https://bugzilla.redhat.com/show_bug.cgi?id=1518262

--- Comment #5 from Neal Gompa <ngompa13@xxxxxxxxx> ---
(In reply to Zuzana Svetlikova from comment #4)
> > Upstream does not advise that yarn sources are retrieved from npm and suggests it should be packaged from the pristine sources uploaded to GitHub.
>
> I haven't seen such information. But I admit, that among alternative install
> methods[1] they state "installing from npm is not recommended due to
> security risks" and rather provide their own tarball, which is, however, the
> same, contentwise. I will change URL to that source [2].
>
> When I tried GH sources, I needed to install quite an amount of packages. To
> be exact:
> root@435574b62c7d:~/yarn# npm ls | wc -l
> 1725
> I would like to avoid that.

This means that you're bundling all those node modules, right? Then you need to
declare bundled() Provides for all the components you're bundling[1].

[1]: https://fedoraproject.org/wiki/Bundled_Libraries#Requirement_if_you_bundle
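
One way to produce the bundled() Provides requested above, as an added example that is not part of the original comment or of Fedora's tooling: it walks a node_modules tree, including nested copies, and emits one line per distinct name and version. The `bundled(nodejs-<name>)` naming and the function names are assumptions, and the sample tree is constructed.

```python
import json
import os
import tempfile


def bundled_provides(root):
    """Return sorted Provides lines for every module bundled under root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        parent_dir = os.path.dirname(dirpath)
        parent = os.path.basename(parent_dir)
        grandparent = os.path.basename(os.path.dirname(parent_dir))
        # A module lives at node_modules/<name> or node_modules/@scope/<name>;
        # any other package.json (fixtures, examples) is not a bundled module.
        is_module = parent == "node_modules" or (
            parent.startswith("@") and grandparent == "node_modules")
        if not is_module or "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        name = meta.get("name") if isinstance(meta, dict) else None
        version = meta.get("version") if isinstance(meta, dict) else None
        if isinstance(name, str) and isinstance(version, str):
            found.add((name, version))  # nested copies with another version stay
    # Assumed naming scheme: bundled(nodejs-<name>). Versions are emitted as
    # declared; one containing "-" is not a valid RPM version and needs editing.
    return ["Provides: bundled(nodejs-%s) = %s" % nv for nv in sorted(found)]


def make_sample_tree():
    """Build a constructed node_modules tree in a temp dir and return its path."""
    root = tempfile.mkdtemp()
    manifests = {
        "node_modules/alpha": ("alpha", "1.0.0"),
        "node_modules/@scope/beta": ("@scope/beta", "2.0.0"),
        "node_modules/@scope/beta/node_modules/alpha": ("alpha", "1.1.0"),
        "node_modules/alpha/test/fixture": ("fixture", "0.0.0"),  # ignored
    }
    for rel, (name, version) in manifests.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version}, fh)
    return root


if __name__ == "__main__":
    print("\n".join(bundled_provides(make_sample_tree())))
```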