Unlock dependencies

[lukeed]

All dependencies are pinned to exact versions - including postcss

This means that anyone using postcss + postcss-url today will have 2+ copies of PostCSS active in their toolchain.

[lukeed]

Realistically, postcss should be a peerDependency anyway.

This is a common problem throughout the PostCSS plugin ecosystem.

[aredridel]

Now that postcss is a peer dependency, this throws a warning; with npm 7, it becomes a hard stop. Making the peer dependency on postcss ^8.1.2 would help immensely.

[sergcen]

fixed in 10.1.0

[lukeed]

No. This is still an issue:

postcss-url/package.json

Lines 26 to 29 in 18ecf75

	"make-dir": "3.1.0",
	"mime": "2.3.1",
	"minimatch": "3.0.4",
	"xxhashjs": "0.2.1"

[realityking]

With #156 this is now much improved as it uses the ~ operator :)

[lukeed]

Improved but not solved. You should still be trusting dependencies' ability to respect semver & only introduce breaking changes in new major versions.

The changes here collect all patch updates, but still require that you/the maintainers here manually update the minor versions (even if new the features aren't used). Otherwise, this package will still be pulling in old & outdated versions of packages during npm install when the rest of the toolchain is pulling in latest copies... and this is what the issue was about.

Closing as it's an improvement.

[realityking]

@lukeed Note I’m not the maintainer - I just made that PR to get easier access to mine’s patch releases. Ultimately it’s up to @sergcen to decide what he wants to do.

[lukeed]

Right :) "you" as in if you're willing to keep opening PRs haha