
fix: 2020/03 npm update dependencies #46

Merged

Conversation

yumetodo
Contributor

@yumetodo yumetodo commented Mar 18, 2020

update too many dependencies

  • eslinter is outdated. Currently, eslint has an option to cache, so we use eslint directly.
  • apply eslint-plugin-mocha
  • esbeautifier is outdated. Prettier is a famous tool to format. Apply Prettier.
  • apply npm audit fix(1 vulnerability required manual review and could not be updated)
  • breaking change: drop support node.js < 10 in develop
  • breaking change: update write to 2.0.0 to avoid minimist's vulnerability (See Update minimist to 1.2.3 or later #47 and changelog for detail)

@diegoh

diegoh commented Mar 30, 2020

Hey @yumetodo,
Do you reckon this needs a major version bump given that it isn't backwards compatible?
Just to be on the safe side. There might be other packages that depend on flat-cache running deprecated versions of node that would break.

@yumetodo
Contributor Author

Yes.

I just now noticed that write requires node>=10.
jonschlinkert/write@e996f21
This is a breaking change.

So, a major version bump is required to follow the Semantic Versioning 2.0 spec.

@diegoh

diegoh commented Mar 30, 2020

Hey @royriojas, a gentle reminder of this PR, do you think this could be reviewed? Still needs a major bump, just putting it on your radar.

mocha > mkdirp is updated
istanbul >>> optimist > minimist is not updated
@yumetodo
Contributor Author

yumetodo commented Mar 30, 2020

BTW, you should stop using istanbul. It is no longer maintained. optimist is deprecated and not maintained.
https://github.com/substack/node-optimist/issues/152

$npm ls minimist
flat-cache@2.0.1 C:\msys64\home\yumetodo\flat-cache
+-- eslint@6.8.0
| `-- mkdirp@0.5.4
|   `-- minimist@1.2.5
+-- istanbul@0.4.5
| `-- handlebars@4.7.3
|   `-- optimist@0.6.1
|     `-- minimist@0.0.10
`-- mocha@7.1.1
  `-- mkdirp@0.5.3
    `-- minimist@1.2.5

edit: I noticed that handlebars 4.x development is still continuing. Watch handlebars-lang/handlebars.js#1666

@yumetodo
Contributor Author

yumetodo commented Mar 30, 2020

reduced vulnerability report to only 1!

$npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Low             Prototype Pollution

  Package         minimist

  Patched in      >=0.2.1 <1.0.0 || >=1.2.3

  Dependency of   istanbul [dev]

  Path            istanbul > handlebars > optimist > minimist

  More info       https://npmjs.com/advisories/1179

found 1 low severity vulnerability in 818 scanned packages
  1 vulnerability requires manual review. See the full report for details.
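The audit above flags one transitive copy of minimist that `npm audit fix` cannot reach. The script below, added here as an illustration and not part of this PR, walks an `npm ls --json`-style tree and reports every resolved copy of a package whose version falls outside the advisory's patched ranges; the tree is constructed by hand to mirror the `npm ls minimist` output in the thread, and the range parser only implements the `>=` and `<` comparators that advisory 1179's range uses.

```javascript
// Constructed dependency tree mirroring the `npm ls minimist` output above
// (same shape as `npm ls --json`: nested `dependencies`, each with `version`).
const tree = {
  name: "flat-cache", version: "2.0.1",
  dependencies: {
    eslint: { version: "6.8.0", dependencies: {
      mkdirp: { version: "0.5.4", dependencies: { minimist: { version: "1.2.5" } } } } },
    istanbul: { version: "0.4.5", dependencies: {
      handlebars: { version: "4.7.3", dependencies: {
        optimist: { version: "0.6.1", dependencies: { minimist: { version: "0.0.10" } } } } } } },
    mocha: { version: "7.1.1", dependencies: {
      mkdirp: { version: "0.5.3", dependencies: { minimist: { version: "1.2.5" } } } } },
  },
};

// Patched ranges as printed by npm audit for advisory 1179:
// ">=0.2.1 <1.0.0 || >=1.2.3". Outer array = OR, inner array = AND of comparators.
const PATCHED = [[[">=", "0.2.1"], ["<", "1.0.0"]], [[">=", "1.2.3"]]];

// Compare two plain MAJOR.MINOR.PATCH strings (no prerelease/build tags assumed).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` matches at least one OR-branch; only ">=" and "<" are supported.
function satisfies(version, ranges) {
  return ranges.some((clauses) => clauses.every(([op, bound]) => {
    const c = cmp(version, bound);
    return op === ">=" ? c >= 0 : c < 0;
  }));
}

// Depth-first walk; returns every copy of `pkg` that is NOT in a patched range,
// with the full path from the root so the offending parent can be identified.
function findVulnerable(node, pkg, ranges, path = [node.name]) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const p = path.concat(name);
    if (name === pkg && !satisfies(child.version, ranges)) {
      hits.push({ path: p.join(" > "), version: child.version });
    }
    hits.push(...findVulnerable(child, pkg, ranges, p));
  }
  return hits;
}

console.log(findVulnerable(tree, "minimist", PATCHED));
```

Run against a real project, replace `tree` with `JSON.parse` of the output of `npm ls --json --all`; the two mkdirp-resolved copies at 1.2.5 pass, and only the istanbul > handlebars > optimist path is reported.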

@SuperITMan

This seems really nice! Thanks for your work 👍
Small detail but since we are talking about breaking changes and major version for next release, maybe you could change the engines in the "package.json". See: https://docs.npmjs.com/files/package.json#engines

I suggest changing this to:

"engines": {
  "node": ">=10"
}

What do you think @yumetodo ?

Let's hope @royriojas will have the occasion to check and merge this PR and do a new release 😊

@royriojas
Contributor

hey @SuperITMan

Sorry I didn't have time these days to review these changes. I will review later today.

@yumetodo
Contributor Author

About write update:

In this project, write.sync is the only use case, and it was not changed by write's major update.

@SuperITMan

Hey @royriojas
Would you have a moment to have a look at this PR and maybe merge it + release a new version of flat-cache and flat-entry-cache? 🤞

Thanks for your time 😊

@royriojas royriojas merged commit f3235a6 into jaredwray:master Nov 8, 2020
@yumetodo yumetodo deleted the fix/202003_npm_update_dependencies branch December 2, 2020 10:51