Use version ranges in dependencies? #590

Open

DullReferenceException opened this issue May 12, 2020 · 1 comment
@DullReferenceException

I notice that the dependencies for standard-version are all fixed (no ^ or ~ for example). This makes it impossible to get the version bump in conventional-changelog, which fixes a CVE.

Could the standard-version dependencies be updated to use something like ^ so that upgrades and de-duplication of transitive dependencies are possible? If you object to this approach, could we at least get a new release of standard-version with the conventional-changelog version bumped?
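As an added example (not code from standard-version or from this issue), a small Node script that checks whether a package.json dependency spec can resolve to a patched release at all. It implements only exact pins, `~` and `^` (the forms the issue is about), not the full npm semver grammar, and the dependency names and version numbers are constructed, not the project's real ones.

```javascript
// Added example: can a dependency spec reach a patched release?
// Handles exact pins, "~" and "^" only; pre-release tags are not supported.
const parse = (v) => v.split('.').map(Number);

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a spec; null means an exact pin (no range at all).
function upperBound(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  if (!op) return null;
  const base = parse(spec.slice(1));
  if (op === '~') return [base[0], base[1] + 1, 0];
  // caret: the leftmost non-zero component must not change
  if (base[0] > 0) return [base[0] + 1, 0, 0];
  if (base[1] > 0) return [0, base[1] + 1, 0];
  return [0, 0, base[2] + 1];
}

function allows(spec, candidate) {
  const base = parse(spec.replace(/^[\^~]/, ''));
  const cand = parse(candidate);
  const hi = upperBound(spec);
  if (hi === null) return cmp(cand, base) === 0; // pinned: only that exact version
  return cmp(cand, base) >= 0 && cmp(cand, hi) < 0;
}

// Audit: dependencies whose spec cannot resolve to the fixed version,
// i.e. the ones where a dependent would stay on the unpatched release.
function blockedUpgrades(deps, fixes) {
  return Object.entries(fixes)
    .filter(([name, fixed]) => name in deps && !allows(deps[name], fixed))
    .map(([name, fixed]) => ({ name, spec: deps[name], fixed }));
}

// Constructed sample package.json fragment and constructed "fixed in" versions.
const sampleDeps = { 'pinned-lib': '3.1.18', 'caret-lib': '^7.1.1', 'tilde-lib': '~3.0.0' };
const sampleFixes = { 'pinned-lib': '3.1.21', 'caret-lib': '7.3.2', 'tilde-lib': '3.2.0' };

console.log(blockedUpgrades(sampleDeps, sampleFixes));
```

Only `caret-lib` can pick up its fix without the maintainer cutting a new release; the exact pin and the tilde range both hold the dependent on the old version.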

jbottigliero pushed a commit that referenced this issue Jul 11, 2020
…uld no longer force the change.

Updates Renovate configuration to use "config:js-lib" (https://docs.renovatebot.com/presets-config/#configjs-lib), which introduces the ":pinOnlyDevDependencies" configuration.

see: #590
@jbottigliero (Member)
We've moved to allow semver ranges on a number of dependencies via #615 – we'll be working to unpin more as we phase out our support of NodeJS@8 (#612, #618).

8.0.1 was published ~6 hours ago which includes updates to conventional-changelog (#592).
