
E
E
B
Okay, so can you give me the name of the other package you would explicitly add to your project in your, oh, what's the name of the show, yeah, again? Maybe you've got a project, yeah, great, if you've got a project you're familiar with.
E
This dependency, DOMPurify, and you can look at the, sorry.
E
So it doesn't have any hand.
B
You're, I mean, it's fine, I'm fine with that, but it's not, yeah, the easiest scenario. But one thing we can say here is that, okay, we've got two files: one you edit, I mean you as a developer, and that is package.json, and the other one, the lock file, that is generated. So from now on, I'm sorry, I'm going to say dependency file as opposed to lock file.
B
Okay, dependency file, lock file. So the dep file, the dependency file, is the one you edit as a developer, and the lock file is the one that is generated by the package manager. So what you added to your dep file was DOMPurify.
E
B
You know it's very, because it's explicitly referenced in your code base and it's been added to this dep file by you give approve, so that's a direct dependency of your project. Right, now, question.
A
So, like, it's the same, it's what we called previously top level dependency.
B
Yeah, but if I can avoid composed words and avoid the confusion between underscores and hyphens, like dashes, it's even better. And top level, I like this term, top level, but it's not so common. Direct.
B
It is more common, though it can be ambiguous, like, naming, is having all of that, yeah. So is it, and indirect is relative? I guess it's a direct dependency of your project.
B
Of your project, I repeat, of your project. It's all a direct project dependency. And then you've got many other dependencies, like, I guess you've got q in your yarn.lock. You know this package, q, it's pretty much over. Maybe it's there.
B
Sorry, it's q, just q. Yeah, no, q at, maybe q at, if you look for them.
B
B
B
B
So, okay, can you have a look at, can you search for shulk and slash, and you.
B
A
B
Of these, transient, indirect, or transitive: this is a dependency that is not directly a project dependency, but something your project depends on because it depends on the package that depends, that depends on this. Okay, so it's either direct or not, like, can't be both direct and indirect, okay? Does that make sense?
D
A
So are all the dependencies from slash, are they considered to be indirect for this project as well?
A
A
B
E
B
We have slash, three versions. Oh yeah, and that's something else. You've got multiple, because it's Yarn, you possibly have much more versions of the same package in the same project, because you've got one event, one package that depends on slash one, but another package.
B
I mean, somewhere in your dependency tree, that depends on slash two, but also another package that depends on three, and you end up having three versions of slash. That is unique to Yarn, I mean, considering what you support, as the only one keep people on that.
E
So I have one question here in terms of UI. We were talking about this table, so the people just would appear here, like, instead of, yeah, on the left-hand side, leftmost side, and here it would be obviously the unlock for this case, and the next point would be the slash.
B
B
As a developer, you know what's in package.json, because that's a file you edit, yep, right? Yeah, okay. So as a developer, if you say that one of the files there, sitting in JSON, let's say babel jazz, is vulnerable.
B
You know what to do because you were the one adding this dependency to your project in the first place, or another developer of your team. But it's something you can easily, it's actionable, that's my point. You can make sense of that one, and it's actionable because you know it's there, it's in your diploma. Okay.
B
So in that case, there's no path to show, because it's just there, it's a direct dependency. No path: it's the project, the dependency, nothing in between. And because there's nothing in between, it makes sense to developers working on the project.
E
Yeah, but we would also like to know what this particular project is dependent on.
E
So I added people just, but I would also like to know in the UI that it is dependent on slash, because tomorrow, slash, or one slash dependency, gets any vulnerability, then, depending.
B
On, yeah, and yes and no, depending on the problem you're trying to solve. If you're chasing vulnerable dependencies, you go to the dependency list, you know, in the UI, and at the top of the list you've got the vulnerable dependencies, and there you've got slash, and then you've got slash.
B
B
E
B
Precisely. So yeah, we know it's vulnerable, but as a user, as a developer, it doesn't make sense to me, because I don't know, I don't even know, actually, maybe I didn't even know it was there. Like, oh, slash, what is that? And I want answers, because if I don't know where it comes from, so to speak, how it relates to the top level dependencies, direct dependencies, I don't even know what to update.
