Closed stof closed 4 years ago
@stof published 3.1.1
Please let me know if this is sufficient.
Well, this will be sufficient for now. But given you still use exact versions in your dependencies, this assumes that you redo the same work on a regular basis.
I take it that your issue was prompted by a security advisory on a transitive dependency of postcss? I think de-duplicating your lock file is a Sisyphean task.
Unfortunately this project has a sensitive dependency on source-maps. I have found that patch version bumps can break the project. I would prefer to keep the process a controlled one, even if it means updates are not immediate.
I'm currently working on consolidating the automated e2e tests. Hopefully that will make it quicker/easier to bump dependencies.
Due to using an exact version for the dependencies, an old version is installed (which means that 2 different versions of postcss end up in the project). The constraint should either be updated regularly or use a caret constraint.
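To make the duplicate-version situation described in this thread visible before it reaches an advisory, here is an added example (not code from the project or from anyone in the thread) that walks a `package-lock.json` in the lockfileVersion 1 layout and lists every package resolved to more than one version. The lock file contents and version numbers are constructed for illustration, not the project's real ones.

```python
import json
from collections import defaultdict

# Constructed sample in the npm lockfileVersion 1 layout (assumption: the
# project uses that format); package versions are illustrative only.
SAMPLE_LOCK = """
{
  "name": "example-project",
  "lockfileVersion": 1,
  "dependencies": {
    "postcss": { "version": "7.0.0", "requires": { "source-map": "0.6.1" } },
    "source-map": { "version": "0.6.1" },
    "some-plugin": {
      "version": "1.2.3",
      "requires": { "postcss": "6.0.0" },
      "dependencies": {
        "postcss": { "version": "6.0.0", "requires": { "source-map": "0.5.7" } },
        "source-map": { "version": "0.5.7" }
      }
    }
  }
}
"""

def collect_versions(deps, found=None):
    """Walk nested 'dependencies' maps, recording every resolved version per package name."""
    if found is None:
        found = defaultdict(set)
    for name, meta in deps.items():
        found[name].add(meta.get("version", "?"))
        nested = meta.get("dependencies")
        if nested:
            collect_versions(nested, found)
    return found

def duplicated_packages(lock_text):
    """Return {package: sorted versions} for packages resolved to more than one version."""
    lock = json.loads(lock_text)
    found = collect_versions(lock.get("dependencies", {}))
    return {name: sorted(versions) for name, versions in found.items() if len(versions) > 1}

if __name__ == "__main__":
    # Each line names a package that an exact pin has caused to be installed twice.
    for name, versions in sorted(duplicated_packages(SAMPLE_LOCK).items()):
        print(f"{name}: {', '.join(versions)}")
```

Run against the real lock file by reading it into `duplicated_packages`; an empty result means every package resolves to a single version.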