React9k / react-timeline-9000

React Timeline
http://react-timeline-9000.s3-website-ap-southeast-2.amazonaws.com/
MIT License

Should we just remove the yarn.lock file? #191

Closed bendog closed 4 years ago

bendog commented 4 years ago

Since this is a package, should we just remove the yarn.lock file? In python world this wouldn't be included in a package codebase, and it only seems to get dependabot upset.

lilfolr commented 4 years ago

No. yarn.lock ensures the developers who work on this package are running the exact same dependencies. You running different minor versions to me is a recipe for disaster imo (especially in JS). Dependabot is complaining because we're using old, vulnerable libraries - the fix is updating, not ignoring 🙂

bendog commented 4 years ago

Seems legit. Should the package.json be updated with these version bumps too?

lilfolr commented 4 years ago

We probably should to keep things clean, but it's not required for the version bumps.
In general you would only upgrade package.json, and let yarn sort out yarn.lock.

I don't think dependabot changed package.json because our package.json uses the ^ which allows for upgrading minor & patch versions - e.g. See here
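As an added illustration of the caret behaviour described in the comment above (example code, not from the react-timeline-9000 project; the dependency names and versions are constructed): the block implements the npm/yarn `^` rule and classifies, for each dependency, whether a lockfile bump to a newer resolved version fits the package.json range or would force a package.json edit.

```javascript
// Added example (not from the react-timeline-9000 repo): why a dependabot
// bump can change yarn.lock without touching package.json. Implements the
// npm/yarn caret (^) rule and checks a constructed manifest against a
// constructed set of lockfile-resolved versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret rule: a ^ range permits changes that leave the leftmost non-zero
// component untouched. ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(base) {
  const [maj, min, pat] = parseVersion(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only ^ ranges handled: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// For each dependency, decide whether a lockfile bump to the resolved version
// fits the manifest range (package.json untouched) or forces a manifest edit.
function classifyBumps(manifestDeps, lockResolved) {
  const result = {};
  for (const [name, range] of Object.entries(manifestDeps)) {
    result[name] = satisfiesCaret(range, lockResolved[name])
      ? 'lockfile-only' : 'needs-package.json-change';
  }
  return result;
}

// Constructed sample data; not the project's real dependencies.
const manifest = { 'lib-a': '^1.2.0', 'lib-b': '^0.4.1', 'lib-c': '^2.1.0' };
const lock = { 'lib-a': '1.9.3', 'lib-b': '0.5.0', 'lib-c': '2.1.7' };
console.log(classifyBumps(manifest, lock));
```

The `lib-b` case shows the 0.x special case: `^0.4.1` does not admit `0.5.0`, so that bump can only land by editing package.json.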

bendog commented 4 years ago

Yes, but should we be bumping the minimum versions?

lilfolr commented 4 years ago

Yeah, nothing wrong with staying up to date