chore: update dependencies #2520
Conversation
package.json
Outdated
@@ -81,6 +81,9 @@ | |||
"engines": { | |||
"node": ">=10" | |||
}, | |||
"resolutions": { | |||
"axios": "^0.21.2" |
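Review bot: the `"axios": "^0.21.2"` resolutions entry is a caret range, not a pin, so it still lets axios float within 0.21.x and overrides every consumer of axios in the tree, dev-only ones included; if the intent is only to move the dev tree off the vulnerable version, regenerating yarn.lock is the narrower change. Note also that the `@@ -81,6 +81,9 @@` header promises three added lines but only two `+` lines (and no closing brace for `resolutions`) are shown here, so the hunk as displayed is truncated.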
I see we discussed this previously (#2484 (comment)), and @pmdartus suggested we only add `resolutions` for severe security bugs. This one is marked as high-severity, so I think it applies.

That said, `yarn why axios` says that we only have axios because of the `bundlesize` plugin, which is a `devDependency`. That means that none of our consumers would see this vulnerability. So personally I would prefer to not pollute our `package.json` with `resolutions`.

Plus, it looks like we should be able to just delete `yarn.lock` and re-run `yarn` to get the newest axios version, because our version of `bundlesize` depends on `axios@^0.21.1`.
Let's remove `"resolutions"` and find another solution, e.g. delete `yarn.lock` and run `yarn`, or maybe `yarn-audit-fix` if it works.
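The two checks the reviewers are making above (is the vulnerable package reachable only through a `devDependency`, and do the dependents' declared ranges already admit the patched version, so that regenerating `yarn.lock` picks it up without a `resolutions` override) can be scripted against the lockfile. The following is an added example, not code from this PR or from the project; the `yarn.lock` fragment and `package.json` object are constructed to mirror the situation in the thread (axios locked at 0.21.1, pulled in only by bundlesize with range `^0.21.1`), and the bundlesize version, the `lodash` runtime dependency and the registry URLs are assumptions.

```javascript
// Added example (not the PR's or the project's code). Parses a yarn.lock v1
// fragment and answers: which packages depend on a given package, whether the
// package is reachable from runtime `dependencies` or only from
// `devDependencies`, and whether every dependent's declared range already
// admits a fixed version (so a lockfile refresh suffices, no `resolutions`).

// Constructed yarn.lock fragment; versions, edges and URLs are illustrative.
const LOCKFILE = `
axios@^0.21.1:
  version "0.21.1"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.1.tgz"
  dependencies:
    follow-redirects "^1.10.0"

bundlesize@^0.18.1:
  version "0.18.1"
  resolved "https://registry.yarnpkg.com/bundlesize/-/bundlesize-0.18.1.tgz"
  dependencies:
    axios "^0.21.1"
    bytes "^3.1.0"

follow-redirects@^1.10.0:
  version "1.13.0"
  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.13.0.tgz"

lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
`;

// Constructed package.json (assumed): one runtime dep, bundlesize dev-only.
const PACKAGE_JSON = {
  dependencies: { lodash: '^4.17.21' },
  devDependencies: { bundlesize: '^0.18.1' },
};

// Parse yarn.lock v1: top-level "name@range[, name@range]:" headers, an
// indented `version "x"` line, and a `dependencies:` block of `name "range"`.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      const keys = raw.replace(/:\s*$/, '').split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      const at = keys[0].lastIndexOf('@'); // lastIndexOf handles scoped @org/pkg names
      current = { name: keys[0].slice(0, at), ranges: keys.map(k => k.slice(k.lastIndexOf('@') + 1)),
                  version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (raw.startsWith('    ')) {
      const m = inDeps ? raw.trim().match(/^"?([^"\s]+)"?\s+"([^"]+)"$/) : null;
      if (m) current.dependencies[m[1]] = m[2];
    } else {
      const line = raw.trim();
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

function parseVersion(v) {
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal semver check for the forms in this lockfile: exact versions and
// caret ranges. Caret on a 0.x version only admits patch bumps
// (^0.21.1 means >=0.21.1 <0.22.0), which is exactly the case at issue.
function rangeAdmits(range, version) {
  if (/^\d/.test(range)) return compareVersions(range, version) === 0;
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const lo = parseVersion(range.slice(1));
  if (compareVersions(version, range.slice(1)) < 0) return false;
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  return compareVersions(version, hi.join('.')) < 0;
}

// Walk the lock graph from a set of root "name: range" pairs; returns names reached.
function reachableFrom(entries, roots) {
  const byKey = new Map();
  for (const e of entries) for (const r of e.ranges) byKey.set(`${e.name}@${r}`, e);
  const seen = new Set();
  const stack = Object.entries(roots).map(([n, r]) => `${n}@${r}`);
  while (stack.length) {
    const e = byKey.get(stack.pop());
    if (!e || seen.has(e.name)) continue;
    seen.add(e.name);
    for (const [n, r] of Object.entries(e.dependencies)) stack.push(`${n}@${r}`);
  }
  return seen;
}

// Is `pkg` reachable from runtime deps (consumers exposed) or only from dev deps?
function exposure(lockText, pkgJson, pkg) {
  const entries = parseYarnLock(lockText);
  return {
    runtime: reachableFrom(entries, pkgJson.dependencies || {}).has(pkg),
    dev: reachableFrom(entries, pkgJson.devDependencies || {}).has(pkg),
  };
}

// Locked version(s) of `pkg`, its dependents, and whether each dependent's
// declared range admits `fixedVersion`; if all do, a yarn.lock refresh suffices.
function assessFix(lockText, pkg, fixedVersion) {
  const entries = parseYarnLock(lockText);
  const locked = entries.filter(e => e.name === pkg).map(e => e.version);
  const dependents = entries.filter(e => pkg in e.dependencies).map(e => ({
    name: e.name, version: e.version, range: e.dependencies[pkg],
    admitsFix: rangeAdmits(e.dependencies[pkg], fixedVersion),
  }));
  return {
    locked,
    vulnerable: locked.some(v => compareVersions(v, fixedVersion) < 0),
    dependents,
    lockRefreshSufficient: dependents.every(d => d.admitsFix),
  };
}

console.log(JSON.stringify({ exposure: exposure(LOCKFILE, PACKAGE_JSON, 'axios'),
                             fix: assessFix(LOCKFILE, 'axios', '0.21.2') }, null, 2));
```

On this input the script reports axios as dev-only and reachable solely through bundlesize, and `lockRefreshSufficient: true` because `^0.21.1` admits 0.21.2, which is the conclusion the comments above reach by hand. A range such as `^0.19.0` would come back `false`, since a caret on a 0.x version does not cross the minor boundary, and in that case a lockfile refresh alone would not pick up the fix.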
@nolanlawson, reverted the resolutions. I'll address the axios issue in another PR.
Details
Update dependencies.
Updates causing changes in our codebase:
Does this PR introduce breaking changes?
No, it does not introduce breaking changes.