Open matuzalemsteles opened 2 years ago
tmpl
ws
y18n
path-parse
browserslist
lodash
@matuzalemsteles
I verified the changes in these dependencies and the only problem I see is that the "react-docgen" directory is something we add manually to the repository. Last time we updated it was here.
This seems like a manual process so I'm not sure what we want to do about these dependabot alerts. We could speak about it during our next meeting (on Thursday 12/2) to see if it still makes sense keeping this "clayui.com" directory in the repository or moving it to somewhere else - if we keep on using something like this we're likely to get dependabot alerts once in a while, so we should decide to have an official way of closing them. (We can also disable dependabot)
Hey @julien, yeah we keep it local due to a bug we had to fix locally. I don't remember why this fix wasn't sent to react-docgen hoping to get into master, but anyway I think we can disregard the dependabot alerts for react-docgen by not affecting the components or the user on clayui.com
Usually, we will try to follow the policy that was created and keep this issue open to decide what to do with the alerts that appear, ideally it would be interesting to keep dependabot on despite being quite annoying at times, but at least in our repository it seems to be rare.
About react-docgen, ideally we want to remove this for some other #4130.
@matuzalemsteles thanks for the clarification. Let's see if we get time to prioritize work on #4130. For the moment I think we can safely ignore this.
url-parse
ajv
Hey @julien I'm closing the PRs and adding the reference here so that we can track them.
@matuzalemsteles OK
@matuzalemsteles adding these
prismjs
url-parse
ansi-regex
minimist
moment
gatsby-plugin-mdx
devcert
parse-url
moment
parse-url
socket.io-parser
minimatch
decode-uri-component
decode-uri-component
bump
express
qs
gatsby-transformer-remark
json5
I should update this next week.
json5
http-cache-semantics
webpack
@sideway/formula
nunjucks
Well, apparently we've started getting PRs from dependabot, as we have a policy of not merging these PRs but looking more carefully at the dependencies and checking if it makes sense and instead of manipulating yarn.lock to update the root dependency. This issue has the same effect as the issue that was created in the project https://github.com/liferay/liferay-frontend-projects/issues/112.