B
I'm sure I can upgrade everything, like, oh, that, if I want to make a conservative upgrade, in the case, or maybe I should make a distinction between update and upgrade. But if running yarn upgrade is not enough, then what should I do? What is the problem?
E
No, now I get it completely, thanks. Thanks.
B
For so inviting, my pleasure, like, I'm so glad it makes sense now. The thing is, slash.
B
Well, first, let's consider one version of slash, because actually, since we are using Yarn, you may have multiple versions of slash in your project. But say, let's consider one version of slash. Can you go to slash, yeah, slash one zero zero, and this one is affected somehow. It might very well be, it's possible that we've got this dependency slash because of multiple direct dependencies of your project.
B
I don't know if that's the case. Can you look for slash, and, yeah, okay, three. Keep, yes, keep looking for slash with, okay, console, console needs two. Which one is that? Can you go up?
E
B
Oops, sorry. And I don't know if just console and just to direct dependencies or not, but in any case, all that to say that there are multiple paths to this dependency.
B
B
There's a web of connections between your project and any given dependency, and there's more than one path. There are multiple paths. And if the entire web of connections between the dependencies is the graph, like the full dependency graph, then the answer to what is between the root node, that is the project itself, and this affected dependency.
B
E
Okay, so let's talk too much, so this part is some sort of, like, shortest path, or, like, any preference, or just the one of it?
B
Yes, yeah. Sorry for the noise. We've decided that it would be one of the shortest paths. Okay, the first idea that came up was, let's take the shortest path, but wait a minute, we may have multiple shortest paths. And actually, when experimenting on that, it came very quickly. I was working on a graph in this, three shortest paths.
B
The three shortest paths had the same length, three champs, all three. So just one of these, because it's a hint. And okay, why one of the shortest? Because it's just easier than all of them. And why the shortest?
B
Because it's surely easier to make sense of a short path than it is to make sense of a long path. It can get complicated with cycles. You can get cycles also. We shouldn't go there for now. Yeah, sorry.
A
So, like, a question. We have this dependency list page, and users use it to, like, they have information about dependencies there, about vulnerabilities. And, for example, I have this dependency list and have this slash dependency on this page, and I see it has a vulnerability, and I have this dependency path to it. So how can it help me, for example, to fix this vulnerability, or it shouldn't help me?
B
It should, yeah, it should, because, I mean, I'm not familiar with this project, but developers are very likely to be familiar with swell, because it's a top level, direct dependency. Well, they might be familiar with the second one.
B
A
B
Well, but yeah, if the problem is solved in the context of one dependency, then, yeah, it will remain, but the path will be different and you can iterate that way. I know it's not great, but keep in mind that this is specific to Yarn and it just starts. Yes, but I know, and also, three options. One option is to update, like, trying to get to the highest version in range.
B
That's my definition of update, it's not consensual, but that's mine. Might work, in which case it's cool, like, it's great. And by knowing the dependency, the direct level dependency involved, depending on the package manager, you can do some kind of conservative upgrade, updates, right? You update just this one because you don't want to mess with the others.
B
It's not safe, like, you're not sure you've got good test coverage on things like that. Like, you don't trust that big upgrade, update, you just update this. So that would be the value of knowing the path, one path, and if it doesn't work, then at least you know what requirement should be changed. Like, maybe you have to upgrade from swell one two to swell two dot zero, something like that.
B
B
E
A
B
Sorry, something quite important I forgot. If the path leads to a dev dependency, then that's very informative. From that you might infer that you're not at risk, because the only path to this vulnerable dependency, transitive dependency, is a direct dependency that is a development dependency, so there would be no risk at runtime.
B
This is where this information is very useful, or maybe you know how this direct dependency is used and, yeah, because of the way it's used, nobody can leverage this energy, like, in this transient dependency.
A
A
B
Know, I remember Mark being a bit reluctant, but, I mean, we need more UX research, that's something, yeah, that was a conclusion, I guess we.
B
A
Okay, yeah, but, like, showing the dependency paths, it's really, I guess, helpful, because I know in the past I had some complaints when people don't understand why I have this dependency in my dependency list, I didn't add it. So yeah.
