
build(package): bump package and package-lock #1636

Merged
merged 2 commits into from Jan 18, 2022

Conversation

jetersen
Contributor

hbs depends on handlebars, which had a vulnerability of critical severity.

bumped typedocs as it was not compatible with the typescript version defined in dev dependencies.

package-lock had a version reference to ansi-regex v4.0.1 which had a vulnerability of moderate severity.

@jetersen jetersen requested a review from a team as a code owner January 17, 2022 07:31
@welcome

welcome bot commented Jan 17, 2022

Thanks for opening this pull request! A contributor should be by to give feedback soon. In the meantime, please check out the contributing guidelines and explore other ways you can get involved.

@jetersen jetersen changed the title bump package and package-lock build(package): bump package and package-lock Jan 17, 2022
@jetersen
Contributor Author

tests are passing locally

@gr2m gr2m merged commit a85c7a6 into probot:master Jan 18, 2022
@welcome

welcome bot commented Jan 18, 2022

Thanks for your contribution to probot! 🎉
Congrats!

@gr2m
Contributor

gr2m commented Jan 18, 2022

Thank you Joseph :)

@jetersen
Contributor Author

jetersen commented Jan 18, 2022

Thank you @gr2m ❤️

@jetersen jetersen deleted the fix/packages branch January 18, 2022 23:04
@jetersen
Contributor Author

I guess this should have been a fix commit to get a release 😢

@github-actions

🎉 This PR is included in version 12.2.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@gr2m
Contributor

gr2m commented Jan 19, 2022

You should have been able to re-create your lock file and update dependencies to get the latest version of hbs without needing a new Probot version, but I don't mind releasing anyway in this case.

@jetersen
Contributor Author

jetersen commented Jan 19, 2022

Not according to dependabot or npm audit fix

on release drafter:

Dependabot cannot update handlebars to a non-vulnerable version
The latest possible version that can be installed is 4.7.6 because of the following conflicting dependencies:

@probot/adapter-github-actions@3.1.0 requires handlebars@4.7.6 via a transitive dependency on hbs@4.1.1
probot@12.2.0 requires handlebars@4.7.6 via hbs@4.1.1
The earliest fixed version is 4.7.7.

same for ansi-regex:

Dependabot cannot update ansi-regex to a non-vulnerable version
The latest possible version that can be installed is 4.1.0 because of the following conflicting dependencies:

@probot/adapter-github-actions@3.1.0 requires ansi-regex@^4.1.0 via a transitive dependency on strip-ansi@5.2.0
probot@12.2.0 requires ansi-regex@^4.1.0 via a transitive dependency on strip-ansi@5.2.0
lint-staged@12.1.7 requires ansi-regex@^6.0.1 via a transitive dependency on strip-ansi@7.0.1
nodemon@2.0.15 requires ansi-regex@^4.1.0 via a transitive dependency on strip-ansi@5.2.0
The earliest fixed version is 5.0.1.

@jetersen
Contributor Author

Note that probot uses a locked version for handlebars/hbs. No usage of ^.
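The resolution failure quoted above, as an added example that is not part of this thread or of probot's own code: a minimal range check (exact, caret and tilde ranges only; the `semver` package is what real tooling should use) run over the constraints Dependabot reported, showing why a pinned hbs leaves consumers unable to reach handlebars 4.7.7 without a new probot release.

```javascript
// Added example (not probot's own code): why Dependabot could not reach the
// fixed versions quoted in this thread. Exact, ^ and ~ ranges only; use `semver` in practice.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Splits "^4.1.0" into { op: '^', base: [4, 1, 0] }; op is '' for an exact pin.
function parseRange(range) {
  const op = '^~'.includes(range[0]) ? range[0] : '';
  return { op, base: parseVersion(op ? range.slice(1) : range) };
}

// Three-way comparison of [major, minor, patch] triples.
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// True if `version` is allowed by `range`.
function satisfies(range, version) {
  const { op, base } = parseRange(range);
  const v = parseVersion(version);
  if (op === '') return cmp(v, base) === 0;    // exact pin, as probot used for hbs
  if (cmp(v, base) < 0) return false;          // below the declared floor
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  if (base[0] > 0) return v[0] === base[0];    // caret: leftmost non-zero part is fixed
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return cmp(v, base) === 0;
}

// True if some version at or above `fixed` is installable under `range`.
function fixReachable(range, fixed) {
  return cmp(parseRange(range).base, parseVersion(fixed)) >= 0 || satisfies(range, fixed);
}

// Constructed from the Dependabot output above: [dependency path, range, earliest fix].
const CONSTRAINTS = [
  ['handlebars via hbs@4.1.1', '4.7.6', '4.7.7'],
  ['ansi-regex via strip-ansi@5.2.0', '^4.1.0', '5.0.1'],
  ['ansi-regex via strip-ansi@7.0.1', '^6.0.1', '5.0.1'],
];

// One line per constraint that can never pull in a fixed version, i.e. where
// only a new release of the intermediate package (hbs, strip-ansi) helps.
function blockedFixes(constraints = CONSTRAINTS) {
  return constraints
    .filter(([, range, fixed]) => !fixReachable(range, fixed))
    .map(([name, range, fixed]) => `${name}: ${range} cannot reach ${fixed}`);
}
```

`blockedFixes()` returns the two paths Dependabot flagged as unresolvable; the lint-staged path is left out because `^6.0.1` already sits above the fix.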

@gr2m
Contributor

gr2m commented Jan 19, 2022

Oh I see, thank you for the clarification.
