Skip to content

deps: update old transitive deps#11811

Merged
devtools-bot merged 3 commits intomasterfrom
otherdeps
Dec 14, 2020
Merged

deps: update old transitive deps#11811
devtools-bot merged 3 commits intomasterfrom
otherdeps

Conversation

@brendankenny
Copy link
Contributor

@brendankenny brendankenny commented Dec 10, 2020
edited
Loading

Try to silent any automated security complaints before the new release. Also I like deleting unneeded dependencies.

All of these were transitive deps.

  • json-ld's dep of a dep is technically a dependency, not a devDependency, but it looks like maybe CLI only? w/e

  • isomorphic-fetch's node-fetch needed to be updated, but since in node isomorphic-fetch literally just calls node-fetch (adding a default https we don't need anywhere), and we don't need the "isomorphic" part (since we would be running in Chrome which has fetch), easy to cut out the middle library and use node-fetch directly. (edit: also isomorphic-fetch had a 3.0.0 release but there's no release info and tracking down what changed seemed like too much work :)

  • the deps in legacy-javascript/yarn.lock are a complete stretch as a problem, but given that automated tools are picking them up, and the version bumps are super tiny, it seemed worth it for now

@brendankenny brendankenny requested a review from a team as a code owner December 10, 2020 23:24
@brendankenny brendankenny requested review from connorjclark and removed request for a team December 10, 2020 23:24
@google-cla google-cla bot added the cla: yes label Dec 10, 2020
@patrickhulce
Copy link
Collaborator

patrickhulce commented Dec 11, 2020

the deps in legacy-javascript/yarn.lock are a complete stretch as a problem, but given that automated tools are picking them up, and the version bumps are super tiny, it seemed worth it for now

Should we just exclude these from our npm bundle?

@brendankenny
Copy link
Contributor Author

brendankenny commented Dec 11, 2020

the deps in legacy-javascript/yarn.lock are a complete stretch as a problem, but given that automated tools are picking them up, and the version bumps are super tiny, it seemed worth it for now

Should we just exclude these from our npm bundle?

I guess they are excluded...at least they won't be in a pristine checkout. "automated tools are picking them up" may actually just be automated tool singular. Dependabot checking yarn.lock files in repos :)

@paulirish
Copy link
Member

paulirish commented Dec 14, 2020

just curious.. how do you determine/make changes like 3589b87 and 488bea1 ?

@brendankenny
Copy link
Contributor Author

brendankenny commented Dec 14, 2020

just curious.. how do you determine/make changes like 3589b87 and 488bea1 ?

A mixture of yarn why dep and manually traversing the yarn.lock tree for the dependency with a vulnerability, deleting blocks, and seeing what yarn will regenerate.

Which sounds terrible and probably is but you get pretty fast at it, I guess :)

@devtools-bot devtools-bot merged commit a589db5 into master Dec 14, 2020
@devtools-bot devtools-bot deleted the otherdeps branch December 14, 2020 18:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@connorjclark connorjclark Awaiting requested review from connorjclark

1 more reviewer

@patrickhulce patrickhulce patrickhulce approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@connorjclark connorjclark

Labels

cla: yes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@brendankenny @patrickhulce @paulirish @connorjclark @devtools-bot