dividab / tsconfig-paths

Load node modules according to tsconfig paths, in run-time or via API.
MIT License
1.8k stars 100 forks

Update json5 to 2.2.x #198

Closed stianjensen closed 2 years ago

stianjensen commented 2 years ago

The new version bundles typescript types.

airarrazaval commented 2 years ago

json5@2.2.0 has a vulnerability inherited by one of its dependencies (minimist).

https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795

This must be updated to json5@2.2.1 which removes minimist as a dependency. Also update to minimist@1.2.6 which solves this vulnerability if required (see PR https://github.com/dividab/tsconfig-paths/pull/197)

stianjensen commented 2 years ago

Updated

jonaskello commented 2 years ago

Upgrade of json5 from 1.x to 2.x was previously attempted in #158 and then reverted in #173. I'm not sure if we can upgrade to 2.x.

stianjensen commented 2 years ago

Ah! Node 4 has been unsupported for 4 years, so I didn't realize that was still breaking. I guess whenever you're shipping a new major version, then.

jonaskello commented 2 years ago

Let's merge this now when we are doing a new major.

F3n67u commented 2 years ago

This breaking change will potentially block https://github.com/import-js/eslint-plugin-import and https://github.com/alexgorbatchev/eslint-import-resolver-typescript from upgrading to 4.0.0 as far as I know. Those packages' minimum nodejs version is v4.

stianjensen commented 2 years ago

> This breaking change will potentially block https://github.com/import-js/eslint-plugin-import and https://github.com/alexgorbatchev/eslint-import-resolver-typescript from upgrading to 4.0.0 as far as I know. Those packages' minimum nodejs version is v4.

Node 4 has been unsupported for 4(!) years now, so I really hope no one is still using that in production and is also depending on new versions of those packages still supporting it.

eslint itself doesn't support anything below 12 as of version 8, and anyone on an old eslint version can also continue using old versions of eslint-plugin-import if they have to.

F3n67u commented 2 years ago

> > This breaking change will potentially block https://github.com/import-js/eslint-plugin-import and https://github.com/alexgorbatchev/eslint-import-resolver-typescript from upgrading to 4.0.0 as far as I know. Those packages' minimum nodejs version is v4.
>
> Node 4 has been unsupported for 4(!) years now, so I really hope no one is still using that in production and is also depending on new versions of those packages still supporting it.
>
> eslint itself doesn't support anything below 12 as of version 8, and anyone on an old eslint version can also continue using old versions of eslint-plugin-import if they have to.

I agree with you. I made draft PRs to bump the tsconfig-paths version to v4 on https://github.com/import-js/eslint-plugin-import/pull/2447 and https://github.com/alexgorbatchev/eslint-import-resolver-typescript/pull/104 to collect some feedback.

ljharb commented 2 years ago

@stianjensen being unsupported is irrelevant; eslint-plugin-import supports down to eslint 2 (and associated node version) and will continue to do so.