chore/bump d3 interpolate and scale-chromatic #2395
Conversation
These both upgrade w/o breaking changes, and both drag in the vulnerable version of d3-color when not upgraded, at least for package managers like pnpm that isolate modules w/o deduping them.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
seems we are on different versions of pnpm w/ slightly different lockfile versions, and this wanted to drag with it a number of minor updates to a number of things. Perhaps the pnpm lockfile needs to be handled differently? I have pnpm version 7.18.1, locally. Can chat with other devs in the org about upgrading, probably, if we are behind (I know they are up to 8.something.) |
|
What's the status of this? This package now causes vulnerability warnings: GHSA-36jr-mh4h-2g58 |
|
I'd also like to hear the status on this, would LOVE to have this vulnerability squashed |
|
I need help on correct node + pnpm versions for updating pnpm-lock.yaml. Otherwise it just needs approval from a maintainer. |
@plouc Any help on this would be appreciated for @ollwenjones question :) |
|
The critical "work" here was the reading of the d3 changelogs to make sure updates were safe, and udpating package.json. Anyone could check out this branch, run this, and if your pnpm version was correct, builds should pass. If you get it passing on a different PR, we can close mine in favor of yours 😄 |
|
@ollwenjones, sorry for the late reply and thank you for checking the changelogs 🙏🏻 I've created a new PR for this. |
These both upgrade w/o breaking changes, (I checked changelogs and saw only new features and bug fixes), and both drag in the vulnerable version of d3-color when not upgraded, at least for package managers like pnpm that isolate modules w/o deduping them.