bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file

resolve-url-loader installs an outdated version of postcss #136

Closed stof closed 4 years ago

stof commented 4 years ago

Due to using an exact version for the dependencies, an old version is installed (which means that 2 different versions of postcss end up in the project). The constraint should either be updated regularly or use a caret constraint.

bholloway commented 4 years ago

@stof published 3.1.1, please let me know if this is sufficient.

stof commented 4 years ago

Well, this will be sufficient for now. But given you still use exact versions in your dependencies, this assumes that you redo the same work on a regular basis.

bholloway commented 4 years ago

I take it that your issue was prompted by a security advisory on a transitive dependency of postcss? I think de-duplicating your lock file is a Sisyphean task.

Unfortunately this project has a sensitive dependency on source-maps. I have found that patch version bumps can break the project. I would prefer to keep the process a controlled one, even if it means updates are not immediate.

I'm currently working on consolidating the automated e2e tests. Hopefully that will make it quicker/easier to bump dependencies.
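
The situation raised in this thread, an exact-version dependency leaving two copies of postcss installed, can be checked from a lockfile. The following is an added example, not code from the thread or from resolve-url-loader: it assumes the `packages` map of an npm lockfileVersion 2/3 file, and the dependent names `exact-pin-loader` and `caret-loader`, all version numbers, and the helper names are constructed for illustration.

```javascript
// Constructed sample data (not from a real project), shaped like the
// "packages" map of an npm lockfileVersion 2/3 package-lock.json.
const sampleLock = {
  packages: {
    '': { dependencies: { 'exact-pin-loader': '^1.0.0', 'caret-loader': '^1.0.0', postcss: '^7.0.21' } },
    'node_modules/postcss': { version: '7.0.21' },
    'node_modules/exact-pin-loader': { version: '1.0.0', dependencies: { postcss: '7.0.14' } },
    'node_modules/exact-pin-loader/node_modules/postcss': { version: '7.0.14' },
    'node_modules/caret-loader': { version: '1.0.0', dependencies: { postcss: '^7.0.17' } },
  },
};

// Package name from a lockfile path key: text after the last "node_modules/".
function nameOf(path) {
  const i = path.lastIndexOf('node_modules/');
  return i < 0 ? path : path.slice(i + 'node_modules/'.length);
}

// An exact pin is a bare version with no range operator, e.g. "7.0.14".
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range.trim());
}

// Report every package installed at more than one version, together with
// the dependents that declare it with an exact pin (hypothetical helper).
function findDuplicates(lock) {
  const installed = new Map(); // name -> Set of installed versions
  const pinnedBy = new Map();  // name -> [{ dependent, range }]
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== '') {
      const name = nameOf(path);
      if (!installed.has(name)) installed.set(name, new Set());
      installed.get(name).add(entry.version);
    }
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      if (!isExactPin(range)) continue;
      if (!pinnedBy.has(dep)) pinnedBy.set(dep, []);
      pinnedBy.get(dep).push({ dependent: path === '' ? '(root)' : nameOf(path), range });
    }
  }
  return [...installed]
    .filter(([, versions]) => versions.size > 1)
    .map(([name, versions]) => ({ name, versions: [...versions].sort(), exactPins: pinnedBy.get(name) || [] }));
}

console.log(JSON.stringify(findDuplicates(sampleLock), null, 2));
```

Run against a real `package-lock.json` by passing the parsed file to `findDuplicates`; each reported `exactPins` entry names a dependent whose constraint prevents npm from de-duplicating onto the newer copy.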