wooorm / refractor

Lightweight, robust, elegant virtual syntax highlighting using Prism
MIT License

Change prismjs to caret range? #33

Closed karlhorky closed 4 years ago

karlhorky commented 4 years ago

Hi @wooorm!

Maybe going forward, you would consider changing to a caret version range for prismjs?

It would help a lot for projects stuck with older dependencies which have refractor as a transitive dep (especially when things like security vulnerabilities with prismjs happen).

Anyway, thanks for the consideration!

wooorm commented 4 years ago

Hi Karl! 👋

We have Prism as a dep for its core. Basically hidden internals. Loosening the range will cause stuff to break. I find preventing everything from exploding more important than older dependencies. Refractor also has a track record of updating fast after Prism updates, and if you use refractor itself with a loose range, you’ll also get Prism updates.

The security vulnerability did not affect anyone using refractor, as we don’t support plugins. If there is an issue, it’s with Dependabot falsely claiming there was one 🤷‍♂️
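An added example, not part of the thread and not refractor's own code: a small resolver showing how a consumer's range on refractor decides which exactly pinned prismjs it receives. The registry contents and version numbers are constructed, and `satisfies`, `resolve` and `reachesFix` are hypothetical helpers that handle only exact and caret ranges.

```javascript
// Constructed registry (not real release history): each refractor
// release pins exactly one prismjs version, as described in the thread.
const REGISTRY = {
  '9.0.0': { prismjs: '9.0.0' },
  '9.1.0': { prismjs: '9.0.1' },
  '9.2.0': { prismjs: '9.1.0' },
  '10.0.0': { prismjs: '9.2.0' },
};

const parse = (v) => v.split('.').map(Number);

// Numeric comparison per component, so 10.0.0 sorts above 9.2.0.
const compare = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Supports only "x.y.z" (exact pin) and "^x.y.z" (caret range).
function satisfies(version, range) {
  if (!range.startsWith('^')) return compare(version, range) === 0;
  const base = range.slice(1);
  if (compare(version, base) < 0) return false;
  const [v, b] = [parse(version), parse(base)];
  // Caret keeps everything up to the left-most non-zero component fixed.
  const fixed = b[0] !== 0 ? 1 : b[1] !== 0 ? 2 : 3;
  for (let i = 0; i < fixed; i++) if (v[i] !== b[i]) return false;
  return true;
}

// Highest refractor release the consumer's range allows, and its pinned prismjs.
function resolve(refractorRange) {
  const match = Object.keys(REGISTRY)
    .filter((v) => satisfies(v, refractorRange))
    .sort(compare)
    .pop();
  return match ? { refractor: match, prismjs: REGISTRY[match].prismjs } : null;
}

// Does the consumer's range on refractor reach a given fixed prismjs version?
function reachesFix(refractorRange, fixedPrism) {
  const r = resolve(refractorRange);
  return r !== null && compare(r.prismjs, fixedPrism) >= 0;
}
```

Running `reachesFix` over the ranges declared in a lockfile audit shows which consumers pick up a patched core through a routine update and which need a manual bump or a major upgrade.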

karlhorky commented 4 years ago

Ok, understandable. Thanks for the answer :)

wooorm commented 4 years ago

No problem, thanks for understanding!