Closed naugtur closed 2 years ago
@lirantal Before I merge this, can you confirm it's ok to stop supporting node.js version 8? I think it's been dead long enough, but maybe there's reasons?
A few observations here:
debug
only with lockfile-lint-api
?1. Are we replacing `debug` only with `lockfile-lint-api` ?
Yes, the CLI has a lot of other dependencies and for now I'm focusing on narrowing down lockfile-lint-api to a minimal scope of outside requirements to make it super easy to tightly secure with lavamoat policy or even run in a compartment with lockdown.
2. There are uses of debug [here](https://github.com/lirantal/lockfile-lint/blob/7aa0b3d635292718331e6d08f39a89265e6b5109/packages/lockfile-lint/src/validators/index.js#L21-L24) and [packages/lockfile-lint/src/main.js](https://github.com/lirantal/lockfile-lint/blob/7aa0b3d635292718331e6d08f39a89265e6b5109/packages/lockfile-lint/src/main.js) too
Yes, just api for now. Debug is a good thing and the package that uses TTY anyway does not need to be rid of it. I might pursue removing dependencies and builtin use from the CLI later, but that's outside the scope I was ready to tackle now.
3. We should publish a new major version for any breaking changes like dropping 8.x (which I'm ok to do, just want to make sure we're not breaking any dependents)
Yes, it'd be the second breaking change I merge, so the major version is definitely going up.
I just wanted to make sure there's not a known usecase for node 8.x support.
All sounds good to me :-)
Just getting rid of a dependency that, while barely used, pulls in a bunch of requirements. Here's an overview:
This is also contributing to the progress on #123 by getting rid of tty and process requirements
BREAKING:
bumped engine to v10 to remove all
const {URL} = require('url')
I saw semantic-release is used, so this may need to be split into two conventional commits