chore(deps): bump foundation-sites from 5.5.2 to 6.7.5 #11314
Conversation
@jibees Do you know what we use this for?
794e370 to dd1a81d
Bumps [foundation-sites](https://github.com/foundation/foundation-sites) from 5.5.2 to 6.7.5.
- [Release notes](https://github.com/foundation/foundation-sites/releases)
- [Commits](foundation/foundation-sites@v5.5.2...v6.7.5)

---
updated-dependencies:
- dependency-name: foundation-sites
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dd1a81d to 1891a8c
I tried removing it and found that we're using JS and SCSS for features such as "topbar" and "panel", and probably more. This is a major upgrade. In fact, I've found that Foundation never provided a migration path from v5 -> v6, and it doesn't sound easy according to this post:

So... we'd need to plan to remove/upgrade/replace it. Or can we do nothing? Given that this includes JavaScript, and it's a common library, it's possible that we could become a target for any vulnerabilities. Looks like there are two known: https://security.snyk.io/package/npm/foundation-sites

So we could at least fix one of them by upgrading to v5.5.3, the last before v6. I'll see if that one's easy at least.
v5.5.3 looks like an easy upgrade. But what to do about the existing vulnerability? Ok, so does it actually affect us? I don't think so. Introduced in this commit, we can see it's inside the So if we're not affected, can we stay on v5.5.2 for now? I think so. Sound ok to you @mkllnk ?
Sure. Let's just keep it as is. We will replace it one day...
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps foundation-sites from 5.5.2 to 6.7.5.
Release notes
Sourced from foundation-sites's releases.
... (truncated)
Commits
- f3267f2 Merge branch 'release/v6.7.5'
- fc7065c build: 6.7.5 dist build
- 794bc76 build: cleanup dist before deploy
- dfe2196 chore: update version string
- f56b26e docs: remove some more ZURB
- 33e3c57 chore: update caniuse
- 140132e docs: remove bower from install tips
- 7c5c44f docs: fixed homepage
- e6ed962 fix: updated sass map syntax
- b646833 docs: remove foundation-cli from docs

Maintainer changes
This version was pushed to npm by joeworkman, a new releaser for foundation-sites since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)