Exam AZ-400 topic 7 question 36 discussion

Is it a typo? There is no devDependencies in the package-lock.json. The given comment refers to the devDependencies section in package.json

Yeah, probably a typo. Here's a link to article describing similar scenario with WhiteSource: https://docs.microsoft.com/en-us/archive/blogs/visualstudioalmrangers/manage-your-open-source-usage-and-security-as-reported-by-your-cicd-pipeline

B. Add a devDependencies section to Package-lock.json.

Correct answer is A, not B The File System Agent plug-in is a WhiteSource tool that scans the files and folders of your projects and reports the libraries and licenses that are detected. You can configure the File System Agent plug-in to scan only the Package.json files of your Node.js projects, and ignore the Package-lock.json and Npm-shrinkwrap.json files. This way, you will minimize the number of libraries reported by WhiteSource to only the libraries that you explicitly reference in the Package.json files. B. Adding a devDependencies section to Package-lock.json will not work, because the Package-lock.json file is automatically generated by npm and should not be manually edited. The devDependencies section in Package-lock.json reflects the devDependencies from the Package.json file of the dependency, not the project. Source: Bing AI :)

GPT: Adding a devDependencies section to the package.json file in order to run npm install --omit-dev is a valid approach for reducing the size of the installed packages and the time it takes to install them, but it is not the correct solution for minimizing the number of libraries reports by WhiteSource to only the libraries that you explicitly reference. The devDependencies section in package.json is used to specify the packages that are only required for development and testing, and not for the production use of the project. By default, the npm install command installs all dependencies, including those specified in devDependencies. However, by running npm install --omit-dev, you can exclude the packages listed in devDependencies from being installed. This can help reduce the size of the installed packages and the time it takes to install them, especially in production environments where only the packages needed for runtime are required.

Typo, it should be: " Add a devDependencies section to Package.json." in order to run npm install --omit-dev

Correct Answer is B

https://docs.microsoft.com/en-us/archive/blogs/visualstudioalmrangers/manage-your-open-source-usage-and-security-as-reported-by-your-cicd-pipeline: "Within your package.json file be sure you split out your npm dependencies between devDependencies and (production) dependencies" Answer is B (though like what others before me have pointed out, it's a typo; package.json and not package lock)

B. Add a devDependencies section to Package.json. (Not Package-lock.json)

correct answer but the change has to be made to package.json file

Info for related url https://docs.microsoft.com/en-us/azure/devops/migrate/security-validation-cicd-pipeline?view=azure-devops

Why do we need lock files? Lock files are intended to pin down, or lock, all versions for the entire dependency tree at the time that the lock file is created. Why is it important to use a package lock file and lock package versions? Without a package lock file, a package manager such as Yarn or npm will resolve the the most current version of a package in real-time during the dependencies install of a package, rather than the version that was originally intended for the specific package

answer B-confirm

Answer correct solving the typo error. It should be package.json instead of package-lock.json https://docs.npmjs.com/specifying-dependencies-and-devdependencies-in-a-package-json-file

According to this https://docs.microsoft.com/en-us/azure/devops/pipelines/ecosystems/javascript?view=azure-devops&tabs=code answer should be package.json