Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change lodash to caret semver range #8032

Closed
wants to merge 2 commits into from
Closed

Change lodash to caret semver range #8032

wants to merge 2 commits into from

Conversation

karlhorky
Copy link
Contributor

@karlhorky karlhorky commented Jul 20, 2020
edited by sync-by-unito bot
Loading

User facing changelog

Change lodash to use caret semver range due to frequent security issues.

Additional details

This allows consumers to update lodash versions to address security issues without using special tools like Yarn Resolutions or npm overrides. Since lodash is a volatile package in regards to security updates, this seems like a good tradeoff to make.

This changes the Renovate configuration originally specified by @bahmutov in #2992

Renovate rangeStrategy Docs:
https://docs.renovatebot.com/configuration-options/#rangestrategy

How has the user experience changed?

  • Users can update lodash without updating cypress
  • Bots such as Dependabot can do this automatically

PR Tasks

None applicable.

┆Issue is synchronized with this Jira Features by Unito

karlhorky added 2 commits July 20, 2020 10:50
@karlhorky
Change rangeStrategy to bump
4f94bbc 
To allow for ranges on volatile packages like lodash.

Changes default specified in #2992

Renovate Docs:
https://docs.renovatebot.com/configuration-options/#rangestrategy
@karlhorky
Unpin lodash version
bfc1005 
This allows consumers to update `lodash` versions to address security issues without using special tools like Yarn Resolutions or npm overrides. Since lodash is a volatile package in regards to security updates, this seems like a good tradeoff to make.
@cypress-bot
Copy link
Contributor

cypress-bot bot commented Jul 20, 2020

Thanks for taking the time to open a PR!

@karlhorky karlhorky changed the title Patch 1 Change lodash to carat semver range Jul 20, 2020
@karlhorky karlhorky changed the title Change lodash to carat semver range Change lodash to caret semver range Jul 20, 2020
jennifer-shehane
jennifer-shehane requested changes Jul 20, 2020
View reviewed changes
Copy link
Member

@jennifer-shehane jennifer-shehane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As noted before, will have to bring this up to discuss with the team, if we want to change this strategy. #7921 (comment)

@karlhorky
Copy link
Contributor Author

karlhorky commented Jul 20, 2020
edited
Loading

Ok, I suspected this may be something going in the "strategy discussion" direction.

To provide an example for the discussion, here wp-calypso has a lodash pull request with mergeStrategy: 'bump':

Automattic/wp-calypso#43928

karlhorky added a commit to upleveled/next-js-example-may-2020 that referenced this pull request Jul 20, 2020
@karlhorky
Add resolution to address lodash security vuln
3e563cf 
cypress pins lodash version: cypress-io/cypress#8032
@jennifer-shehane
Copy link
Member

@karlhorky Our team has decided that this is a change we would like to make. The body of work is a bit larger than is covered here in this PR, since there are some stickier things with version control going on when we build the binary. So, I've created a new issue to outline the work necessary. #8046 We'll have a new PR to address the full changes, so I'll be closing this one.

Thanks for bringing this up! I think it helped get the ball rolling on things.

@karlhorky
Copy link
Contributor Author

Thanks for the update @jennifer-shehane, sounds good. Glad to help :)

@karlhorky karlhorky deleted the patch-1 branch July 21, 2020 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jennifer-shehane jennifer-shehane jennifer-shehane requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@karlhorky @jennifer-shehane