sindresorhus / globby

User-friendly glob matching
MIT License

Consider supporting 10.X #199

Closed nmccready closed 2 years ago

nmccready commented 2 years ago

Sindre, would you consider supporting a 10.X branch to deal with security updates? I would happily submit PRs for them to be published by the original fork. For some libraries it's not worth the extra effort at this point to force an update to 100% ES modules.

sindresorhus commented 2 years ago

I'm not willing to support v10, but I'm willing to merge fixes for critical security issues for v11 (last pre-ESM version).

sindresorhus commented 2 years ago

> For some libraries it's not worth the extra effort at this point to force an update to 100% ES modules.

Being able to update dependencies is a good reason.

nmccready commented 2 years ago

Will do, 11 sounds great, thank you!

nmccready commented 2 years ago

@sindresorhus I have a PR ready to be submitted but I need a target branch of 11.X or similar on this repo.

nmccready commented 2 years ago

https://github.com/sindresorhus/globby/compare/main...nmccready:main

sindresorhus commented 2 years ago

That is not a critical security issue. It's marked as medium (and in reality it's low).

sindresorhus commented 2 years ago

I recommend reading https://overreacted.io/npm-audit-broken-by-design/

nmccready commented 2 years ago

While I agree with all of these sentiments and I have read about npm audit already, this is being flagged by higher-level auditing systems at the corporate level like WhiteSource.

From the company's standpoint, it has to be fixed.

sindresorhus commented 2 years ago

https://github.com/sindresorhus/globby/releases/tag/v11.1.0