Skip to content

Bump dependencies to fix vulnerabilities#14697

Merged
RobinMalfait merged 9 commits intomainfrom
fix/issue-14696
Oct 17, 2024
Merged

Bump dependencies to fix vulnerabilities#14697
RobinMalfait merged 9 commits intomainfrom
fix/issue-14696

Conversation

@RobinMalfait
Copy link
Member

@RobinMalfait RobinMalfait commented Oct 17, 2024

This PR fixes some package vulnerabilities that you will see when running npm install. This PR fixes that by bumping dependencies to get rid of the vulnerabilities.

@RobinMalfait
npm audit fix
5689575
@RobinMalfait
bump dependencies
75c37eb 
Most of them were already installed because of the `^` in the version.
But this commit syncs the `package.json` file with those versions.

This does not bump dependencies to major versions.
@RobinMalfait
update changelog
9b4e0e0
@RobinMalfait RobinMalfait marked this pull request as draft October 17, 2024 10:04
thecrypticace
thecrypticace suggested changes Oct 17, 2024
View reviewed changes
Copy link
Contributor

@thecrypticace thecrypticace left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to npm install in standalone-cli too to update its lockfile.

@RobinMalfait RobinMalfait marked this pull request as ready for review October 17, 2024 10:33
@RobinMalfait RobinMalfait changed the title Bump dependecies to fix vulnerabilities Bump dependencies to fix vulnerabilities Oct 17, 2024
@RobinMalfait RobinMalfait enabled auto-merge (squash) October 17, 2024 10:37
@RobinMalfait RobinMalfait merged commit c8c3a22 into main Oct 17, 2024
@RobinMalfait RobinMalfait deleted the fix/issue-14696 branch October 17, 2024 10:41
philipp-spiess
philipp-spiess reviewed Oct 17, 2024
View reviewed changes
CHANGELOG.md
- Nothing yet!
### Fixed

- Bump dependencies to fix vulnerabilities ([#14697](https://github.com/tailwindlabs/tailwindcss/pull/14697))
Copy link
Contributor

@philipp-spiess philipp-spiess Oct 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did we end up bundling vulnerable code here? "Fix vulnerabilities" makes it sound like we had a vulnerability in Tailwind CSS which might be a bit too alarming.

In the past we used the wording "Bump versions for security vulnerabilities" which gave it a more passive sound. WDYT?

@RobinMalfait RobinMalfait mentioned this pull request Oct 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@philipp-spiess philipp-spiess philipp-spiess left review comments

@thecrypticace thecrypticace thecrypticace approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@RobinMalfait @philipp-spiess @thecrypticace