Updates to latest version of debug package #31
Conversation
package.json
Outdated
@@ -18,7 +18,7 @@ | |||
"dependencies": { | |||
"balanced-match": "0.1.0", | |||
"color": "^0.11.0", | |||
"debug": "~0.7.4", | |||
"debug": "3.1.0", |
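Review bot: the exact pin `"debug": "3.1.0"` on the `+` line drops the range operator that the replaced `"~0.7.4"` line had, so a fresh install will never pick up later patch releases of debug; if the intent is to keep receiving fixes, use `"^3.1.0"` (or `"~3.1.0"`) and rely on a lockfile for reproducible installs. Separately, going from 0.7.x to 3.1.0 crosses several major versions while the hunk touches only package.json, so the PR should state that the project's uses of debug were checked against the 3.x API.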
You should use "^3.1.0" to get automatic patches in the future.
ooof, that makes me nervous. I always pin to an exact version because I've been burned time and time again by upstream deps making breaking changes with incorrect semver. I trust no one!
But I could go a different route on this project if you think it's best.
debug is very widely used and I think it's more than safe to rely on it this way.
Otherwise you can go with ~3.1.0 but I think ^3 is ok
Cool. Went with ^.
Just curious on your projects do you decide what versions to let in based on each package? Like debug is stable, so pretty safe, but a less widely used one might get a tilde or pinned to a version?
Today, I am using ^ everywhere + yarn (so yarn.lock) in order to get reproducible installs and I don't have semver fail problems :)
Ah! Gotcha, that makes sense. Thanks.
@finnhvman Do you want to give this a quick look?
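The thread above weighs an exact pin against `~` and `^` ranges. The following is an added example, not code from this PR or from the debug or npm projects: a minimal npm-style range matcher that implements just those three spellings (no prerelease tags, no `x`/`*` ranges, no hyphen ranges), run over a constructed list of release numbers (not the real debug release history) so the difference between `"3.1.0"`, `"~3.1.0"`, `"^3.1.0"` and the old `"~0.7.4"` is visible. It also covers the `^0.x.y` edge case that `"color": "^0.11.0"` in the same dependency block relies on, where caret only admits patch releases.

```javascript
// Added example: simplified semver range matching for exact pins, tilde (~)
// and caret (^) specs, as used in package.json "dependencies".
// Assumes plain MAJOR.MINOR.PATCH versions only (no prerelease/build tags).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a spec such as "^3.1.0".
function rangeBounds(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = parseVersion(op ? spec.slice(1) : spec);
  const [major, minor, patch] = base;
  if (op === '') return [base, [major, minor, patch + 1]];   // exact pin: only this version
  if (op === '~') return [base, [major, minor + 1, 0]];      // tilde: patch updates only
  // caret: any update that keeps the left-most non-zero component unchanged
  if (major > 0) return [base, [major + 1, 0, 0]];
  if (minor > 0) return [base, [0, minor + 1, 0]];           // ^0.x.y behaves like ~0.x.y
  return [base, [0, 0, patch + 1]];                          // ^0.0.z is effectively a pin
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(spec);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Which of the candidate releases a spec would let `npm install` pick.
function allowed(spec, candidates) {
  return candidates.filter((v) => satisfies(v, spec));
}

// Constructed sample release list; not the real debug release history.
const RELEASES = ['0.7.4', '0.7.5', '0.8.0', '2.6.9', '3.1.0', '3.1.1', '3.2.0', '4.0.0'];

for (const spec of ['~0.7.4', '3.1.0', '~3.1.0', '^3.1.0', '^0.11.0']) {
  console.log(spec.padEnd(8), allowed(spec, RELEASES).join(', ') || '(none)');
}
```

The output makes the trade-off concrete: `"3.1.0"` accepts only itself, so a fix shipped as 3.1.1 is never installed without another PR; `"~3.1.0"` admits 3.1.1 but not 3.2.0; `"^3.1.0"` admits everything below 4.0.0; and the old `"~0.7.4"` would never have reached the 3.x line at all. Whichever range is chosen, a committed lockfile is what actually fixes the resolved version for reproducible installs, which is the point made in the comment about yarn.lock.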
Looks good!
fixes #30
As described in #30 and the related links, there was a vulnerability in the debug package. This PR updates to the latest 3.1.0 version of that package to avoid that security issue.