Closed s100 closed 1 month ago
> Is there a reason for this pin?
We pin versions to what is tested and working.
As you can see from https://github.com/IBM/cloudant-node-sdk/pull/1539 and https://github.com/IBM/node-sdk-core/issues/276, if we didn't have that pin then anyone installing today would have been broken by the 4.3.2 version of the core.
> so that this fix (and any potential future fixes) are automatically picked up and available to your own downstream consumers
We update dependencies as soon as they are available (and working) and release new versions ~monthly with those updates.
BTW, if https://github.com/IBM/node-sdk-core/issues/174 was particularly concerning you because of the micromatch and braces CVE reports, then see this comment: https://github.com/IBM/cloudant-node-sdk/issues/1523#issuecomment-2124726708
fwiw I just released https://github.com/IBM/cloudant-node-sdk/releases/tag/v0.9.2 with core 4.3.3 that should fix this.
We use `@ibm-cloud/cloudant`, which uses `ibm-cloud-sdk-core`. `ibm-cloud-sdk-core` had this issue in it, which was affecting us. We requested a fix, and the issue has now been fixed in `ibm-cloud-sdk-core@4.3.2`. However, we are unable to pick this fix up because you are still pinned to `ibm-cloud-sdk-core@4.3.1`: https://github.com/IBM/cloudant-node-sdk/blob/52bce378fe578977bc9fb25bc912a10e5914e958/package.json#L40
Is there a reason for this pin? I would like to request that you unpin this, say `"^4.3.1"`, so that this fix (and any potential future fixes) are automatically picked up and available to your own downstream consumers. Thank you. (I recommend not just upgrading to `"4.3.2"` specifically, because we'd just have to have this whole discussion all over again next time a new patch of `ibm-cloud-sdk-core` appears.)
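The trade-off both sides of this thread describe (an exact pin never picks up a patched core, a caret range picks up every patch including a broken one) can be made concrete by resolving each spec against a set of published versions. This is an added example, not code from cloudant-node-sdk or node-sdk-core; the version list is constructed from the numbers mentioned in the thread, and only plain MAJOR.MINOR.PATCH versions with exact or caret specs are handled.

```javascript
// Parse "X.Y.Z" into [X, Y, Z]; anything else (tags, prereleases) is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Standard numeric comparison of two versions (negative, zero, positive).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True if `version` satisfies `spec`. An exact pin matches only itself.
// Caret semantics follow npm: ^X.Y.Z with X>0 allows >=X.Y.Z <(X+1).0.0;
// ^0.Y.Z with Y>0 allows >=0.Y.Z <0.(Y+1).0; ^0.0.Z allows only 0.0.Z.
function satisfies(spec, version) {
  const caret = spec.startsWith('^');
  const baseStr = caret ? spec.slice(1) : spec;
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (!caret) return compareVersions(spec, version) === 0;
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return compareVersions(version, baseStr) === 0;
}

// Highest published version the spec resolves to, or null if none match.
function resolve(spec, published) {
  const ok = published.filter((v) => satisfies(spec, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample of published core versions: 4.3.1 is the pin from the
// issue, 4.3.2 is the release the maintainer says broke installs, 4.3.3 is
// the release said to fix it, and 5.0.0 stands in for a future major bump.
const PUBLISHED = ['4.3.1', '4.3.2', '4.3.3', '5.0.0'];

// Side-by-side view of what each dependency spec would install today.
function report(specs, published = PUBLISHED) {
  return specs.map((spec) => ({ spec, resolvesTo: resolve(spec, published) }));
}

console.log(report(['4.3.1', '^4.3.1']));
```

With the sample list the pin stays on 4.3.1 while `^4.3.1` resolves to 4.3.3; drop 4.3.3 from the list and the caret range would have resolved to the broken 4.3.2, which is exactly the risk the maintainer's reply points at.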