Skip to content

Bump minimatch from 3.0.4 to 3.1.2#180

Merged
AndyBitz merged 1 commit intovercel:masterfrom
kachkaev:bump-minimatch
Nov 1, 2022
Merged

Bump minimatch from 3.0.4 to 3.1.2#180
AndyBitz merged 1 commit intovercel:masterfrom
kachkaev:bump-minimatch

Conversation

@kachkaev
Copy link
Contributor

@kachkaev kachkaev commented Oct 21, 2022

Closes #179

@kachkaev kachkaev mentioned this pull request Oct 21, 2022
Closed
@kachkaev kachkaev changed the title Update minimatch from 3.0.4 to 3.1.2 Bump minimatch from 3.0.4 to 3.1.2 Oct 21, 2022
@aloisklink
Copy link

aloisklink commented Oct 24, 2022

This also closes #165

Maintainers, is it possible to instead use caret ranges, e.g. ^3.1.2 instead of pinning dependencies?

That way, if there is a security vulnerability in this package (or in serve), you guys don't need to manually update this package.

@kachkaev
Copy link
Contributor Author

kachkaev commented Oct 25, 2022
edited
Loading

As far as I understand, Vercel folks prefer pinning dependencies in their products. Here is Next.js, for example:
package.json#L76-L83 (caniuse-lite is an exception because it tracks recent browser releases).

This way they save their users from accidental upstream breaking changes within a semver range. Not sure this approach can be revisited easily, so I doubt we’ll be able to introduce ^ or ~ in this PR 😅

@imki123
Copy link

imki123 commented Oct 26, 2022

I need to merge this PR.

@bnussman
Copy link

bnussman commented Oct 27, 2022

@vercel, can you give this PR some attention? 🥺

@bnussman-akamai bnussman-akamai mentioned this pull request Oct 27, 2022
Merged
AndyBitz
AndyBitz approved these changes Nov 1, 2022
View reviewed changes
Copy link
Contributor

@AndyBitz AndyBitz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for opening the issue and providing a PR 🥇

@AndyBitz AndyBitz merged commit 1ea1a9c into vercel:master Nov 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AndyBitz AndyBitz AndyBitz approved these changes

+1 more reviewer

@bnussman bnussman bnussman approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Vulnerability in minimatch 3.0.4

5 participants

@kachkaev @aloisklink @imki123 @bnussman @AndyBitz