Backport Fix carrier return parsing to v7
#1890
Conversation
|
Last time I spend half of the day backporting security fix. It is time to move to 8.x or donate enough and ask me as a project sponsor. |
|
Unfortunately, we have 80 dependencies in our lockfile that depend on I see 30 million downloads of v7 in the past week, which is almost half the total downloads, so I assume others will appreciate the backport. |
|
Maybe lack of security update will be the push for the community? Right now I need to spend more resources supporting very old plugins. |
|
I don't think it would be reasonable to backport to v6 or v5, even though they still get a few million downloads per week; however, v7 seems to be heavily used and may not be old enough to be considered very old just yet. |
|
PostCSS 7 is 3 years old. Even Node.js doesn’t suggest so long support. |
smth like old version of |
If I bump a bunch of packages, it reduces the number of v7 resolutions significantly; however, there are some dependency paths that still include v7:
|
|
Oh, CRA is a pain... Storybook can be updated, but not so easy with CRA |
|
@ai Given that Storybook and CRA still depend on v7, do we feel any different about this backport? |
|
We should spend this energy to migrate Storybook rather than backport fixes. Storybook migration will reduce maintance costs for me. Backporting fix will force me to backport fixes again and again in the future. Only big sponsor request of backport will change my mind. Open source should be fun. If it looks like job, it should be paid. |
What does this mean, exactly? I can see if my company would make a donation for this backport, but I have no idea how or how much. |
Any “Sponsorship …” badge from PostCSS’ OpenCollective. |
|
I am closing this, for now. We can reopen it later, if there's interest. |
This PR backports 58cc860, which fixes CVE-2023-44270, to v7.