fix: better handling of whitespace #564
Conversation
lukekarrys
force-pushed
the
lk/whitespace
branch
3 times, most recently
from
0dcb021
to
fc08341
Compare
lukekarrys
force-pushed
the
lk/whitespace
branch
from
fc08341
to
b6db78d
Compare
|
Snyk reported that this PR fixed a vulnerability in semver 7.5.1: https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795 According to Snyk, it looks like semver 5.7.1 has the same issue. It seems a lot of packages still depend on semver 5.x. Is there any chance of applying this fix in a 5.7.2 release as well? (I looked but I didn't see a 5.x branch in this repo) |
|
@lukekarrys @wraithgar |
|
At this time, seeing as how v5/6 is a single 1400+ line file with outdated testing deps and no working CI we do not have plans to backport this. |
|
@wraithgar, while I totally side with you on this, it's much more difficult to bulk upgrade semver to v7 across deep dependency trees of even medium side projects. We have 10+ usages of it just in microsoft/vscode. This is a compliment: semver is very popular and its usage is widespread. We thank you for this library! ❤️ That being said, we like to put our commits where our mouth is. I've backported the fix to v5: https://github.com/npm/node-semver/compare/v5.7.1...joaomoreno:joao/backport-564-to-v5?expand=1. I've also fixed the test suites and added the relevant test cases, all green: https://asciinema.org/a/593286. I hope you can consider this for releasing an eventual 5.7.2 version, given your review. If successful, I would gladly backport the same fix to v6. I can't quite create a PR, since there's no v5 branch to upstream against. If you'd like to roll this forward, let's create a v5 branch and we'll create a PR from my ref. |
|
That would be amazing; semver v7's dropping of node versions means i'm stuck on v6 for basically ever on dozens of packages. |
|
The babel team has also stated that they'd fork v6 to fix the issue. babel/babel#15720 (comment) |
No description provided.