-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependencies #125
Update dependencies #125
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, but can you rebase your commits so they fulfill the conventional commits? For these two commits, they should be something like
chore: update dependencies
chore: automatic npm security audit <next-line> ...restOfTheCommitBody
Other than that, I think this PR is good.
I should mention this in contribute.md, but I'm still thinking what kind of test should I use to ensure the commit (commit-lint? Or a gh-action to check commit).
I suggest you can use interactive rebase to fix this: git rebase --interactive <the-sha-of-the-commit-before-your-two-commits>
. I believe in your case, it should be git rebase --interactive a034fba5c1f6c04afe06f36f29f1dc132c1f5a95
. Then, git will let you modify the git message in a file:
pick <hash> <message>
pick <hash> <message>
And you should change the message and save and quit that file. Then, you will need to git push -f
. That will override current branch on github.
BTW, would you like to do me a favor, update the got js to |
Whoooops I completely forgot about that, although it should definitely be mentioned in the contribution guide. I have now correctly rebased my changes. Even though I already knew how to do it, I greatly admire your willingness to explain for the "less informed" among us. Git can be very confusing at times, and I'm sure that I would've been very confused without your explanation, had I not known about interactive rebase beforehand. Although,
This is not correct. You have to change "pick" into "reword" (or 'r' for short) to rename the commits 😉
This reminded me to update the dependencies for individual modules too, which I have now done.
I deliberately did these rollbacks in a separate commit to make it easy to revert once "the road is clear" so to speak. |
5 security warnings required "manual intervention". It looks like they are caused by transitive dependencies from parcel & lerna
- file-type has an async API from v13 on, more changes would be necessary to update - long can't be updated to v4 because bytebuffer depends on ~3 (protobufjs/bytebuffer.js#90)
I'm curious why the And, yes, we can have another individual patch to fix the file-type and others problem. |
Don't ask me how, but I completely overlooked lerna's existence. I painfully ran install, outdated and update manually in each package, causing the package-lock's to generate. I was already a little confused why they didn't exist before...
Do you want me to ("recursively") update all Also: I just found out I forgot to update the "sub"-modules |
Actually,
Actually, I'll go over the lerna again and see what is the best practice to setup a existed lerna project. I just check that the others lerna repo does not contain package-lock in repo. It seems harmless now, but let's remove it in next patch. |
Actually, wouldn't it make more sense to make the "sub"-modules depend on `../' and move any remaining (non-transitive) dependencies to the "parent module"? This makes updating easier in the future, and IMHO makes the "proxy function" of these sub-modules more clear.
|
These internal tricky modules' dependencies should already be included in its parent. The dependencies field in it is just to hint the bundle system. I'm not sure if I understand it correctly. Do you mean the |
Is it necessary though? I feel like it could lead to issues if people (like me) forget to update dependencies.
You're absolutely right, my suggestion doesn't make sense. I feel like there should be a better way to do this though... |
Actually, wouldn't it be sufficient to move the |
I have updated all dependencies to the latest version for your convenience.
No major changes were necessary, just some postfix-operators.
There are 5 security warnings remaining (down from ~1600) that require "manual intervention". From what I can see these are caused by transitive dependencies of
parcel
andlerna
.