Skip to content

chore(deps): pin dependencies #651

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 25, 2020
Merged

chore(deps): pin dependencies #651

merged 1 commit into from
Sep 25, 2020

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jul 19, 2019
edited
Loading

This PR contains the following updates:

Package Type Update Change
chai (source) devDependencies pin ^4.1.2 -> 4.1.2
ghooks devDependencies pin ^2.0.4 -> 2.0.4
in-publish devDependencies pin ^2.0.0 -> 2.0.0
mocha-junit-reporter devDependencies pin ^1.18.0 -> 1.18.0
mocha-multi-reporters devDependencies pin ^1.1.7 -> 1.1.7
proxyquire devDependencies pin ^2.1.0 -> 2.1.0
sinon (source) devDependencies pin ^6.3.4 -> 6.3.4

📌 Important: Renovate will wait until you have merged this Pin PR before creating any upgrade PRs for the affected packages. Add the preset :preserveSemverRanges to your config if you instead don't wish to pin dependencies.

Renovate configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from d1ae14d to 768e4a6 Compare July 20, 2019 06:53
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from c381515 to b8d09a6 Compare August 14, 2019 14:40
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from 4a77588 to a72d224 Compare April 7, 2020 21:20
@LinusU
Copy link
Contributor

LinusU commented Apr 8, 2020

Why do we want this? 🤔

Isn't the package-lock.json file better suited for this?

@renovate renovate bot force-pushed the renovate/pin-dependencies branch from a72d224 to 151b5ea Compare April 16, 2020 10:56
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from 89c9cd4 to ad8043d Compare May 5, 2020 12:26
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from ad8043d to c04efe1 Compare August 21, 2020 18:17
@codecov-commenter
Copy link

codecov-commenter commented Aug 21, 2020
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@e22dd6c). Click here to learn what that means.
The diff coverage is n/a.

@dmwelch
Copy link
Contributor

dmwelch commented Aug 21, 2020

@LinusU I think this just enforces pinned dependency versions...

This would prevent security breach issues like the one that happened a couple years back with event-stream by preventing users from upgrading a dependency to a newer (and possibly malicious) version. The package-lock.json file only applies when you run npm ci, so a relative version in the package.json would pull the latest version regardless of the contents of the lock file, as I understand it.

@dmwelch dmwelch self-assigned this Aug 21, 2020
@dmwelch dmwelch closed this Aug 21, 2020
@dmwelch dmwelch reopened this Aug 21, 2020
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 3 times, most recently from f1760ce to 913c1a1 Compare August 21, 2020 23:16
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from b0b4e6b to b1815b2 Compare August 25, 2020 20:27
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from cb15021 to c85dbd4 Compare September 14, 2020 14:28
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from c85dbd4 to 8dd2525 Compare September 16, 2020 19:08
@dmwelch dmwelch merged commit 4620006 into master Sep 25, 2020
@dmwelch dmwelch deleted the renovate/pin-dependencies branch September 25, 2020 17:14
@commitizen-bot
Copy link

commitizen-bot commented Oct 20, 2020

🎉 This PR is included in version 4.2.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dmwelch dmwelch dmwelch approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dmwelch dmwelch

Labels

dependency related released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@LinusU @codecov-commenter @dmwelch @commitizen-bot @renovate-bot