dependabot[bot]
commented
1 year ago Sorry, only users with push access can use that command.
Closed dependabot[bot] closed 1 year ago
dependabot[bot]
commented
1 year ago Sorry, only users with push access can use that command.
anton-x-t
commented
1 year ago @shakyShane Thank you for your earlier work with this repository Shane!! Can you please approve this pull request? :)
thejamescollins
commented
1 year ago This PR should fix #2009
anton-x-t
commented
1 year ago Thank you guys for earlier work. Can someone of you approve this PR? :) @emgeee @PaulKinlan @brutaldev @shakyShane
PauloKoglin
commented
1 year ago Please, can somebody with write access approve this PR? :)
anton-x-t
commented
1 year ago @shakyShane Can you please approve this pull request? You seem to be the only one with write access.
shakyShane
commented
1 year ago on it
lachieh
commented
1 year ago @anton-x-t it is super unprofessional and incredibly disrespectful to spam everyone who has ever contributed to the project. Especially since only the project maintainers can actually merge the change. You've effectively blasted ~100 people for absolutely no reason.
Second to that, this vulnerability only affects projects that are actually hosted, and browser-sync is a development tool. NPM's audit tools are designed for hosted, publicly accessible node projects and no one should be using browser-sync in that way.
anton-x-t
commented
1 year ago @shakyShane Thank you very much for approving and merging! Appreciate it!! And I think many developers will appreciate this without knowing. Thanks a bunch!!
shakyShane
commented
1 year ago Yeah dependabot can cause these types of issues - I'm pretty sure 99% of the 'security vulnerabilities' that I've fixed are not actually vulnerabilities for any Browsersync uses (as @lachieh alludes to above)
Regardless, I am the sole maintainer with write access and this project is used widely, so I should be on top of these things.
In the future, to prevent blasting notifications to everyone here, you can always just reach out on twitter instead 💪🏻
anton-x-t
commented
1 year ago Thank you for explaining! @shakyShane
anton-x-t
commented
1 year ago I'm sorry @lachieh
citkane
commented
1 year ago Thanks @shakyShane for your work, which is best in its class (IMHO).
@lachieh , you are correct that browser-sync is a development tool. Development tools however can, and do, carry downstream. In my case, I am launching a new Open Source product, and the first thing new users would experience is a security alert. Most people will not spend the time to evaluate the philosophy of security frameworks and understand this specific context - they will just ditch the product on the matter of failure to trust. This, for many use cases, becomes a user experience issue, and this really, really matters.
I worked around the matter by writing a NPM publish script which strips out all dev dependencies (which includes browser-sync) from package.json. It is effective, but just another extra step to maintain and break into the future.
shakyShane
commented
1 year ago Thanks @citkane - that's a valuable perspective that I will consider more going forward :)
Bumps ua-parser-js from 1.0.2 to 1.0.33.
Changelog
Sourced from ua-parser-js's changelog.
Commits
67005e3Update patch version to 1.0.33 as a mirror of 0.7.33f2d0db0Bump version 0.7.33a6140a1Remove unsafe regex in trim() functiona886604Fix #605 - Identify Macintosh as Apple deviceb814bcdMerge pull request #606 from rileyjshaw/patch-17f71024Fix documentationc239ac5Merge pull request #604 from obecerra3/master8d3c2d3Add new browser: Cobalta2b2e80Update patch version to 1.0.32 as a mirror of 0.7.32d11fc47Bump version 0.7.32Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/BrowserSync/browser-sync/network/alerts).