lquixada / cross-fetch

Universal WHATWG Fetch API for Node, Browsers and React Native.
MIT License
1.67k stars, 104 forks

Update away from vulnerable version of node-fetch #135

Closed wbt closed 2 years ago

wbt commented 2 years ago

Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. https://github.com/MetaMask/web3-provider-engine/pull/404

janaagaard75 commented 2 years ago

This pull request doesn’t change much. "^2.6.1" means >= 2.6.1 && < 3, so version 2.6.7 is installed anyways.

The mentioned patch, https://github.com/MetaMask/web3-provider-engine/pull/404, is different because here the version number isn’t prefixed by a caret (^).
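To make the range semantics in this thread concrete, here is an added example (not code from cross-fetch or from either commenter) that evaluates npm caret ranges without the `semver` package. The list of published versions is constructed, and `^2.6.7` is assumed to be the range the PR moves to, based on the "2.6.7 as the minimum" remark below.

```javascript
// Added example: caret-range evaluation as described in the comments above.
// Helper names are this example's own; the version list is constructed.

// Parse "MAJOR.MINOR.PATCH" into an array of numbers (pre-release tags ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A caret range "^X.Y.Z" allows changes that keep the left-most non-zero
// component fixed: ^2.6.1 is >=2.6.1 <3.0.0, ^0.6.1 is >=0.6.1 <0.7.0,
// ^0.0.3 is >=0.0.3 <0.0.4. A bare "X.Y.Z" matches exactly one version.
function rangeBounds(range) {
  const caret = range.startsWith('^');
  const lower = parseVersion(caret ? range.slice(1) : range);
  if (!caret) return { lower, upper: [lower[0], lower[1], lower[2] + 1] };
  if (lower[0] > 0) return { lower, upper: [lower[0] + 1, 0, 0] };
  if (lower[1] > 0) return { lower, upper: [0, lower[1] + 1, 0] };
  return { lower, upper: [0, 0, lower[2] + 1] };
}

// True when `version` satisfies `range` (lower bound inclusive, upper exclusive).
function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Given a range and the versions that exist on the registry, return the ones
// a fresh install (or a stale lockfile) could still resolve to.
function allowedVersions(range, published) {
  return published.filter((v) => satisfies(v, range));
}

// Constructed subset of node-fetch 2.x releases, for illustration only.
const published = ['2.6.0', '2.6.1', '2.6.2', '2.6.6', '2.6.7', '3.0.0'];
console.log(allowedVersions('^2.6.1', published)); // still admits 2.6.1 to 2.6.6
console.log(allowedVersions('^2.6.7', published)); // admits only 2.6.7 from this list
```

The point for a defender: `^2.6.1` resolves to 2.6.7 on a fresh install, but it also keeps 2.6.1 through 2.6.6 legal, so a lockfile pinned there is never forced forward; raising the floor to `^2.6.7` is what rules the patched-out versions out.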

lquixada commented 2 years ago

It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release. Thanks @wbt

janaagaard75 commented 2 years ago

> It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release.

Good point. You're right and I was wrong.

janaagaard75 commented 2 years ago

Curious: Why does the package.json have a caret in the version number, when the one here in this repo does not? Is there another release of cross-fetch that allows updates to the dependencies?

lquixada commented 2 years ago

Using a caret has its pros and cons. I feel there's no clear answer, but here are a few insights: https://github.com/lquixada/cross-fetch/issues/129#issuecomment-1094466835.

janaagaard75 commented 2 years ago

Thanks for the update, @lquixada. I had missed that #132 had been merged. Sorry for the noise.