Update vendored dependencies #14373
@@ -12,7 +12,6 @@ crystal: ">= 1.0" | |||
dependencies: | |||
markd: | |||
github: icyleaf/markd | |||
commit: 5e5a75d13bfdc615f04cc7ab166ee279b3b996d3 |
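Review bot: the `markd` entry loses its only constraint if the line this hunk drops is the `commit:` pin (the header shows 7 lines shrinking to 6), leaving `github: icyleaf/markd` with neither a commit nor a version in this file. If following the latest release is intended, a short comment on the entry saying so would keep a later reader from treating the missing pin as an oversight; otherwise add a `version:` restriction or keep the `commit:` line, as the other dependencies do.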
I'd suggest using commit pinning for security, like for the other dependencies.
The code is checked into the repository, and the commit pinned in `shard.lock`.
A version restriction here is just relevant when you run `shards update`. And at this point there is no technical reason to restrict that. The latest release will do.
New releases can include breaking changes, so keeping it unrestricted might break the builds after running `shards update`. Since the code is checked into the repo, that's not a big issue, just noting.
Yes, but if you don't try, you could never know. If we realize a compatibility issue, we can add an appropriate restriction.
Update the vendored-in dependencies to the latest releases:
`reply` is still missing a release with the latest changes, so we keep the reference to the latest commit in master.

Follow-up to #14365