IBM / cloudant-node-sdk

Cloudant SDK for Node.js
Apache License 2.0

Unpin `ibm-cloud-sdk-core` #1541

Closed s100 closed 1 month ago

s100 commented 1 month ago

We use @ibm-cloud/cloudant which uses ibm-cloud-sdk-core. ibm-cloud-sdk-core had this issue in it, which was affecting us. We requested a fix, and the issue has now been fixed in ibm-cloud-sdk-core@4.3.2.

However, we are unable to pick this fix up because you are still pinned to ibm-cloud-sdk-core@4.3.1:

https://github.com/IBM/cloudant-node-sdk/blob/52bce378fe578977bc9fb25bc912a10e5914e958/package.json#L40

Is there a reason for this pin? I would like to request that you unpin this, say "^4.3.1", so that this fix (and any potential future fixes) are automatically picked up and available to your own downstream consumers. Thank you. (I recommend not just upgrading to "4.3.2" specifically, because we'd just have to have this whole discussion all over again next time a new patch of ibm-cloud-sdk-core appears.)

ricellis commented 1 month ago

> Is there a reason for this pin?

We pin versions to what is tested and working.

As you can see from https://github.com/IBM/cloudant-node-sdk/pull/1539 and https://github.com/IBM/node-sdk-core/issues/276, if we didn't have that pin then anyone installing today would have been broken by the 4.3.2 version of the core.

> so that this fix (and any potential future fixes) are automatically picked up and available to your own downstream consumers

We update dependencies as soon as they are available (and working) and release new versions ~monthly with those updates.
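The pin-versus-caret trade-off discussed in the issue and in this reply, as an added example (not cloudant-node-sdk code): a deliberately minimal resolver for exact and caret specs, not the npm `semver` library, run over a constructed registry snapshot using the version numbers from this thread.

```javascript
// Added example, not code from cloudant-node-sdk: shows what npm would pick for
// an exact pin ("4.3.1") versus a caret range ("^4.3.1"). Caret rule used here:
// ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 for X > 0; 0.x and pre-release tags are
// deliberately not handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True if `version` is allowed by `spec` (exact or caret only).
function satisfies(spec, version) {
  const v = parseVersion(version);
  if (spec.startsWith('^')) {
    const base = parseVersion(spec.slice(1));
    if (base[0] === 0) throw new Error('0.x caret ranges not handled');
    return v[0] === base[0] && compare(v, base) >= 0;
  }
  return compare(v, parseVersion(spec)) === 0;
}

// npm installs the highest published version satisfying the spec, or nothing.
function resolveVersion(spec, published) {
  const ok = published.filter((p) => satisfies(spec, p));
  if (ok.length === 0) return null;
  return ok.map(parseVersion).sort(compare).pop().join('.');
}

// Constructed registry snapshots: the day 4.3.2 appeared (which the thread says
// broke installs), and after 4.3.3 shipped with the fix.
const onBrokenDay = ['4.3.0', '4.3.1', '4.3.2'];
const afterFix = ['4.3.0', '4.3.1', '4.3.2', '4.3.3'];

function demo() {
  return {
    pinnedOnBrokenDay: resolveVersion('4.3.1', onBrokenDay), // 4.3.1: unaffected
    caretOnBrokenDay: resolveVersion('^4.3.1', onBrokenDay), // 4.3.2: installs the broken core
    caretAfterFix: resolveVersion('^4.3.1', afterFix),       // 4.3.3: picks up the fix
  };
}
console.log(demo());
```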

ricellis commented 1 month ago

BTW if https://github.com/IBM/node-sdk-core/issues/174 was particularly concerning you because of the micromatch and braces CVE reports then see this comment: https://github.com/IBM/cloudant-node-sdk/issues/1523#issuecomment-2124726708

eiri commented 1 month ago

fwiw I just released https://github.com/IBM/cloudant-node-sdk/releases/tag/v0.9.2 with core 4.3.3 that should fix this.