Closed avindra closed 6 years ago
I would recommend using `^` in the dependencies, so that upgrades will automatically pass through, particularly because Medium has expressed that they are not interested in maintaining this package.
@kgrubb NSP is incorrect. `phantomjs-prebuilt` still has to bump its dependencies, or change the tilde to a caret to allow semver updates automatically.
PR here for the latter: https://github.com/Medium/phantomjs/pull/746
Oh duh, my apologies. I completely overlooked the package.json upgrade required for this package.
No worries. It seems that NSP needs to take into account how dependencies are resolved using semver in node land.
@kgrubb I was wrong.
Tilde means patch upgrades are allowed:
https://docs.npmjs.com/misc/semver#tilde-ranges-123-12-1
So NSP is correct, and this particular issue, is indeed fixed.
PR is made upstream for the fix
https://github.com/maxogden/extract-zip/pull/52
`phantomjs` will also need to unlock the version number or bump it so that upgrades will pass through.
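As an added illustration of the tilde-versus-caret point in this thread (not code from the thread or from the phantomjs project), a minimal JavaScript range check that answers the question the discussion turns on: does a fix published as a patch or minor release reach an installer without the dependant editing its package.json? The version numbers are constructed, and the code handles only plain `x.y.z` ranges with `~`, `^` or an exact pin, not the full npm semver grammar.

```javascript
// Simplified semver range check for tilde (~), caret (^) and exact pins.
// Added illustration, not npm's semver library; handles only x.y.z with no
// prerelease tags, build metadata, hyphen ranges or comparator sets.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a range string.
function bounds(range) {
  const op = range[0];
  const base = parse(op === '~' || op === '^' ? range.slice(1) : range);
  const [major, minor, patch] = base;
  if (op === '~') return [base, [major, minor + 1, 0]];   // patch upgrades only
  if (op === '^') {
    if (major > 0) return [base, [major + 1, 0, 0]];      // minor and patch upgrades
    if (minor > 0) return [base, [0, minor + 1, 0]];      // 0.x.y: patch upgrades only
    return [base, [0, 0, patch + 1]];                      // 0.0.x: effectively exact
  }
  return [base, [major, minor, patch + 1]];                // exact pin
}

function satisfies(range, version) {
  const [lo, hi] = bounds(range);
  const v = parse(version);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Would a fresh install under `range` resolve to `fixedVersion`
// without any change to the dependant's package.json?
function fixReachable(range, fixedVersion) {
  return satisfies(range, fixedVersion);
}

// Constructed scenario: dependant declares ~1.5.0; a fix ships in 1.5.3 (reachable)
// or in 1.6.0 (not reachable until the range is widened to ^1.5.0 or bumped).
console.log(fixReachable('~1.5.0', '1.5.3')); // true
console.log(fixReachable('~1.5.0', '1.6.0')); // false
console.log(fixReachable('^1.5.0', '1.6.0')); // true
```

A reachable range is necessary but not sufficient: a committed lockfile (package-lock.json or npm-shrinkwrap.json) can still hold the resolved version at the older release until it is regenerated.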