Update dependencies #1330
Comments
@joshbruce I actually sent a private message about this. We have a solution...GitHub tracks dependencies and shows a notification for these vulnerabilities. In this case, it looks like @UziTech already forked the unmaintained repo as we discussed. The fork can be found here: https://github.com/markedjs/html-differ

@styfle: Yeah. I was thinking of a way to be a bit more proactive about it and go beyond just security vulnerabilities. Make sure we're using the latest versions. Maybe even check if there's a replacement library that does something better. That sort of thing. Don't want to force it or create more work for us, of course.

If you just want some indicator that dependencies are out of date, we could add a badge that checks for this.

That wouldn't be a bad thing to add to the readme. I think not having any regular dependencies is one of the benefits of marked.

I created PR #1333
What pain point are you perceiving?

Security vulnerability due to devDependencies in package.json. It's on lodash, which is most likely the dependency of a dependency. While this doesn't negatively affect our users it might cause problems with automatic tracking databases that don't distinguish between dependencies (which Marked has none) and devDependencies (which Marked has a few).

Describe the solution you'd like

Some type of dependency check protocol we can perform. Maybe on a somewhat rotating basis so one of us doesn't get stuck doing it all the time. Something captured in the contributing documentation; who knows, maybe someone from the community would be willing to step up to make sure we're up to date and whatnot...just spitballing.