conventional-changelog / standard-version

:trophy: Automate versioning and CHANGELOG generation, with semver.org and conventionalcommits.org
ISC License

Use version ranges in dependencies? #590

Open DullReferenceException opened 4 years ago

DullReferenceException commented 4 years ago

I notice that the dependencies for standard-version are all fixed (no ^ or ~ for example). This makes it impossible to get the version bump in conventional-changelog, which fixes a CVE.

Could the standard-version dependencies be updated to use something like ^ so that upgrades and de-duplication of transitive dependencies are possible? If you object to this approach, could we at least get a new release of standard-version with the conventional-changelog version bumped?
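The point raised above (an exact pin blocks a patched release of a dependency from being installed, while a caret range admits it) as an added example that is not code from the standard-version project; the manifest and the version numbers in it are constructed, and only exact pins and `^` ranges are handled.

```javascript
// Added example (not from standard-version): audit a package.json for exactly
// pinned dependency specifiers, and check whether a given patched version of a
// dependency would be accepted under the declared range.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Does `candidate` satisfy `spec`? Mirrors npm semantics for "x.y.z" (exact)
// and "^x.y.z" (caret). Returns null for range syntax this helper does not handle.
function satisfies(spec, candidate) {
  const caret = spec.startsWith('^');
  const base = parseVersion(caret ? spec.slice(1) : spec);
  const c = parseVersion(candidate);
  if (!base || !c) return null;
  if (!caret) return base.every((n, i) => n === c[i]);
  // ^ allows changes that do not modify the left-most non-zero component:
  // ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
  const pivot = base.findIndex((n) => n !== 0);
  const fixedUpTo = pivot === -1 ? 2 : pivot;
  for (let i = 0; i <= fixedUpTo; i++) if (c[i] !== base[i]) return false;
  // the remaining components must be >= base, compared left to right
  for (let i = fixedUpTo + 1; i < 3; i++) {
    if (c[i] > base[i]) return true;
    if (c[i] < base[i]) return false;
  }
  return true;
}

// Report every dependency declared as an exact "x.y.z" pin, since such a pin
// can never pick up a patched release without a new release of the package itself.
function auditPins(manifest) {
  return Object.entries(manifest.dependencies || {})
    .filter(([, spec]) => parseVersion(spec) !== null)
    .map(([name, spec]) => ({ name, spec, reason: 'exact pin' }));
}

// Constructed sample manifest (version numbers are placeholders, not real ones).
const sampleManifest = {
  dependencies: { 'conventional-changelog': '1.2.3', yargs: '^15.0.0' },
};

console.log(auditPins(sampleManifest));                   // flags conventional-changelog
console.log(satisfies('1.2.3', '1.2.4'), satisfies('^1.2.3', '1.2.4')); // false true
```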

jbottigliero commented 4 years ago

We've moved to allow semver ranges on a number of dependencies via #615 – we'll be working to unpin more as we phase out our support of NodeJS@8 (#612, #618).

8.0.1 was published ~6 hours ago which includes updates to conventional-changelog (#592).