fix: bump debug dep to clear vuln #144

Closed
wants to merge 2 commits into from

@remy remy commented May 23, 2017

Details: https://snyk.io/test/npm/morgan/1.8.1

Note that I've also bumped the package version in preparation for release to npm - I wasn't sure what the etiquette was on this.

@dougwilson (Contributor) left a comment

Hi @remy thanks for the PR!

Yes, you don't want to include the version bump in the PR, as it causes two issues: (1) the npm version command will no longer work to make the release, since it wants to bump and commit itself and (2) there is actually a pending change that is a minor, so the bump would be minor anyway.

Also, I tagged this as "needs docs", as the History.md file is expected to be updated, documenting the dependency version upgrade as well as documenting all the changes that are included in the upgrade that affect this module's interface or dep tree (but not changes that are irrelevant to this module otherwise).

Let me know if you need help on any specifics for these and I'll get back as soon as I can :) !

@dougwilson (Contributor)

Hi @remy since I didn't hear back, and it is showing as bad on that site you referenced, I gave up waiting and just went ahead and made all the above changes and will publish an update in just a bit.

@remy (Author) commented May 24, 2017

Hey, just to follow up - looks good, thanks for making the changes and publishing.
