Pull Request Test Coverage Report for Build 3762191427

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.002%) to 42.149%

Totals
Change from base Build 3760346861:	0.002%
Covered Lines:	28580
Relevant Lines:	62972

💛 - Coveralls

Is there a way to update these packages through package.json, such as bumping whatever is bring in these dependencies. Typically it's better to manage the packages that way.

Agreed, especially for major version updates directly updating the yarn file like this is risky.

I'm not even sure how this is working - azurecore/yarn.lock has @azure/msal-node which has a dependency on jsonwebtoken ^8.5.1, which 9.0.0 doesn't satisfy...if you run yarn install from that folder again I expect it will come up with some changes to the yarn.lock to pull in the versions it needs.

"@azure/msal-node@^1.9.0":
  version "1.14.2"
  resolved "https://registry.yarnpkg.com/@azure/msal-node/-/msal-node-1.14.2.tgz#8f236a19efa506133d6c715047393146af182e3a"
  integrity sha512-t3whVhhLdZVVeDEtUPD2Wqfa8BDi3EDMnpWp8dbuRW0GhUpikBfs4AQU0Fe6P9zS87n9LpmUTLrIcPEEuzkvfA==
  dependencies:
    "@azure/msal-common" "^7.6.0"
    jsonwebtoken "^8.5.1"
    uuid "^8.3.0"

Found it, I should be adding "resolutions" for major bump :)

That's still generally just an (unsafe) workaround. If msal-adal expects the package to have a certain API but that's changed in the 9.0 update then it can break - or even worse have some issue that isn't directly apparent but causes unexpected bugs to occur.

If there isn't a direct update to msal-adal that we can take the next step would be checking to see if this update is actually required i.e. what is the issue and does it even affect us? If it doesn't then it would usually be better to just dismiss the alert instead of pulling in potentially breaking changes.

We don't have a new @azure/msal-node package that resolves this as of today, and it seems safe to me, given this change has recently been made here: AzureAD/microsoft-authentication-library-for-js#5503 without any code changes, and I also tested it locally, so didn't notice change of behavior.

If there isn't a direct update to msal-adal that we can take the next step would be checking to see if this update is actually required i.e. what is the issue and does it even affect us? If it doesn't then it would usually be better to just dismiss the alert instead of pulling in potentially breaking changes.

It definitely affects us in azurecore extension now that we support MSAL, you can read more.

I will proceed to merge for now, and we will eventually be updating to official msal-node package soon as they release it.