build(deps): bump ua-parser-js from 1.0.2 to 1.0.33 in /packages/browser-sync#2007
Bumps [ua-parser-js](https://github.com/faisalman/ua-parser-js) from 1.0.2 to 1.0.33.
- [Release notes](https://github.com/faisalman/ua-parser-js/releases)
- [Changelog](https://github.com/faisalman/ua-parser-js/blob/master/changelog.md)
- [Commits](faisalman/ua-parser-js@1.0.2...1.0.33)

---
updated-dependencies:
- dependency-name: ua-parser-js
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Sorry, only users with push access can use that command.

@shakyShane Thank you for your earlier work with this repository Shane!! Can you please approve this pull request? :)

This PR should fix #2009

Thank you guys for earlier work. Can one of you approve this PR? :) @emgeee @PaulKinlan @brutaldev @shakyShane

Please, can somebody with write access approve this PR? :)

@shakyShane Can you please approve this pull request? You seem to be the only one with write access.

on it

@anton-x-t it is super unprofessional and incredibly disrespectful to spam everyone who has ever contributed to the project. Second to that, this vulnerability only affects projects that are actually hosted, and browser-sync is a development tool. NPM's audit tools are designed for hosted, publicly accessible node projects and no one should be using browser-sync in that way.

@shakyShane Thank you very much for approving and merging! Appreciate it!! And I think many developers will appreciate this without knowing. Thanks a bunch!!

Yeah, dependabot can cause these types of issues. I'm pretty sure 99% of the 'security vulnerabilities' that I've fixed are not actually vulnerabilities for any Browsersync uses (as @lachieh alludes to above). Regardless, I am the sole maintainer with write access and this project is used widely, so I should be on top of these things. In the future, to prevent blasting notifications to everyone here, you can always just reach out on twitter instead 💪🏻

Thank you for explaining! @shakyShane

I'm sorry @lachieh

Thanks @shakyShane for your work, which is best in its class (IMHO). @lachieh, you are correct that browser-sync is a development tool. I worked around the matter by writing an NPM publish script which strips out all dev dependencies (which includes browser-sync) from package.json. It is effective, but just another extra step to maintain and break in the future.

Thanks @citkane - that's a valuable perspective that I will consider more going forward :)
Bumps ua-parser-js from 1.0.2 to 1.0.33.

Changelog
Sourced from ua-parser-js's changelog.

Commits
- 67005e3 Update patch version to 1.0.33 as a mirror of 0.7.33
- f2d0db0 Bump version 0.7.33
- a6140a1 Remove unsafe regex in trim() function
- a886604 Fix #605 - Identify Macintosh as Apple device
- b814bcd Merge pull request #606 from rileyjshaw/patch-1
- 7f71024 Fix documentation
- c239ac5 Merge pull request #604 from obecerra3/master
- 8d3c2d3 Add new browser: Cobalt
- a2b2e80 Update patch version to 1.0.32 as a mirror of 0.7.32
- d11fc47 Bump version 0.7.32

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.