chore: update dependencies #2484
Conversation
| @@ -24,45 +24,46 @@ | |||
| "release:publish:ci": "./scripts/release/publish.js", | |||
| "release:version": "./scripts/release/version.js" | |||
| }, | |||
| "//": "Currently can't upgrade TypeScript to v4.4.2 because it breaks Rollup: https://git.io/JuCcs", | |||
There was a problem hiding this comment.
"//" is a safe and encouraged way to add comments to package.json.
I felt this was appropriate because otherwise it may be confusing for the next person why we're stuck on TypeScript v4.3.5.
This will be fixed in TypeScript 4.4.3: rollup/plugins#983 (comment)
| "@types/he": "^1.1.1", | ||
| "@types/parse5": "^6.0.1" | ||
| }, | ||
| "//": "Currently can't upgrade estree-walker to v3 because it breaks karma tests due to ESM: https://git.io/JuCcq", |
There was a problem hiding this comment.
In order to upgrade estree-walker to v3 we would need to get rid of our CommonJS build output for @lwc/template-compiler. Rich-Harris/estree-walker#26
package.json
Outdated
| "node-fetch": "^2.6.1", | ||
| "systeminformation": "^5.3.1", | ||
| "xmlhttprequest-ssl": "^1.6.2" | ||
| "micromatch": "^4.0.4" |
There was a problem hiding this comment.
All of these resolutions were added to fix security vulnerabilities. The only one we still need is micromatch, which can be fixed when we update rollup-plugin-compat's dependencies.
There was a problem hiding this comment.
It should be fixed with: https://github.com/salesforce/es5-proxy-compat/commit/012991ede3f48fe7b651b07f0c41afe7012bfd2a.
As a side note, I don't see the point of using resolutions in this repo when it comes to NPM audit issues, except when it's a major security vulnerability (eg. eslint-scope). The resolutions property is only applied to this repository. It makes sense if we were shipping an application with tight dependency control, but in our case where we are shipping libraries.
There was a problem hiding this comment.
In this very particular case, it actually does work because es5-proxy-compat is a dev dependency that we bundle into @lwc/engine-core. but I agree; resolutions kind of rubs me the wrong way, unless it's for a really critical security vulnerability, and if it actually affects consumers.
I'll publish a new es5-proxy-compat so we can get rid of resolutions entirely.
There was a problem hiding this comment.
Updated all the deps and got rid of resolutions!
|
Nit: I think I might be the only one still following this convention but used to only add the package name in the parenthesis. I believe it was because we had just started experimenting with hand-written release notes and wanted to keep the description in such a format that we could easily go back to generated release notes. |
|
OK, I can remove |
nolanlawson
force-pushed
the
nolan/update-deps-202109
branch
from
491a03f
to
1fe95bc
Compare
nolanlawson
changed the title
nolanlawson
force-pushed
the
nolan/update-deps-202109
branch
from
1fe95bc
to
a356a6a
Compare
nolanlawson
force-pushed
the
nolan/update-deps-202109
branch
from
a356a6a
to
103c35b
Compare
nolanlawson
force-pushed
the
nolan/update-deps-202109
branch
from
103c35b
to
d301242
Compare
|
Looks like a true failure, will investigate... |
|
Found what appears to be a bug in WebDriverIO: webdriverio/webdriverio#7405 We can work around it temporarily by using |
Details
Our regularly-scheduled dependency bump.
yarn auditis now at 0 vulnerabilities. πDoes this PR introduce breaking changes?
No, it does not introduce breaking changes.