chore(deps): update lodash, mocha away from vulnerable versions #175

Merged

Stephanemw
Contributor

Why

What

  • Upgraded lodash to tree-shakeable 4.17.11
  • Updated lodash requires from lodash.xxx to lodash/xxx
  • Updated tslint to whitelist lodash submodules
  • Upgraded mocha to ^5.2.0
  • Updated npm test script to add --exit mocha option (to prevent hanging, as per docs, this was a breaking change from 3 -> 4+)
  • Updated tsconfig to add es2016 lib for Map and Set

…associated code and npm scripts, update tslint config
@johnnyreilly
Member

johnnyreilly commented Oct 25, 2018

Thanks for this! A couple of questions:

> Updated tsconfig to add es2016 lib for Map and Set

Map and Set are part of es2015 I believe. Would it make more sense to just change es2015.core to es2015 and drop es2016?

@Stephanemw
Contributor Author

> Thanks for this! A couple of questions:
>
> > Updated tsconfig to add es2016 lib for Map and Set
>
> Map and Set are part of es2015 I believe. Would it make more sense to just change es2015.core to es2015 and drop es2016?

Works for me - patch updated 😄

@johnnyreilly
Member

Awesome!

Regarding the switch to using lodash full rather than submodules... I'm curious to know whether using submodules directly is no longer possible or if it's just that you prefer this approach?

Ultimately it doesn't matter too much I suspect as fork-ts-checker-webpack-plugin should only ever be a devDependency. Nevertheless I'm curious.

@Stephanemw
Contributor Author

Stephanemw commented Oct 25, 2018

I think this is the direction the lodash maintainers have taken, in fact in v5 I understand they'll remove submodules entirely (everything will import from the root namespace) and depend on babel and webpack wizardry.

If the CVE hadn't been raised, I think most folk would have happily left things as they were - as it stands, those packages are used in so MANY places, it's quite daunting... and I'm just helping update packages I depend on, there's thousands of projects out there.

@johnnyreilly
Member

Great - works for me! Thanks for doing this!

@johnnyreilly johnnyreilly merged commit 79ce006 into TypeStrong:master Oct 25, 2018
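
An added example, not part of this pull request or the project's code: a lockfile audit for the situation discussed above, where per-method `lodash.xxx` packages are versioned separately from the root `lodash` package and so are not moved by upgrading it. It assumes a `package-lock.json` with lockfileVersion 1 (nested `dependencies`) and uses 4.17.11, the version this PR upgrades to, as the floor; `auditLodash`, `belowFloor` and the sample lockfile (including `some-tool`) are hypothetical names and constructed data.

```javascript
// Floor taken from the PR description ("Upgraded lodash to ... 4.17.11").
const FLOOR = [4, 17, 11];

function parseVersion(v) {
  // Keep numeric major.minor.patch only; pre-release tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function belowFloor(version, floor = FLOOR) {
  const v = parseVersion(version);
  if (!v) return true; // git URL, tarball, missing: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] < floor[i];
  }
  return false;
}

// Walk the nested dependency tree and report two kinds of finding:
// "old-lodash" (root package below the floor, possibly a transitive copy)
// and "per-method" (lodash.xxx packages a root upgrade does not touch).
function auditLodash(lock) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === "lodash" && belowFloor(info.version)) {
        findings.push({ kind: "old-lodash", path: here.join(" > "), version: info.version });
      } else if (name.startsWith("lodash.")) {
        findings.push({ kind: "per-method", path: here.join(" > "), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile (not from the repository).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.11" },
    "lodash.merge": { version: "4.6.1" },
    "some-tool": { version: "1.0.0", dependencies: { lodash: { version: "4.17.4" } } },
  },
};

console.log(auditLodash(sampleLock));
```

The nested `some-tool > lodash` finding shows why the check walks the whole tree: a transitive copy can stay old after the top-level dependency is upgraded.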