
Bump minimatch from 3.0.4 to 3.1.2 #180

Merged: 1 commit into vercel:master, Nov 1, 2022

Conversation

kachkaev
Contributor

Closes #179

@kachkaev kachkaev changed the title Update minimatch from 3.0.4 to 3.1.2 Bump minimatch from 3.0.4 to 3.1.2 Oct 21, 2022
@aloisklink

This also closes #165

Maintainers, is it possible to instead use caret ranges, e.g. ^3.1.2 instead of pinning dependencies?

That way, if there is a security vulnerability in this package (or in serve), you guys don't need to manually update this package.

@kachkaev
Contributor Author

kachkaev commented Oct 25, 2022

As far as I understand, Vercel folks prefer pinning dependencies in their products. Here is Next.js, for example:
package.json#L76-L83 (caniuse-lite is an exception because it tracks recent browser releases).

This way they save their users from accidental upstream breaking changes within a semver range. Not sure this approach can be revisited easily, so I doubt we’ll be able to introduce ^ or ~ in this PR 😅
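To make the pin-versus-range tradeoff in the comments above concrete, here is an added example (not code from serve or from any commenter; the matcher is written for this page and ignores pre-release tags) that shows which versions an exact pin, a tilde range and a caret range would admit for the versions discussed in this PR:

```javascript
// Minimal semver range matcher covering exact pins, "~" and "^" declarations.
// Written for this illustration; it is not the npm/semver implementation.

// Parse "MAJOR.MINOR.PATCH" into three integers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Translate a declaration into [lower inclusive, upper exclusive] bounds.
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  const [maj, min, pat] = parseVersion(base);
  if (op === '') return { lo: base, hi: `${maj}.${min}.${pat + 1}` }; // exact pin
  if (op === '~') return { lo: base, hi: `${maj}.${min + 1}.0` };     // patch-level
  // Caret: the left-most non-zero component must stay the same.
  if (maj > 0) return { lo: base, hi: `${maj + 1}.0.0` };
  if (min > 0) return { lo: base, hi: `0.${min + 1}.0` };
  return { lo: base, hi: `0.0.${pat + 1}` };
}

// True when `version` is admitted by `range`.
function satisfies(version, range) {
  const { lo, hi } = rangeBounds(range);
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0;
}

// Which of the candidate versions would a given declaration allow the
// package manager to install?
function admittedVersions(range, candidates) {
  return candidates.filter((v) => satisfies(v, range));
}

// Constructed candidate list around the versions discussed in this PR.
const CANDIDATES = ['3.0.4', '3.1.2', '3.1.3', '3.2.0', '4.0.0'];

console.log('pinned 3.0.4 ->', admittedVersions('3.0.4', CANDIDATES));
console.log('caret ^3.0.4 ->', admittedVersions('^3.0.4', CANDIDATES));
console.log('tilde ~3.1.2 ->', admittedVersions('~3.1.2', CANDIDATES));
```

With the pin, only 3.0.4 is ever installed, so the fixed 3.1.2 needs a manual bump like this PR; with `^3.0.4` the fix would be picked up on the next install, at the cost of also admitting 3.2.0 and any other minor release.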

@imki123

imki123 commented Oct 26, 2022

I need to merge this PR.

@bnussman

@vercel, can you give this PR some attention? 🥺

Contributor

@AndyBitz AndyBitz left a comment


Thank you for opening the issue and providing a PR 🥇

@AndyBitz AndyBitz merged commit 1ea1a9c into vercel:master Nov 1, 2022
Development

Successfully merging this pull request may close these issues.

Vulnerability in minimatch 3.0.4
5 participants