assetgraph / assetgraph-builder

AssetGraph-based build system for web apps and web pages.
BSD 3-Clause "New" or "Revised" License

`npm audit` complaints #628

Open papandreou opened 6 years ago

papandreou commented 6 years ago

Getting a clean sheet from npm audit is presently blocked by:

XhmikosR commented 5 years ago

@papandreou: these are fixed upstream. Can you update the packages and release a new version?

XhmikosR commented 5 years ago

BTW please don't lock down the versions. If a patch release is made, you need to release a new version yourself too, which is bad. Just use a semver operator that fits your needs.
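
As an added illustration of the point above (example code, not from the assetgraph-builder project): a small script that classifies each dependency spec in a package.json as an exact pin, a `^`/`~` range, or something else, and checks whether the newest version in a constructed registry snapshot would be picked up by that spec. Package names, versions and the registry contents are all constructed for the example; only exact, caret and tilde specs over plain x.y.z versions are handled.

```javascript
// Added example, not part of the original thread or the assetgraph projects.
// Parses a plain x.y.z version into its numeric parts; returns null otherwise.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Standard numeric ordering on the three components.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// True if `candidate` is allowed by `spec`, where spec is exact, ^x.y.z or ~x.y.z.
// Caret on a 0.x version treats the minor as the compatibility boundary, as npm does.
function satisfies(spec, candidate) {
  const op = spec.startsWith('^') ? '^' : spec.startsWith('~') ? '~' : '';
  const base = parseVersion(op ? spec.slice(1) : spec);
  const cand = parseVersion(candidate);
  if (!base || !cand) return false;
  if (compareVersions(cand, base) < 0) return false; // below the lower bound
  if (op === '') return compareVersions(cand, base) === 0;
  if (op === '~') return cand.major === base.major && cand.minor === base.minor;
  if (base.major === 0) return cand.major === 0 && cand.minor === base.minor;
  return cand.major === base.major;
}

// For each dependency, report the kind of spec and whether the newest available
// version (from a registry snapshot object: name -> [versions]) is reachable.
function auditPinning(pkg, available) {
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const report = {};
  for (const [name, spec] of Object.entries(deps)) {
    const kind = /^\d/.test(spec) ? 'exact' : /^[\^~]/.test(spec) ? 'range' : 'other';
    const versions = (available[name] || [])
      .filter((v) => parseVersion(v) !== null)
      .sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
    const latest = versions.length ? versions[versions.length - 1] : null;
    report[name] = {
      spec,
      kind,
      latest,
      latestReachable: latest !== null && satisfies(spec, latest),
    };
  }
  return report;
}

// Constructed sample input: hypothetical package names and versions.
const samplePackageJson = {
  dependencies: {
    'pinned-dep': '1.4.0',    // exact pin: a 1.4.1 patch release is never installed
    'caret-dep': '^2.3.0',    // caret: picks up 2.9.1 automatically
    'tilde-dep': '~1.2.0',    // tilde: picks up 1.2.5 but not 1.3.0
    'zero-dep': '^0.4.1',     // caret on 0.x: 0.5.0 is outside the range
  },
};
const sampleRegistry = {
  'pinned-dep': ['1.4.0', '1.4.1'],
  'caret-dep': ['2.3.0', '2.9.1'],
  'tilde-dep': ['1.2.0', '1.2.5', '1.3.0'],
  'zero-dep': ['0.4.1', '0.5.0'],
};

function runSample() {
  return auditPinning(samplePackageJson, sampleRegistry);
}

for (const [name, r] of Object.entries(runSample())) {
  console.log(`${name.padEnd(12)} ${r.spec.padEnd(8)} ${r.kind.padEnd(6)} latest=${r.latest} reachable=${r.latestReachable}`);
}
```

Running it shows which specs would leave a maintainer stuck on an old version until they cut a release themselves (the exact pin and the out-of-range cases), which is the situation the comment warns about; the lockfile and `npm audit` are then what confirm which version actually landed.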

papandreou commented 5 years ago

Thanks for the heads up! I've been through all of them now, released new versions of the wrappers I maintain, and updated assetgraph-builder to them.

There are still some dependencies on the old versions via the express-processimage dependency. I expect that to be sorted out shortly.

XhmikosR commented 5 years ago

Thanks! I think you missed a few deps from adding a semver operator like assetgraph.

Waiting for the express-processimage fixes :)

papandreou commented 5 years ago

> I think you missed a few deps from adding a semver operator like assetgraph.

Yeah, that is intentional. The two projects are intimately connected, and whenever we make radical changes to assetgraph (such as replacing the JavaScript parser in yesterday's minor release), there's often breakage in the assetgraph-builder test suite. It's stuff that doesn't matter externally (or we'd make a major version bump), but I've come to prefer to do the updates in a handheld way.

> Waiting for the express-processimage fixes :)

It seems like the project is in a bit of a bad state due to some recent changes to streams in node 10, but we'll get it sorted out.

papandreou commented 5 years ago

Sorted out the express-processimage situation now and released 6.9.1. We're down to only low and moderate ones now:

found 12 vulnerabilities (6 low, 6 moderate)