
Bump minimatch from 3.0.4 to 3.1.2 #180

Merged (1 commit, Nov 1, 2022)

Conversation

kachkaev (Contributor)
Closes #179

@kachkaev kachkaev changed the title Update minimatch from 3.0.4 to 3.1.2 Bump minimatch from 3.0.4 to 3.1.2 Oct 21, 2022
aloisklink
This also closes #165

Maintainers, is it possible to instead use caret ranges, e.g. ^3.1.2 instead of pinning dependencies?

That way, if there is a security vulnerability in this package (or in serve), you guys don't need to manually update this package.

kachkaev (Contributor, Author) commented Oct 25, 2022
As far as I understand, Vercel folks prefer pinning dependencies in their products. Here is Next.js, for example:
package.json#L76-L83 (caniuse-lite is an exception because it tracks recent browser releases).

This way they save their users from accidental upstream breaking changes within a semver range. Not sure this approach can be revisited easily, so I doubt we’ll be able to introduce ^ or ~ in this PR 😅
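The trade-off discussed in the two comments above (a pin never moves, so a security fix has to be bumped by hand; a caret range picks up patch and minor releases on its own, breaking changes included if upstream mislabels one) can be checked mechanically. The following is an added example, not code from vercel/serve or from anyone in this thread: a minimal re-implementation of npm's exact-pin and caret-range semantics, run against a constructed list of hypothetical published versions, showing what a `3.0.4` pin versus a `^3.0.4` range resolves to once `3.1.2` exists. The `PUBLISHED` list and the helper names are assumptions made for this example; in practice the version list comes from the registry.

```javascript
// Added example: exact pin vs caret range resolution, as npm interprets them.
// Not part of vercel/serve; the published-version list below is constructed.

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]; prerelease tags are out of scope.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm caret rule: allow changes that do not modify the left-most non-zero component.
//   ^3.1.2 => >=3.1.2 <4.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `version` satisfy `range`? Only "^x.y.z" and exact "x.y.z" are supported here,
// which are the two forms the thread is comparing.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lower = parseVersion(range.slice(1));
    const upper = caretUpperBound(lower);
    return compare(v, lower) >= 0 && compare(v, upper) < 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// Highest published version that satisfies `range`, or null if none does.
// This mirrors what an install without a lockfile would pick.
function resolve(range, published) {
  const matching = published.filter((v) => satisfies(v, range));
  if (matching.length === 0) return null;
  return matching.map(parseVersion).sort(compare).pop().join('.');
}

// Constructed, hypothetical list of published versions for the illustration.
const PUBLISHED = ['3.0.4', '3.0.5', '3.1.0', '3.1.2', '4.0.0', '5.1.0'];

// Show what each declaration style resolves to once 3.1.2 is available.
for (const range of ['3.0.4', '^3.0.4', '^3.1.2']) {
  console.log(`${range.padEnd(7)} -> ${resolve(range, PUBLISHED)}`);
}
```

With this list the pin `3.0.4` keeps resolving to `3.0.4` until someone edits package.json, while `^3.0.4` already resolves to `3.1.2` and would stop short of `4.0.0`. Whether that automatic movement is a feature or a risk is exactly the disagreement in the thread; a committed lockfile sits in between, since it freezes the resolved version regardless of the range until it is regenerated.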

imki123 commented Oct 26, 2022
I need to merge this PR.

bnussman
@vercel, can you give this PR some attention? 🥺

AndyBitz (Contributor) left a review comment
Thank you for opening the issue and providing a PR 🥇

@AndyBitz AndyBitz merged commit 1ea1a9c into vercel:master Nov 1, 2022
Linked issue this pull request may close: Vulnerability in minimatch 3.0.4