
Dependabot fixes #27

Merged
merged 1 commit into from
Jan 22, 2025

Conversation

ochaloup
Contributor

My task is to lower the number of security alerts on repositories I work with.
For many of these dependabot issues the trouble is that we (I) cannot update the dependency directly, as:

a) There is currently no new version - e.g., gts is stuck at a version without support for the new eslint/prettier; jest has worked for the last ~2 years on a new version 30.x, but until it is released (with all the backward incompatibilities) there is still the two-year-old version 29.7.0 without updates.
b) We cannot update the version due to backward incompatibility (e.g. solana/web3.js 1.x vs 2.x).

My consideration is to fix it by forcing the (mostly) minor updates in the pnpm lock file - on those dependencies that dependabot requires.

I will be happy to hear opinions on this way of fixing the thingy.

@ochaloup ochaloup requested a review from martinkrecek January 21, 2025 12:13
* axios: used by @solana/spl-governance, the SDK has not been updated for a long
  time and there will be a new IDL-based SDK that requires a full
  refactoring, so forcing a new version of the affected library
* @babel/traverse: used by jest/globals, which has not been updated for around a
  year, not sure about any other way than forcing the pnpm version
* cross-spawn: eslint not possible to change because of gts issues with the
  new linter (google/gts#830)
* ws: is used everywhere so it is hard to say, fixed to what dependabot says
* braces, micromatch: those are used by jest (cannot update as no new
  version exists)
* semver: not sure, many versions in the dependency tree
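The description and commit message above force minimum versions of transitive dependencies through pnpm rather than upgrading the direct dependents. As an added example (not code from this PR or its repository), the following check reads a `pnpm.overrides` block from package.json and verifies that every version pnpm actually resolved for those packages in pnpm-lock.yaml meets the forced minimum, so a silently ignored override is caught. It assumes overrides are declared via `pnpm.overrides`; the package names come from the commit message, while every version number and integrity hash is a constructed placeholder.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed package.json fragment (assumes overrides live under "pnpm.overrides";
# the version specs are placeholders, not the PR's real values).
PACKAGE_JSON = """{
  "pnpm": { "overrides": { "axios": ">=1.7.4", "ws": ">=8.17.1", "micromatch": ">=4.0.8" } }
}"""

# Constructed excerpt of a pnpm-lock.yaml "packages:" section. Lockfile v9 keys look
# like "name@version:" and may carry a peer-dependency suffix in parentheses;
# v6 keys start with a "/" which the regex also tolerates. Hashes are placeholders.
LOCKFILE = """packages:
  axios@1.7.9:
    resolution: {integrity: sha512-PLACEHOLDER}
  ws@8.18.0(bufferutil@4.0.8):
    resolution: {integrity: sha512-PLACEHOLDER}
  micromatch@4.0.5:
    resolution: {integrity: sha512-PLACEHOLDER}
"""

# Matches a package key line: optional scope "@org/", name, "@", x.y.z, optional peer suffix.
KEY_RE = re.compile(r"^  /?(@?[^@\s/]+(?:/[^@\s]+)?)@(\d+\.\d+\.\d+)[^:]*:$")

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))

def resolved_versions(lockfile: str) -> Dict[str, List[str]]:
    """Map package name -> every version pnpm resolved for it (a package may appear more than once)."""
    found: Dict[str, List[str]] = {}
    for line in lockfile.splitlines():
        m = KEY_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def check_overrides(package_json: str, lockfile: str) -> List[str]:
    """Return violations: an overridden package still resolved below the forced minimum,
    or absent from the lock file entirely (meaning the override never took effect)."""
    overrides = json.loads(package_json)["pnpm"]["overrides"]
    resolved = resolved_versions(lockfile)
    problems: List[str] = []
    for name, spec in overrides.items():
        minimum = parse_version(spec.lstrip(">=^~"))  # only simple ">=x.y.z" style specs are handled
        versions = resolved.get(name)
        if not versions:
            problems.append(f"{name}: not in lock file")
            continue
        for v in versions:
            if parse_version(v) < minimum:
                problems.append(f"{name}@{v} is below override {spec}")
    return problems
```

Run against the real files by replacing the two constructed strings with the contents of package.json and pnpm-lock.yaml; a non-empty result means dependabot will keep flagging that package.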
@ochaloup
Contributor Author

(fixed merge issues because of wrong base branch I took on my local computer)

@martinkrecek martinkrecek left a comment


This approach looks ok to me, I'm not aware of a more suitable strategy, considering that the mentioned Solana version blockers are present.

@ochaloup ochaloup merged commit f4b97b3 into main Jan 22, 2025
3 checks passed
@ochaloup ochaloup deleted the dependabot-fixes branch January 22, 2025 12:40
@ochaloup ochaloup mentioned this pull request Jan 22, 2025