Upgrade async to 3.2.3 #225
Thanks, I'll look into it, but I'm not sure it's worth it (breaking the compat and all). I think we should even archive this repo and encourage people to use alternatives; here's a super simple one, for example: https://replit.com/@caub/prompt#index.js
That makes sense. I agree with putting this lib in maintenance mode, at least, and actively encouraging others to use other libraries. Personally, I’m maintaining a project that adopted prompt a long time ago. Moving to an alternative would require some serious rework of our CLI tool. Ideally, this project would continue to implement security patches as needed so we could avoid that headache on our end. I notice the last two PRs are also security upgrades. Would it make sense to note in the README that the project is deprecated and maintained with security updates only?
Ok, so I guess we need to do a major version upgrade here (due to compat change) or not?
A SemVer purist would say a major version increment is necessary. Pragmatically, I’m not sure how many people will be impacted in practice.
This addresses a vulnerability in all async versions below 3.2.2 as advised on the Snyk page. Unfortunately, upgrading to async@3.0.0 and above breaks compatibility for node < v6.0.0 and this PR is technically a breaking change.