updated dependency of semver to the latest version #8859
@fschaeffler: Thank you for submitting a pull request! Before we can merge it, you'll need to sign the Meteor Contributor Agreement here: https://contribute.meteor.com/
Looking at the commit history I'm fairly sure we can go all the way to
@abernix In order to prevent possible side effects, I only updated the package up to the first version in which the issue was fixed. But you're right, an update to 5.3.0 does make sense. So I'll update the PR.
Thanks @fschaeffler, looks good! We're almost LGTM here - we just need to generate and publish a new dev bundle version, and see the tests all pass with that new version, then we'll be good to go ( 👋 MDG 🙂 ).
@hwillson are there any further steps needed from my side to publish a new dev bundle version? As this is my first PR into https://github.com/meteor/meteor, I'm not sure which steps are needed for this to happen.
No, nothing else is required on your side - the next steps have to be handled by MDG staff (see Submitting "Dev Bundle" Pull Requests for more details). Thanks for asking!
I haven't had a chance to look into it, but I think we need to actually look at the reasoning behind `semver410.js` (added in 259f90b) before merging this.
Wow, good catch @abernix! Here are the only differences between

```js
// <METEOR>
// Fool the module system detection code below so that it doesn't
// do anything special.
var exports = SemVer, module = {}, define = {};
// Create a package-private variable. Can't use SemVer because
// of the code that says `function SemVer(...)` below (implicitly
// declaring a var). Can't use "semver" because that's a var in
// package-version-parser.js.
SemVer410 = SemVer;
// </METEOR>
```

So it looks like at one point it was necessary to override A lot has changed since this code was put in place, so we should (fingers crossed) be able to adjust things such that the
Also removed the underscore dependency while I was at it. cc @abernix @hwillson @fschaeffler Prerequisite for #8859.
Quick update here - once #8914 has been merged, we should be all set to continue with this PR.
The currently used version of semver does have a medium-level security issue. Therefore, the dependencies of `meteor-dev-bundle` have been updated.