Updates to latest version of debug package #31
Conversation
package.json
Outdated
| @@ -18,7 +18,7 @@ | |||
| "dependencies": { | |||
| "balanced-match": "0.1.0", | |||
| "color": "^0.11.0", | |||
| "debug": "~0.7.4", | |||
| "debug": "3.1.0", | |||
There was a problem hiding this comment.
You should use "^3.1.0" to get automatic patches in the futur.
There was a problem hiding this comment.
ooof, that makes nervous. I always pin to an exact version because I've been burned time and time again by upstream deps making breaking changes with incorrect semver. I trust no one!
But could go a different route on this project if you think it's best.
There was a problem hiding this comment.
debug is very widely used and I think it's more than safe to rely on it this way.
Otherwise you can go with ~3.1.0 but I think ^3 is ok
There was a problem hiding this comment.
Cool. Went with with ^
Just curious on your projects do you decide what versions to let in based on each package? Like debug is stable, so pretty safe, but a less widely used one might get a tilde or pinned to a version?
There was a problem hiding this comment.
Today, I am using ^ everywhere + yarn (so yarn.lock) in order to get reproductible install and I don't have semver fail problems :)
There was a problem hiding this comment.
Ah! Gotcha, that makes sense. Thanks.
|
@finnhvman Do you want to give this a quick look? |
fixes #30
As described in #30 and the related links, there was a vulnerability in the debug package. This PR updates to the latest 3.1.0 version of that package to avoid that security issue.