Comparing main...SDK-6077 · box/boxcli · GitHub
base repository: box/boxcli
base: main
head repository: box/boxcli
compare: SDK-6077
  • 1 commit
  • 1 file changed
  • 2 contributors

Commits on May 14, 2026

  1. fix: Exclude devDependencies from published npm-shrinkwrap.json

    The prepack script ran `npm shrinkwrap`, which in modern npm simply
    renames the existing package-lock.json to npm-shrinkwrap.json. Because
    the dev lockfile tracks both dependencies and devDependencies, the
    published tarball shipped 1372 packages (818 marked "dev": true),
    surfacing dev-only CVEs to end users via `npm audit`.
    
    Regenerate a prod-only lockfile before shrinkwrap so the published
    npm-shrinkwrap.json only contains production dependencies. Verified
    locally: 563 packages, 0 dev entries, 0 audit vulnerabilities.
    
    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
    keanuharrell and claude committed May 14, 2026
    a540c20
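
The commit message above counts lockfile entries marked `"dev": true`. The following is an added example, not code from box/boxcli, of a check that could be run on the generated npm-shrinkwrap.json before publishing. The function names and the sample lockfile are constructed for illustration, and the code assumes the standard npm lockfile layout (a flat `packages` map in lockfileVersion 2 and 3, a nested `dependencies` tree in version 1).

```javascript
// Added example: audit a parsed npm lockfile object for dev-only entries.
// Constructed sample lockfile; the package names are made up.
const sampleShrinkwrap = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cli", version: "1.0.0" },
    "node_modules/prod-lib": { version: "2.1.0" },
    "node_modules/prod-lib/node_modules/nested": { version: "0.3.0" },
    "node_modules/test-runner": { version: "9.0.0", dev: true },
    "node_modules/lint-tool": { version: "4.2.0", dev: true },
    "node_modules/shared-util": { version: "1.0.0", devOptional: true },
  },
};

// Returns { total, dev, devPaths } for a parsed lockfile or shrinkwrap object.
function auditLockfile(lock) {
  const entries = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") entries.push({ path, dev: meta.dev === true });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, so walk it recursively.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        entries.push({ path, dev: meta.dev === true });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  } else {
    throw new Error("no packages or dependencies map found in lockfile");
  }
  const devPaths = entries.filter((e) => e.dev).map((e) => e.path);
  return { total: entries.length, dev: devPaths.length, devPaths };
}

// Release gate: throws if any entry is flagged as a devDependency.
function assertProdOnly(lock) {
  const result = auditLockfile(lock);
  if (result.dev > 0) {
    throw new Error(`${result.dev} of ${result.total} entries are dev-only, e.g. ${result.devPaths[0]}`);
  }
  return result;
}
```

To use it on a real file, pass the result of `JSON.parse` on the contents of npm-shrinkwrap.json to `assertProdOnly` in a prepublish or CI step.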