eXist-db / polymer-app-template

A template for Polymerized eXist-db applications

missing dependency tracking #3

Open duncdrum opened 6 years ago

duncdrum commented 6 years ago

I enabled JS dependency checking by Dependabot, to stay ahead of security and update warnings when running npm install:

npm WARN deprecated bower@1.8.4: We don't recommend using Bower for new projects. Please consider Yarn and Webpack or Parcel. You can read how to migrate legacy project here: https://bower.io/blog/2017/how-to-migrate-away-from-bower/
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
[…]
found 9 vulnerabilities (1 low, 4 moderate, 4 high)

Let's see how it goes; next up, Travis CI?

JoernT commented 6 years ago

@duncdrum I'm not sure that is helpful. At the very least it generates a lot of 'see, I'm very important' messages about updates and so on, which in turn force work that I would actually do twice a year at most.

Remember: the messages are all related to development dependencies and have nothing to do with the runtime of an eXist-db app. For me it's not at all a problem if these tools are not the latest and greatest. On the contrary, you sometimes have to be careful with updates that would otherwise break things. At the very least, such updates are not no-brainers: you have to test whether the chain still works.

Consider e.g. the bower message above: I know it has been kind of deprecated for quite some time. Nevertheless, thousands of projects (and web components) still rely on it, so a shift is way too early. This is the kind of over-reactive housekeeping that generates work without much improvement.
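Whether a given npm warning concerns only the dev toolchain or a package that ships at runtime is something you can check rather than assume. The script below is an added example for this thread, not code from polymer-app-template or eXist-db. It parses "npm WARN deprecated name@version" lines and looks each package up in a package-lock.json tree in lockfileVersion 1 (the npm 5/6 format of the time), where a dependency that is only reached through devDependencies carries "dev": true. The lock tree here is constructed for the example (the package "glob-legacy" is hypothetical, and graceful-fs is deliberately placed at the top level without a dev flag, which is what npm writes when a runtime dependency also needs the same copy); the warning lines are abbreviated from the ones quoted in the issue.

```javascript
// Added example, not part of the polymer-app-template project.
// Classify "npm WARN deprecated name@version" findings as dev-only or runtime
// by consulting a lockfileVersion 1 package-lock.json tree ("dev": true marks
// packages reached only via devDependencies). Sample data is constructed.

const SAMPLE_WARNINGS = `
npm WARN deprecated bower@1.8.4: We don't recommend using Bower for new projects.
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0.
found 9 vulnerabilities (1 low, 4 moderate, 4 high)
`;

// Constructed lock tree. "glob-legacy" is hypothetical; graceful-fs is hoisted
// to the top level with no "dev" flag, i.e. a runtime dependency also needs it.
const SAMPLE_LOCK = {
  name: 'polymer-app-template',
  lockfileVersion: 1,
  dependencies: {
    bower: {
      version: '1.8.4',
      dev: true,
      requires: { 'graceful-fs': '1.2.3', minimatch: '2.0.10' },
      dependencies: { minimatch: { version: '2.0.10', dev: true } },
    },
    'glob-legacy': {
      version: '0.1.0',
      dev: true,
      dependencies: { minimatch: { version: '0.2.14', dev: true } },
    },
    'graceful-fs': { version: '1.2.3' },
    minimatch: { version: '3.0.4' },
  },
};

// Parse "npm WARN deprecated <name>@<version>: ..." lines. Scoped names
// (@scope/pkg) keep their leading "@"; all other output lines are ignored.
function parseWarnings(text) {
  const re = /^npm WARN deprecated (@?[^@\s]+)@([^:\s]+):/;
  const out = [];
  for (const line of text.split('\n')) {
    const m = re.exec(line.trim());
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// Flatten the nested lock tree into every installed copy, with its path.
function walkLock(deps, prefix = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    out.push({ name, version: entry.version, dev: entry.dev === true, path: path.join('>') });
    walkLock(entry.dependencies, path, out);
  }
  return out;
}

// A finding is "dev-only" only if every installed copy of that exact version
// carries dev: true; a single copy without the flag makes it "runtime".
function triage(lock, warnings) {
  const copies = walkLock(lock.dependencies);
  return warnings.map((w) => {
    const hits = copies.filter((c) => c.name === w.name && c.version === w.version);
    let status;
    if (hits.length === 0) status = 'not-in-lock';
    else if (hits.every((h) => h.dev)) status = 'dev-only';
    else status = 'runtime';
    return { name: w.name, version: w.version, status, paths: hits.map((h) => h.path) };
  });
}

// Count findings per status so the runtime ones stand out in CI output.
function summarize(results) {
  return results.reduce((acc, r) => {
    acc[r.status] = (acc[r.status] || 0) + 1;
    return acc;
  }, {});
}

if (typeof require !== 'undefined' && require.main === module) {
  const results = triage(SAMPLE_LOCK, parseWarnings(SAMPLE_WARNINGS));
  for (const r of results) {
    console.log(`${r.name}@${r.version}: ${r.status} (${r.paths.join(', ') || 'no copy found'})`);
  }
  console.log(summarize(results));
}
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and SAMPLE_WARNINGS with the captured stderr of `npm install`; anything reported as "runtime" is what actually reaches the deployed eXist-db app and deserves the update, while "dev-only" findings can be batched on the toolchain's own schedule.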

duncdrum commented 6 years ago

@JoernT I much prefer frequent small updates that let me see if and where stuff breaks over having a biannual update bonanza. From the end user's perspective, not having a bunch of 'see, I'm very important' messages when they first run a project is kind of why I activated the bot in the first place.

You have to test if the chain still works.

Yes!

As for bower being end-of-life, eXist sure picked an odd time to jump on the wagon, but I'm not concerned about it. I switched to webpack in my own projects a while ago.

JoernT commented 6 years ago

We didn't choose to, but Polymer and thousands of components are still on bower. It's not going to vanish tomorrow just because there's a new hype. So bower is kind of inherited, and we don't make our lives easier by upgrading it now. That's going to come when we move to Polymer 3 one day.

Regarding updates: quite the contrast here. I've seen 'small' updates break the whole thing too often. The more often you update, the more often you'll have to fix it. Remember: these are for the dev tools, not for something runtime-relevant (there I would probably argue differently). Node.js is always a bit flaky regarding updates in my experience. Deep version changes occur quite easily and break your chain. So I prefer to be more conservative here.