-
-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency update #4647
Dependency update #4647
Conversation
npm audit report:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me reiterate my point from #4590 (comment):
Have you read through the changelogs of each update you are proposing carefully?
If not, this is basically just as careless as #4590
Just executing some command is not really a PR, that is just dumping work which needs fixing.
If you have a look at axios-ntlm
, they ship their breaking changes in patch releases.
Note
This took me 3.5 hours to review.
Please submit smaller PRs in smaller, thematically linked PRs in the future.
Like this, it is really not managable
@@ -82,127 +82,127 @@ | |||
"@louislam/ping": "~0.4.4-mod.1", | |||
"@louislam/sqlite3": "15.1.6", | |||
"args-parser": "~1.3.0", | |||
"axios": "~0.27.0", | |||
"axios-ntlm": "1.3.0", | |||
"axios": "~0.28.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding 0.28.0
Have you looked at if
axios/axios#4624 + axios/axios#4718 make the output different and if this is better/worse
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not looked, but better stack trace is always good
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might not look good or require additional work to look decent.
Please have a look if they are displayed properly
"axios": "~0.27.0", | ||
"axios-ntlm": "1.3.0", | ||
"axios": "~0.28.1", | ||
"axios-ntlm": "1.3.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Includes Catbuttes/axios-ntlm#15 which bumps axios to 1.X
.
This likely breaks something
=> change needs to be done in step with bumping axios once migration is possible.
"axios-ntlm": "1.3.1", | |
"axios-ntlm": "1.3.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
axios-ntlm
will use its own axios, and we will still use axios 0.X
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would be still to risky given what this libary does. There might be breaking changes which happened and might make this incompatible:
This is a helper library for NTLM Authentication using the Axios HTTP library on Node. It attaches interceptors to an axios instance to authenticate using NTLM for any resources that offer it.
"mqtt": "~4.3.7", | ||
"liquidjs": "^10.10.2", | ||
"mongodb": "~4.17.2", | ||
"mqtt": "~4.3.8", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
4.3.8
is neither documented in the changelog nor has an associated commit tag.
=> what are we migrating to here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was not the point. I was asking what 4.3.8 is.
"@babel/eslint-parser": "^7.24.1", | ||
"@babel/preset-env": "^7.24.4", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For these dependencies is somewhat hard to audit what has changed in this bump.
How did you audit this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These dependencies had MINOR update ranges, so it is automatically downloaded. See: https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept
And we already had installed 7.23.7
in package-lock.json 4 months ago by @louislam in 8d847ab:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So you are suggesting to just not search for breaking changes here?
Have you audited the changes?
"qrcode": "~1.5.0", | ||
"rollup-plugin-visualizer": "^5.6.0", | ||
"qrcode": "~1.5.3", | ||
"rollup-plugin-visualizer": "^5.12.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
5.7
adds the emitFile
(default: false
) option.
We use this plugin to generate a file.
Have you checked that the file is still being generated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you checked that the file is still being generated?
Automatically bumping this in the package-lock might have been a mistake.
Yes. Only 2 packages were updated in my PR: |
Looking through the changelog is still an important part of updating. |
Tick the checkbox if you understand [x]:
Description
Fix vulnerabilities + update already installed versions in
package.json
(ncu --target patch -u
- see commit 1c0280f andncu --target semver -u
7c07f97)Type of change
Checklist
Screenshots (if any)
Before
After