
Patch v5.0.x to get rid of opencollective runtime dependency #1532

Closed

pinussilvestrus opened this issue Jan 7, 2021 · 9 comments

pinussilvestrus commented Jan 7, 2021

Hi 👋🏻

I saw that the inferno package replaced opencollective with opencollective-postinstall to get rid of many dependencies (cf. #1450). Due to different reasons, we are sticking to the v5.0.x version of the inferno package in our dmn-js project, so we can't receive this update since the fix is not backported to the latest v5.0.6 in this minor range.

However, we recently got notifications that projects using our libraries receive security vulnerability warnings (cf. bpmn-io/dmn-js#609). These are caused by the fact that inferno@5.0.6 is still using the outdated opencollective dependency. Since we can't currently upgrade inferno to the latest versions, we would need a patched version of v5.0.x to solve this problem.

I created a branch that already backports the fix to v5.0.6: https://github.com/infernojs/inferno/compare/v5.0.6...pinussilvestrus:patch-5.0.x?expand=1

Would it be possible to release those changes under a new inferno@v5.0.x patch version? We would be very thankful if you could support us with that!

Havunen (Member) commented Jan 7, 2021

Yeah, I believe that can be done :)

Btw, what is the main reason for not being able to move to v7? We have fixed many issues in the latest versions.

pinussilvestrus (Author) commented

Thanks for the quick answer! Really appreciate it.

The reason we can't currently update inferno is that it would break any dmn-js extension that was built based on the current version of Inferno. dmn-js is an embeddable JS library people can use to build their own Decision Management Applications.

We don't have an easy migration path currently that would make it easier for those extensions to migrate (cf. bpmn-io/dmn-js#394).

Havunen (Member) commented Jan 8, 2021

Can't you update to v5.6.1? I don't think it makes much sense for inferno to release a patch to some very old minor version. Just by browsing through the release notes I don't see any breaking change between 5.0.6 - 5.6.1.

pinussilvestrus (Author) commented

Would this solve the opencollective problem? I see the change was introduced with v7.1.9 earliest.

Havunen (Member) commented Jan 11, 2021

I would like to release a patch to 5.6.1, to fix the latest v5 version of infernojs by changing that dependency, rather than fix some old minor version.

pinussilvestrus (Author) commented

We will check whether an update to v5.6 is possible on our side and will then get back to you. Thanks a lot for your support so far!

pinussilvestrus (Author) commented

Good news 📣 We were able to upgrade our inferno version to v5.6.1 (cf. bpmn-io/dmn-js#616). So we would be very thankful if you could create a patch version for v5 with the changes I suggested above 👍 Thanks again for your support.

Havunen (Member) commented Jan 13, 2021

Okay, v5.6.2 is available now, without the opencollective dependency: https://github.com/infernojs/inferno/releases/tag/v5.6.2
However, I highly recommend moving to the latest infernojs version :)

Havunen closed this as completed Jan 13, 2021

pinussilvestrus (Author) commented

Thanks a lot!
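A check a downstream maintainer can run to confirm that an upgrade like the one in this thread actually removed the flagged transitive dependency, added here as an example and not code from the inferno project or any participant: it walks a lockfile-v1-style `dependencies` tree and reports whether a package is present and which dependents declare it in `requires`. The two lockfile fragments are constructed, and the version numbers for the opencollective packages are placeholders, not the real ones inferno pinned.

```javascript
// Constructed lockfile fragment mirroring the "before" state from the issue:
// inferno@5.0.6 declares opencollective (placeholder version).
const SAMPLE_LOCK_BEFORE = {
  name: "dmn-js-example", // hypothetical consumer project
  dependencies: {
    inferno: {
      version: "5.0.6",
      requires: { opencollective: "^1.0.0" },
      dependencies: { opencollective: { version: "1.0.0", requires: {} } },
    },
  },
};

// Constructed "after" state: inferno@5.6.2 declares opencollective-postinstall,
// here hoisted to the top level as npm would do when nothing conflicts.
const SAMPLE_LOCK_AFTER = {
  name: "dmn-js-example",
  dependencies: {
    inferno: { version: "5.6.2", requires: { "opencollective-postinstall": "^2.0.0" } },
    "opencollective-postinstall": { version: "2.0.0", requires: {} },
  },
};

// Walk the (possibly nested) dependency tree. Returns whether `target` is
// installed anywhere and the list of dependents that declare it in `requires`,
// each written as a "parent@ver > child@ver" path so nested copies are visible.
function auditTransitiveDependency(lock, target) {
  const requiredBy = [];
  let present = false;
  function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const id = `${name}@${meta.version}`;
      if (name === target) present = true;
      if (meta.requires && Object.prototype.hasOwnProperty.call(meta.requires, target)) {
        requiredBy.push([...trail, id].join(" > "));
      }
      walk(meta.dependencies, [...trail, id]);
    }
  }
  walk(lock.dependencies, []);
  return { present, requiredBy };
}

console.log("before:", auditTransitiveDependency(SAMPLE_LOCK_BEFORE, "opencollective"));
console.log("after: ", auditTransitiveDependency(SAMPLE_LOCK_AFTER, "opencollective"));
```

On a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and expect `present: false` and an empty `requiredBy` once the upgrade has taken effect.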
