-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps/security): upgrade to latest stable #4458
Conversation
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure about the netlify/mocha/deploy-preview check. Tells me:
Netlify failed caused by an opencollective issue.
OpenCollective had internal server errors for some avatar images. It seems OC fixed the issue. |
Thanks for this fast PR!!! Note: There is a breaking change inside! https://github.com/yargs/yargs-unparser/releases/tag/v2.0.0 We need the mocha fix for our https://www.npmjs.com/package/@leanup/cli#dependencies. |
It's not breaking, as mocha already dropped these node versions. |
need to run this against all browsers...sigh. |
@boneskull correct me if I'm wrong, but the failures I'm seeing don't seem to relate to the upgrades. does |
rebased to current |
This comment has been minimized.
This comment has been minimized.
Pushed another commit which reduces the audit failures to: |
this does not include |
this now has conflicts |
I think you just need to rebase to get the workerpool update |
will rebase |
@boneskull any idea if the flakiness related to the workerpool/parallel test changes? |
yeah failure is related to that, but unsure what's wrong. haven't had it fail before! could be something in the lockfile or the github actions cache... or just windows flake or windows flake on a specific node version (again, which hasn't surfaced). we need to be certain the failure is unrelated though. I can't view the diff of the lockfile on my phone, maybe you can diff the workerpool subtree with what's in |
subtree meaning in the lockfile not on disk |
I checked the lockfile. both |
- replace `rollup-plugin-node-builtins` with `rollup-plugin-node-polyfills`, as former causes audit failures and latter seems just a bit* more maintained. - regenerate lock file
rebased to |
Failure did not occur post rebase. |
I hope this is not the start of consistent flake. anyway, ty |
Description of the Change
rollup-plugin-node-builtins
withrollup-plugin-node-polyfills
, as former causes audit failures and latter seems just a bit* more maintained.Alternate Designs
Consider using
dependabot
orrenovate
to automatically open PRs for updates.Why should this be in core?
To resolve consumer deprecation messages when installing mocha:
warning mocha > yargs-unparser > [email protected]: Fixed a prototype pollution security issue in 4.1.0, please upgrade to ^4.1.1 or ^5.0.1.
To reduce the number of repo audit failures from:
found 51 vulnerabilities (5 low, 2 moderate, 44 high) in 2841 scanned packages
to:
found 3 low severity vulnerabilities in 2629 scanned packages
Benefits
Better deduping for the other packages.
Possible Drawbacks
None that I'm aware.
Applicable issues
closes #4410