B
B
D
B
This list, having a list of ancestors for each dependency, doesn't scale. It's not the right tool if you want to build, wait. First, sorry for the confusion. First, you can't express a graph this way, so there would be a significant change if you wanted to communicate a graph to the front end, and the graph has to be exhaustive.
B
You can't truncate the graph unless you implement some kind of query API endpoint, where you can ask: what is the subgraph for this? What is the subgraph for that? But then we would have complexity on the back end. All that to say that there are technical considerations. We don't, yeah, one step at a time. I guess that's a takeaway.
A
E
I just have two quick questions. So in this screen, this swell is the dependency which, so, like, all these, the complete dependencies in the entire path will be listed in the dependency list? So, for example, swell and zeb, and all these will be listed in the entire list?
E
E
I mean, it could help in a way that, you know, it is an npm ecosystem, like, they're very small dependencies, and, let's say, if this is one that we have a vulnerability in every and we also have a vulnerability in zeb, and as a developer, I would want to consider upgrading zeb directly so that it might resolve the dependency in every, as itself is dependent on it. So that was my second question as well.
E
So as a developer, I would prefer upgrading a dependency which I have listed in package.json, rather than going a path where upgrading a subdependency, because it might break the main dependency.
E
B
B
See what I mean? If all the packages, all the dependencies of swell, follow semver, then you can upgrade and you should be fine as long as you stay within the same major location, because of the requirements, all the dependencies and all the advances, because of all the contracts between the dependencies, between the packages.
E
B
You would break the contract, yeah, major upgrade, and might break. Who knows, might be fine, might break. Yeah, let's see, that's why I wanted a glossary to introduce all these terms, especially update compared to upgrade, because definitions vary. Anyways, does that answer your question? Yep, okay, good.
B
A
I actually have another meeting in eight minutes, so, like, I have a few questions, I've brought in the questions. So do we have time for them, or, George, do you have any other questions that you want to discuss right now?
E
No, I'm good at everything.
A
So, like, the most important question for me is: do we have, like, the finalized schema version for reports, so I can start working on the parser, and where can I find it?
B
Oh, sorry, I was reading question d. Could you repeat that again?
B
B
C
B
I've assigned that to Cam in Australia, so we've got to wait till tomorrow morning.
A
And in.
E
So I think it would be great if we could link the MR here, or maybe anywhere, so that, you know, we know that once this MR is merged, like, we have put a lock on the schema, yeah.
B
B
A
B
Oh, sorry, no, again, I'm gonna start with NuGet, focusing on stability and test coverage, and then, if I have time, I might support another package manager in this release, but not sure about that.
A
Okay, so we can use a NuGet test project to test this video. Cool. Yeah, the second one we discussed, and the last one: does it make sense in the future, when we have this shortest path, like, as an update of this page, is it reasonable to have this, like, flag, show me all the direct dependencies?
A
C
What do you say? Yeah, I'd love to.
B
A
B
No, no, wait. It already exists, I think. Now, the problem is that we can't do that until we either have the data or the ability to make the distinction between.
B
Between transitive and, don't know, which is, actually it's going to be possible, but it hasn't been formalized. So I wouldn't do that. Like, you could, yeah, after I've merged all these merge requests, you could, you can implement.
B
You can implement a hack to do that in a safe way without taking the risk of hiding direct dependencies, but just because we don't know they are direct right now. Yeah, so here's the context, I'll try to make sure. But right now we just parse lock files.
B
Ideally we would parse the dep files along with the lock files and we would merge the data. Ideally we would do that, and there's an issue about doing that. In many cases, that's the only way to know whether dependency is dependency or runtime dependency, which is very, very important from a security perspective.
B
B
Lock files don't make explicit that a dependency is a direct dependency; it's something we infer, and in some cases I think we can't even infer that the dependency is a direct one. Yes, there are cases, if you've got a transitive dependency that depends on the direct dependency.
A
This is the feature, like, for the far future. Far, far from next.
A
Okay, cool. So I'll take a look at this new schema, and I definitely have some questions for you, Fabian, so I'll ask them, I guess, I'll secretly, and I'll update my merge request and ping you all in them.