update and widen dependencies #506
Conversation
korelstar
force-pushed
the
dependencies
branch
2 times, most recently
from
53f8205
to
330def8
Compare
|
Ready for review :-) |
| "jed": "^1.1.1", | ||
| "moment": "2.29.1", | ||
| "moment": "^2.29.2", |
There was a problem hiding this comment.
Suggestion: put moment as Peer Dependencies and enable projects who use @nextcloud/moment package to handle future security issues without waiting for a patch from this package.
There was a problem hiding this comment.
I thought about that, too. But as far as I know, this requires npm 7 and we do not have this requirement in @nextcloud/moment, now. Therefore, I decided to make this PR backwards compatible in order to get it released as soon as possible.
There was a problem hiding this comment.
From NPM post @korelstar
npm versions 1, 2, and 7 will automatically install peerDependencies if they are not explicitly depended upon higher in the dependency tree. For npm versions 3 through 6, you will receive a warning that the peerDependency is not installed instead.
Of course, this will be a small breaking change but looks reasonable for me.
|
Lets get this in as a non-breaking change without requiring npm 7 for the peer dependencies, to get a new release out. (I'll revert #505 which I merged earlier and rather get this one in instead) |
|
Just released as 1.2.1, thanks for the PR @korelstar 👏 |
There are many security issues in this package's dependencies. Therefore, this PR
3.4.1to^3.4.1) so that Nextcloud apps are able to update dependencies on their own