Partial fix for issue #394 vulnerabilities in dependencies reported by npm audit #396
Closed
BePo65 wants to merge 13 commits into bahmutov:master from
Running 'pretty' results in some minor formatting changes (space after function keyword is missing); running 'standard' will fix this. See also discussion in issue standard/standard#1949.
semantic-release v20 is an esm-only package; requires node >=v18. semantic-release >=v21 would require node>=20. Updated github ci workflow to run tests on node v18, 20, 22.
Replaces backtick with tick where applicable
Chai is only v4, as v5 is esm only. sinon-chai is v3, as v4 requires chai v4.
All versions >=6 are esm only
Owner
Hello, thanks for the PR, could you update it against the master branch
Collaborator
I now have Collaborator access to this repo and I would like to address the outdated dependencies at some stage, probably taking each dependency separately for better transparency and review. The first priority though is to get Windows support back on track, removing the dependency on WMIC.
Collaborator
Since this PR is now more than 1 year old and now has many conflicts, I'm closing it.
To remove the long list of vulnerabilities you get when updating packages in start-server-and-test I tried to update all used (dev-) Dependencies to the latest version. Some packages cannot be updated, because that would require to switch to esm-only format or requires a node version higher than V18 (which is the latest supported version and in maintenance mode by now).
Updating the packages reduces the list of vulnerabilities from
to
Not so bad, but far from perfect. It shows that some of the used packages have not been maintained for some years now.
Things I stumbled over during the updates:
Is it worth merging this pr? To be true, I am not completely convinced.