next-theme / utils

Utilities for NexT.
https://www.npmjs.com/package/@next-theme/utils
GNU Lesser General Public License v3.0

Do not fix the deps version #11

Closed Mister-Hope closed 3 years ago

Mister-Hope commented 3 years ago

It's almost impossible for a library like lodash to make breaking changes in minor or patch versions, so why are you guys fixing the version?

If you set the version using ^ then we can fix the security problems by upgrading the deps tree instead of waiting for you to publish new versions and bearing the security alert every day.
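To make the point about version ranges concrete, here is an added example (not code from the thread or from @next-theme/utils): a small Node script implementing npm's caret (^) range rule and an exact pin, then checking which entries of a package.json dependency block would stop a consumer from pulling a patched release through a lockfile refresh. The dependency names and version numbers in the sample are constructed for illustration.

```javascript
// Added example: does a package.json dependency spec admit a newer patched version?
// Implements npm's caret (^) semantics and exact pins without any dependencies.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm caret rule: allow changes that do not modify the left-most non-zero field.
// ^1.2.3 := >=1.2.3 <2.0.0, ^0.2.3 := >=0.2.3 <0.3.0, ^0.0.3 := only 0.0.3
function satisfies(spec, candidate) {
  const c = parseVersion(candidate);
  if (spec.startsWith('^')) {
    const base = parseVersion(spec.slice(1));
    if (compare(c, base) < 0) return false;
    if (base[0] > 0) return c[0] === base[0];
    if (base[1] > 0) return c[0] === 0 && c[1] === base[1];
    return compare(c, base) === 0;
  }
  // Exact pin: only that single version is acceptable.
  return compare(c, parseVersion(spec)) === 0;
}

// Given a dependency block and the patched versions an advisory points to,
// list the entries whose spec cannot resolve to the fix without a new release
// of the package that declares them.
function pinnedAgainstFix(dependencies, fixes) {
  return Object.entries(fixes)
    .filter(([name, fixed]) => name in dependencies && !satisfies(dependencies[name], fixed))
    .map(([name, fixed]) => ({ name, spec: dependencies[name], fixed }));
}

// Constructed sample: a pinned lodash next to a caret-ranged dependency.
const sampleDeps = { lodash: '4.17.15', semver: '^7.3.2' };
const sampleFixes = { lodash: '4.17.21', semver: '7.5.4' };
console.log(pinnedAgainstFix(sampleDeps, sampleFixes)); // only lodash is blocked
```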

stevenjoezhang commented 3 years ago

We use renovate bot to keep the dependencies up to date, and the fixed version is controlled by the bot: https://github.com/theme-next/next-util/pull/2. lodash is removed in the latest version of @next-theme/utils.

Mister-Hope commented 3 years ago

We use renovate bot to keep the dependencies up to date, and the fixed version is controlled by the bot: theme-next/next-util#2

I appreciate your answer, but your answer DOES NOT HELP AT ALL. Your answer gives me new questions:

  1. Since there is a new repo under theme-next/next-util, is this repo deprecated and should we use next-util? If so, why don't you mention it in the readme, archive this repo or mark the package deprecated on npm? Any of these three would help, but you did nothing.

     Also I see you are still maintaining this project.

lodash is removed in the latest version of @next-theme/utils.

  2. Is it? Did you check whether you published a new version or not? The latest is still v1.2.0, which was published 6 months ago, and the alert was triggered in May, and you merged this commit in https://github.com/next-theme/utils/commit/3161bf370419549420495066e2ab4c0417f43fd9, which is from May 27. And I am still not finding any newer versions.

Mister-Hope commented 3 years ago

I just had a careful look at the two orgs next-theme and theme-next.

Are they actually the same? The utils repo seems to be the same.

Why should a project be posted in different repos in different orgs, with a different package name, while not being published in sync and mentioning nothing in the readme?

PaperStrike commented 3 years ago

Try digging out the answers on your own. https://github.com/next-theme/hexo-theme-next/issues/4.

Mister-Hope commented 3 years ago

Try digging out the answers on your own. next-theme/hexo-theme-next#4.

This answer is not even in this repo. I DO NOT think I should open every repo under the 2 orgs and have a look at every issue and discussion. I searched this repo, and I think this should be fine.

And:

  1. Both repos are still having activities, so I don't think the team cannot place something in the readme
  2. Your link does help explain why there are two orgs, but it's more confusing here as the newest @next-theme/utils is not getting newer versions but the old next-utils does.

I appreciate your help and answer, but it's still not helping with this issue. The lodash security problem is still not fixed.

Both of you are answering something related and do help somewhat in explaining the issue, but not at all with fixing it.

This package is in my toolchain, which means I do not care how this issue happened; I only care about when this issue can be fixed. I opened this issue politely and provided the necessary information, but I am still being bothered 2 months later and receiving unhelpful replies. That's disappointing.

(I know this is open source, but at least we should all agree it's not good to behave like this)

Mister-Hope commented 3 years ago

I do not think this fix is hard, just call someone and publish @next-theme/utils, and it should all be fine. I really don't think this issue needs to hang for 2 months.

PaperStrike commented 3 years ago

Both repos are still having activities

theme-next/next-util isn't having activities. Moreover, @theme-next hasn't had any commits for more than 1 year.

I don't think the team cannot place something in the readme.

If "the team" means @next-theme, then we can. But I don't think there's a need to update every repo's readme, as one should know which to use by a simple look at the repos' recent commits.

it's more confusing here as the newest @next-theme/utils is not getting newer versions but the old next-utils does.

Where did you find the old repo getting newer versions? Only by the version number?

I do not care how this issue happened; I only care about when this issue can be fixed.

You just asked "Are they" and "Why" in your last reply. Then my last reply links to the answer. For the "when" problem, no one knows. Few of us would like to ask for an ETA.

You know this is open source, so if there's anything making you disappointed, you always have the choice to publish your own npm package. We are not forcing you to use this.

Mister-Hope commented 3 years ago

Fine, do anything you like. I will swallow my aggressive words. But do you actually think the first reply is helpful?

We use renovate bot to keep the dependencies up to date, and the fixed version is controlled by the bot: theme-next/next-util#2

What's the link for? What does he want to express?

lodash is removed in the latest version of @next-theme/utils.

Is it true?

For the "when" problem, no one knows. Few of us would like to ask for ETA.

Joking. Do you leave the security issues in your work projects? The ETA for security should definitely be as soon as possible.

I have a few open source projects like waline and vuepress-theme-hope.

Both of them have hundreds of stars. I will surely blame myself if I am posting wrong answers which are not helpful in my repo issues. And I will also blame myself if I am not helping and am wasting others' time when I could. Also I will surely fix any security problems as soon as possible.

Anyway, F word.