deps: update old transitive deps #11811

Merged
merged 3 commits into from
Dec 14, 2020

Conversation

brendankenny
Contributor

@brendankenny brendankenny commented Dec 10, 2020

Try to silence any automated security complaints before the new release. Also I like deleting unneeded dependencies.

All of these were transitive deps.

  • json-ld's dep of a dep is technically a dependency, not a devDependency, but it looks like maybe CLI only? w/e

  • isomorphic-fetch's node-fetch needed to be updated, but since in node isomorphic-fetch literally just calls node-fetch (adding a default https we don't need anywhere), and we don't need the "isomorphic" part (since we would be running in Chrome which has fetch), easy to cut out the middle library and use node-fetch directly. (edit: also isomorphic-fetch had a 3.0.0 release but there's no release info and tracking down what changed seemed like too much work :)

  • the deps in legacy-javascript/yarn.lock are a complete stretch as a problem, but given that automated tools are picking them up, and the version bumps are super tiny, it seemed worth it for now

@brendankenny brendankenny requested a review from a team as a code owner December 10, 2020 23:24
@brendankenny brendankenny requested review from connorjclark and removed request for a team December 10, 2020 23:24
@google-cla google-cla bot added the cla: yes label Dec 10, 2020
@patrickhulce
Collaborator

the deps in legacy-javascript/yarn.lock are a complete stretch as a problem, but given that automated tools are picking them up, and the version bumps are super tiny, it seemed worth it for now

Should we just exclude these from our npm bundle?

@brendankenny
Contributor Author

the deps in legacy-javascript/yarn.lock are a complete stretch as a problem, but given that automated tools are picking them up, and the version bumps are super tiny, it seemed worth it for now

Should we just exclude these from our npm bundle?

I guess they are excluded...at least they won't be in a pristine checkout. "automated tools are picking them up" may actually just be automated tool singular. Dependabot checking yarn.lock files in repos :)

@paulirish
Member

just curious.. how do you determine/make changes like 3589b87 and 488bea1 ?

@brendankenny
Contributor Author

just curious.. how do you determine/make changes like 3589b87 and 488bea1 ?

A mixture of `yarn why dep` and manually traversing the yarn.lock tree for the dependency with a vulnerability, deleting blocks, and seeing what yarn will regenerate.

Which sounds terrible and probably is but you get pretty fast at it, I guess :)
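One offline way to do the manual yarn.lock traversal described above, as an added example that is not part of this PR or of the Lighthouse code base: a small reader for the v1 yarn.lock format plus a `yarn why`-style reverse walk that lists every chain of packages pulling a given transitive dependency in, per resolved version. The lockfile fragment is constructed for the example (`some-lib` is a made-up package; the `node-fetch`/`isomorphic-fetch` blocks mirror the situation in the PR).

```python
SAMPLE_LOCK = """\
# constructed sample (not Lighthouse's yarn.lock); resolved/integrity lines omitted
isomorphic-fetch@^2.2.1:
  version "2.2.1"
  dependencies:
    node-fetch "^1.0.1"
node-fetch@^1.0.1:
  version "1.7.3"
node-fetch@^2.6.0, node-fetch@^2.6.1:
  version "2.6.1"
"some-lib@>=1.0.0":
  version "1.2.0"
  dependencies:
    node-fetch "^2.6.0"
"""

def parse_yarn_lock(text):
    """Map every 'name@range' key of a v1 lockfile to its block {name, version, deps}."""
    entries, cur = {}, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if not line or line.startswith("#"): continue
        if indent == 0:  # block header; one block may serve several ranges
            keys = [k.strip().strip('"') for k in line.rstrip(":").split(",")]
            cur = {"name": keys[0].rsplit("@", 1)[0], "version": "", "deps": {}}
            entries.update((k, cur) for k in keys)
        elif indent == 2 and line.startswith("version "):
            cur["version"] = line.split(" ", 1)[1].strip('"')
        elif indent == 4:  # only dependencies:/optionalDependencies: nest this deep
            dep, rng = line.split(" ", 1)
            cur["deps"][dep.strip('"')] = rng.strip('"')
    return entries

def why(entries, target):
    """All chains root -> ... -> target as 'name@version', like `yarn why`."""
    tag = lambda e: f"{e['name']}@{e['version']}"
    blocks = {id(e): e for e in entries.values()}.values()  # one block per key set
    parents = {}  # child tag -> list of parent tags
    for e in blocks:
        for dep, rng in e["deps"].items():
            if f"{dep}@{rng}" in entries:  # a missing key means a stale lockfile
                parents.setdefault(tag(entries[f"{dep}@{rng}"]), []).append(tag(e))
    chains, stack = [], [[tag(e)] for e in blocks if e["name"] == target]
    while stack:
        path = stack.pop()
        ups = [p for p in parents.get(path[0], []) if p not in path]  # cycle guard
        if not ups:
            chains.append(path)
        stack.extend([p] + path for p in ups)
    return sorted(chains)
```

A chain whose root is the package itself means nothing in the lockfile depends on it, so it must be a direct dependency of the project (or a leftover block that a fresh `yarn` run would drop).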

5 participants