Upgrade async to 3.2.3 #225
Conversation
|
Thanks I'll look into it, but not sure it's worth (breaking the compat and all) I thijnk we should even archive this repo and encourage to use alternatives, here's a super simple one https://replit.com/@caub/prompt#index.js for example |
|
That makes sense. I agree with putting this lib in maintenance mode, at least, and actively encouraging others to use other libraries. Personally, I’m maintaining a project that adopted prompt a long time ago. Moving to an alternative would require some serious rework of our cli tool. Ideally, this project would continue to implement security patches as-needed so we could avoid that headache on our end. I notice the last two PRs are also security upgrades. Would it make sense to note in the README that the project is deprecated and maintain with security updates only? |
|
Ok, so I guess we need to do a major version upgrade here (due to compat change) or not? |
|
A SemVer purist would say a major version increment is necessary. Pragmatically, I’m not sure how many people will be impacted in practice. |
This addresses a vulnerability in all
asyncversions below 3.2.2 as advised on the snyk page.Unfortunately, upgrading to
async@3.0.0and above breaks compatibility for node < v6.0.0 and this PR is technically a breaking change.