-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update and widen dependencies #506
Conversation
53f8205
to
330def8
Compare
Ready for review :-) |
"jed": "^1.1.1", | ||
"moment": "2.29.1", | ||
"moment": "^2.29.2", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: put moment as Peer Dependencies and enable projects who use @nextcloud/moment
package to handle future security issues without waiting for a patch from this package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about that, too. But as far as I know, this requires npm 7 and we do not have this requirement in @nextcloud/moment
, now. Therefore, I decided to make this PR backwards compatible in order to get it released as soon as possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From NPM post @korelstar
npm versions 1, 2, and 7 will automatically install peerDependencies if they are not explicitly depended upon higher in the dependency tree. For npm versions 3 through 6, you will receive a warning that the peerDependency is not installed instead.
Of course, this will be a small breaking change but looks reasonable for me.
Lets get this in as a non-breaking change without requiring npm 7 for the peer dependencies, to get a new release out. (I'll revert #505 which I merged earlier and rather get this one in instead) |
Just released as 1.2.1, thanks for the PR @korelstar 👏 |
There are many security issues in this package's dependencies. Therefore, this PR
3.4.1
to^3.4.1
) so that Nextcloud apps are able to update dependencies on their own