deps(core): semver@7.5.2->7.5.4

trufflesuite / truffle

:warning: The Truffle Suite is being sunset. For information on ongoing support, migration options and FAQs, visit the Consensys blog. Thank you for all the support over the years.

https://consensys.io/blog/consensys-announces-the-sunset-of-truffle-and-ganache-and-new-hardhat?utm_source=github&utm_medium=referral&utm_campaign=2023_Sep_truffle-sunset-2023_announcement_

MIT License

14.03k stars 2.32k forks source link

deps(core): semver@7.5.2->7.5.4 #6177

Closed legobeat closed 1 year ago

legobeat commented 1 year ago

PR description

bump direct dependency semver to latest 7.5.4.
bump direct dependency @types/semver to latest 7.5.1.
- add assertion for type update
dedupe semver to address ReDoS in transitive deps.
dedupe @types/semver

Note that this does not completely remove all dependencies on broken versions of semver. It's still being pulled in via nx and [ethereumjs-block,ethereumjs-vm] > merkle-patricia-tree > levelup@1.

Testing instructions

Documentation

[x] I thought about documentation and added the doc-change-required label to this PR if documentation updates are required.

Breaking changes and new features

[x] I have added any needed breaking-change and new-feature labels for the appropriate packages.

legobeat commented 1 year ago

Maintainers: This PR still keeps the version pinned to conform with existing approach but I'd like to propose changing to caret range ^7.5.4 for direct dependencies on semver to reduce further churn for you and downstreams for any future bugfixes.

gnidan commented 1 year ago

Maintainers: This PR still keeps the version pinned to conform with existing approach but I'd like to propose changing to caret range ^7.5.4 for direct dependencies on semver to reduce further churn for you and downstreams for any future bugfixes.

I don't think we pin semver for any particular reason, so we can probably just switch it to caret. I'll check the history to confirm next week, to see if we pinned it on purpose at some point.

haltman-at commented 1 year ago

Also, I just looked through the history and it looks to me like it just got pinned mistakenly as part of #5309 and none of us noticed. I don't see any particular reason it got pinned. I'm OK with this being merged in its current form, but I agree it would be preferable for them to be unpinned.

legobeat commented 1 year ago

Also, I just looked through the history and it looks to me like it just got pinned mistakenly as part of #5309 and none of us noticed. I don't see any particular reason it got pinned. I'm OK with this being merged in its current form, but I agree it would be preferable for them to be unpinned.

@haltman-at Got it, I unrestricted it in 5f91fce170bfcda80a7de87cf3e8e73610388750