Bump stringstream from 0.0.5 to 0.0.6 #464
Conversation
Coveralls: Pull Request Test Coverage Report for Build 566
@connectdotz I assume we can easily merge this?
I would think so. There are other security alerts as well; what do you think about doing the following:
if all goes well, maybe we should consider a release
Looks like 2 security alerts couldn't auto-generate PRs... when I rebase the generated PRs, there are a few merge conflicts since the beta yarn.lock is quite different from master... I now think it is probably better if we merge beta to master first, then regenerate the security PRs from the new master to avoid manually resolving conflicts... what do you think?
The two alerts hadn't been fixed, since for example for fixing |
Rebase is easy, but resolving merge conflicts in yarn.lock manually is quite tedious, especially since most dependencies are indirect. I would avoid that as much as possible. I think the easiest way would be to first merge beta to master, then trigger the security PRs (quite easy) against the new master; at least 7 of the 9 can be merged this way without conflict. The other 2 I haven't looked deeply into; it would be great if you can follow up with those... btw, did you get a chance to run 3.0.0 on Windows? I think this might be the biggest question mark blocking the beta merge to master; we don't have any confirmation from Windows users... if you can run 3.0.0 on Windows then I could merge beta to master and at least incorporate 7 security alerts this weekend...
I think it would be enough to just keep one version of the lock file and manually run
I'll do it as soon as we have decided or merged beta->master.
I have run a few test repos and so far all of them ran smoothly.
beta has introduced quite a few updated packages, so the yarn.lock looked very different from master; you can see what kind of merge conflicts arise after rebasing the auto-generated PR, which is based on master, onto beta here
Oops, ok that isn't working. I'm going to update the components by hand.
@dependabot rebase |
Bumps [stringstream](https://github.com/mhart/StringStream) from 0.0.5 to 0.0.6. - [Release notes](https://github.com/mhart/StringStream/releases) - [Commits](mhart/StringStream@v0.0.5...v0.0.6) Signed-off-by: dependabot[bot] <support@github.com>
(force-pushed: d1541fb to 6181b26)
Closing in favor of #472. The beta branch should have all security issues patched now.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps stringstream from 0.0.5 to 0.0.6.
Commits
- fee31c5 0.0.6
- 2f4a9d4 Merge pull request #9 from mhart/fix-buffer-constructor-vuln
- afbc744 Ensure data is not a number in Buffer constructor
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
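The commit "Ensure data is not a number in Buffer constructor" in the list above addresses the well-known hazard of Node's legacy Buffer() constructor: Buffer("42") copies two characters, but Buffer(42) allocates 42 bytes, and before Node 8 that allocation was uninitialized heap memory. The following is an added example, not StringStream's code and not the upstream fix: `unsafeToBuffer`, `safeToBuffer` and `collect` are hypothetical helpers, the input chunks are constructed, and coercing a number to its decimal string in the hardened version is this example's choice rather than something the commit is known to do.

```javascript
'use strict';
// Added example, not StringStream's code. Shows why a write() that forwards
// its chunk to the legacy Buffer() constructor is dangerous, and one guard.

// Vulnerable shape (hypothetical helper): the chunk goes straight into Buffer().
// Buffer("42") copies the two characters, but Buffer(42) ALLOCATES 42 bytes.
// Before Node 8 that allocation was uninitialized heap memory, so a numeric
// chunk leaked whatever the process had previously freed there. Node >= 8
// zero-fills it (and emits the DEP0005 deprecation warning), which hides the
// leak but still replaces the digits with N bytes of filler in the output.
function unsafeToBuffer(data) {
  return new Buffer(data); // eslint-disable-line no-buffer-constructor
}

// Hardened shape (hypothetical helper): resolve the type ambiguity before any
// allocation, then use Buffer.from(), which never takes a size argument and
// throws a TypeError if handed a number.
// Coercing a number to its decimal string is this example's choice; rejecting
// numbers with a TypeError is the stricter alternative.
function safeToBuffer(data, encoding = 'utf8') {
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'number') data = String(data);
  if (typeof data !== 'string') {
    throw new TypeError(`chunk must be a string, Buffer or number, got ${typeof data}`);
  }
  return Buffer.from(data, encoding);
}

// Minimal stand-in for a StringStream-style collector: every chunk written is
// converted with the supplied helper and the pieces are concatenated.
function collect(chunks, toBuffer) {
  return Buffer.concat(chunks.map((chunk) => toBuffer(chunk)));
}

// Constructed input: a caller writes a numeric id between two string fragments.
const CHUNKS = ['id=', 42, '&x=1'];
console.log('unsafe:', JSON.stringify(collect(CHUNKS, unsafeToBuffer).toString()));
console.log('safe  :', JSON.stringify(collect(CHUNKS, safeToBuffer).toString()));
```

With the unsafe helper the collected output is 49 bytes long (3 + 42 + 4), the numeric chunk having become 42 bytes of filler instead of the text "42"; with the hardened helper it is the 9-character string "id=42&x=1". The same type check belongs in any stream or codec that accepts untyped chunks, since a caller-controlled number is otherwise a caller-controlled allocation size.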