Updates
- browser-sync
- babel-core
- gulp-nunjucks-render
- lodash
- debug
and regenerates the Yarn lockfile.

Drops 490 vulnerabilities (266 low, 207 moderate, 15 high, 2 critical) to 15 vulnerabilities (7 low, 2 moderate, 4 high, 2 critical).

Actions run:
npm install --package-lock-only
npm audit
npm install browser-sync@2.26.3
npm install babel-core@6.26.3
npm install gulp-nunjucks-render@2.2.2
npm install lodash@4.17.11
npm update lodash --depth 10
npm update debug --depth 9
rm yarn.lock
yarn import

Sticking with yarn.lock rather than switch wholesale to package-lock.json to avoid the "verbose stack TypeError: Cannot read property 'match' of undefined" npm-shrinkwrap error.
Actions run:
npm install babel-preset-env
npm uninstall babel-preset-es2015
rm yarn.lock
yarn import
Actions run: npm uninstall gulp-watch
Upgrades:
- ansi-colors
- del
- es6-promise
- fancy-log
- gulp-autoprefixer
- gulp-changed
- gulp-cssnano
- gulp-data
- gulp-htmlmin
- gulp-notify
- gulp-rename
- gulp-replace
- gulp-rev
- gulp-rev-replace
- gulp-sass
- gulp-sequence
- gulp-sizereport
- gulp-sourcemaps
- gulp-svgstore
- node-sass-glob-importer
- plugin-error
- require-dir

Actions run:
> yarn upgrade --latest
> yarn add babel-loader@"^7.1.1"
> yarn add gulp@3.9.1
> yarn add webpack@"^3.4.1"
> yarn add webpack-dev-middleware@"^1.12.0"
> yarn add webpack-hot-middleware@"^2.18.2"
> yarn add chai@"^3.5.0" -D
I am the wrong person to properly review this but I did have a question there
"babel-loader": "^7.1.1", | ||
"babel-preset-es2015": "^6.24.1", | ||
"babel-preset-env": "^1.7.0", |
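Review bot: swapping `babel-preset-es2015` for `babel-preset-env` on these lines changes the preset name that consuming projects must list, so a task-config.js that still names `es2015` under `javascripts.babel.presets` loses its preset after upgrading. Flag this as a breaking change in the release notes and version the release accordingly. Both `babel-preset-env` and `babel-loader` here are still the un-namespaced packages, so it is worth stating in the PR that the move to the `@babel/` scoped packages is deferred.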
are all the babel plugins purposely not updated to their latest versions? ie. 7.x.x
I could be wrong about this but I think all the latest stuff is in the namespaced packages like @babel/core and @babel/preset-env
Wonder if npm audit and yarn upgrade --latest didn't pick those up because of the namespace change. Thanks for calling it out
Primary aim of this PR is to clear out security warnings, secondary goal is to clear out other warnings. The first in several steps towards truly bringing things up to date. Will add Babel updates to the list of next steps
Updated the PR description to be more clear about this
sweet
👍
Introduces breaking changes: in task-config.js's javascripts.babel.presets, es2015 must be replaced with env. e.g. would become
What this PR does
npm audit
yarn upgrade --latest
What this PR doesn't do
Steps to test:
1. Dummy project
2. Existing projects
To use this update in an existing project, run
and then in task-config.js change es2015 to env as explained at the top of this post.
To revert your project to the latest version of Blendid run
To restore an older version of Blendid, run yarn add blendid@<version> or yarn add blendid@"<semver>". Or just discard the changes, delete the node_modules folder, and run yarn.
Changes
Where significant work was done that isn't clearly reflected in the diff, command history is included in the commit message.
Security-motivated updates
Warning resolution-motivated updates
General upkeep-motivated updates
Modernization-motivated updates: