Closed wbt closed 2 years ago
This pull request doesn’t change much. "^2.6.1" means >= 2.6.1 && < 3, so version 2.6.7 is installed anyways.
The mentioned patch, https://github.com/MetaMask/web3-provider-engine/pull/404, is different because here the version number isn’t prefixed by a caret (^).
It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release. Thanks @wbt
It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release.
Good point. You're right and I was wrong.
Curious: Why does the package.json have a caret in the version number, when the one here in this repo does not? Is there another release of cross-fetch that allows updates to the dependencies?
Using a caret has its pros and cons. I feel there's no clear answer but here's a few insights: https://github.com/lquixada/cross-fetch/issues/129#issuecomment-1094466835.
Thanks for the update, @lquixada. I had missed that #132 had been merged. Sorry for the noise.
Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. https://github.com/MetaMask/web3-provider-engine/pull/404
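The distinction discussed in this thread, between a range that permits 2.6.7 and one that guarantees it, as an added example (not code from cross-fetch or from any participant). It handles only plain `x.y.z` pins and `^x.y.z` ranges, and the list of published versions is constructed sample data.

```javascript
// Added example: minimal semver logic for exact pins and caret ranges only.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: bump the left-most non-zero part.
function caretUpperBound(base) {
  const [maj, min, pat] = parse(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfies(version, spec) {
  if (!spec.startsWith("^")) return compare(version, spec) === 0; // exact pin
  const base = spec.slice(1);
  return compare(version, base) >= 0 && compare(version, caretUpperBound(base)) < 0;
}

// A spec guarantees the fix only if its lowest allowed version is >= the patched one.
// For both exact pins and caret ranges, the lowest allowed version is the base.
function guaranteesFix(spec, patched) {
  const base = spec.startsWith("^") ? spec.slice(1) : spec;
  return compare(base, patched) >= 0;
}

// Versions older than the fix that the spec would still accept.
function unpatchedCandidates(spec, published, patched) {
  return published.filter(v => satisfies(v, spec) && compare(v, patched) < 0);
}

// Constructed sample data: a hypothetical list of published versions.
const PUBLISHED = ["2.6.0", "2.6.1", "2.6.5", "2.6.7", "2.6.9", "3.0.0"];
const PATCHED = "2.6.7";
for (const spec of ["^2.6.1", "2.6.1", "^2.6.7"]) {
  console.log(spec, guaranteesFix(spec, PATCHED), unpatchedCandidates(spec, PUBLISHED, PATCHED));
}
```

A fresh install normally resolves `^2.6.1` to the newest match, but an existing lockfile can keep an older accepted version in place, which is why raising the lower bound matters.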