Update dependencies (fix npm audit failures); fix tests; update Travis build
#169
Conversation
|
|
cjbarth
force-pushed
the
master
branch
2 times, most recently
from
0f225b4
to
ba623b3
Compare
cjbarth
changed the title
npm audit failures); fix tests; update Travis build
|
@XhmikosR I wanted to ping you specifically on this PR because of your recent involvement with this project. This PR addresses a critical security vulnerability found in this package and I'd like to get some eyes on it. If you are the wrong person, might you suggest someone who I could get to help with this matter? |
|
Well, the PR has unrelated changes in it. Also, 4.3.3 might not be the latest handlebars-lang/handlebars.js#1563 (comment) So, just revert your changes and update only the needed stuff. |
|
If you are talking about JSCS being unrelated, that is actually part of the problem. That is no longer maintained and eslint is the replacement. To get this package to clear |
|
It does occur to me that with updating semver major versions of dependencies, perhaps this package should get a semver major bump too. Please let me know your thoughts. |
|
I can't review a PR with so many unrelated changes in it. |
|
Ok, let's start this way; I'll make a different PR that just get's the build working again, so those will be a separate PR. I can't get anything to pass Travis without that working. |
|
First of all there's a procedure for things. We have https://github.com/gruntjs/grunt-contrib-internal for some common stuff. JSCS I don't care about it personally and I would just drop it until we have a proper ESLint solution in the https://github.com/gruntjs/grunt-contrib-internal repo. So, wait until gruntjs/grunt-contrib-internal#40 is solved. The handlebars update can still be applied with npm audit. |
|
Thank you for pointing me to that. I will try to incorporate that in here so we can leverage the common stuff with this grunt-contrib too. Thank you. |
|
I removed jscss in master. Please rebase and only keep the handlebars update + the test files. |
| "chalk": "^1.0.0", | ||
| "handlebars": "^4.3.1", |
There was a problem hiding this comment.
This should be 4.3.3 at the time of writing
|
I went ahead and made #171, which updates everything and drops support for Node.js < 8.x. It will be a major version bump due to this. |
This package had insecure and deprecated dependencies. This PR corrects that and fixes the test to keep working. One test (the Node module test) had to be disabled because I couldn't get it working across all versions of Node. I'm open to suggestions on that. Otherwise, perhaps we can land this and iterate on that as this package is causing
npm auditfailures for projects the depend on it.