massive spike in dependencies, including security vulnerabilities

[electrovir]

Some went seriously wrong with the version 0.4.4 release: it has 401 direct dependencies, including security vulnerabilities, while version 0.4.3 has 0 dependencies.

[LeaVerou]

Yikes, thanks for letting us know! My first thought was that something that was a dev dependency must have been added as a regular dependency, but it doesn't look like it. Investigating…

[LeaVerou]

Ok, that's odd. The package.json that's published on npm seems to have a huge list of dependencies, but the package.json in the repo does not. WTAF.

[LeaVerou]

Fixed in v0.4.4-patch.1! Thanks again so much for bringing this to our attention! Still no clue how this happened. 🤷🏽‍♀️

[jgerigmeyer]

@LeaVerou Unfortunately while v0.4.4-patch.1 is installed correctly as the latest release, it doesn't satisfy common semver ranges -- for example, existing projects with "colorjs.io": "^0.4.3" will now get v0.4.4 installed instead of the patched release. Would you consider re-releasing as v0.4.5?

[LeaVerou]

Yikes. that seems like a bug in semver, but fixed anyway. @jgerigmeyer do you use the same username on npm? I should add you there too