launchdarkly / js-client-sdk

LaunchDarkly Client-side SDK for Browser JavaScript

chore: Upgrade dependencies to recent versions #256

Closed icco closed 2 years ago

icco commented 2 years ago

Requirements

Related issues

N/A

Describe the solution you've provided

This is using outdated dependencies. Upgrades to the latest LD common lib and regex lib.

Describe alternatives you've considered

Some underlying packages in this old version of the common lib have security vulns, so they need to be updated.

I debated upgrading your build pipeline packages, but they seemed too fragile, so gave up.


icco commented 2 years ago

Whelp, tests fail. I'm gonna leave this for someone at LD.

eli-darkly commented 2 years ago

Updating to a higher major version of js-sdk-common is not going to work; the reason it has a different major version is that it is not a backward-compatible API; the higher version is used by other LD packages that do not have the same requirements as js-client-sdk. (It's also not desirable to replace that exact version dependency with a loose one; it is pinned for a reason, because we want to ensure that all bugfix releases are correlated with a specific js-client-sdk release.)

Anyway, we do want to address any vulnerabilities that exist, and if you have information about that then please share it with us. We haven't seen whatever report you have seen. We should probably update at least escape-string-regexp on general principle, but I don't know that we would necessarily want to bump it to 5.0.0; their release notes indicate that the purpose of that release was to change the dependency mechanism.

eli-darkly commented 2 years ago

Btw, we are already working on updating rollup.