Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): pin dependencies #651

Merged
merged 1 commit into from Sep 25, 2020
Merged

chore(deps): pin dependencies #651

merged 1 commit into from Sep 25, 2020

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 19, 2019
edited

This PR contains the following updates:

Package Type Update Change
chai (source) devDependencies pin ^4.1.2 -> 4.1.2
ghooks devDependencies pin ^2.0.4 -> 2.0.4
in-publish devDependencies pin ^2.0.0 -> 2.0.0
mocha-junit-reporter devDependencies pin ^1.18.0 -> 1.18.0
mocha-multi-reporters devDependencies pin ^1.1.7 -> 1.1.7
proxyquire devDependencies pin ^2.1.0 -> 2.1.0
sinon (source) devDependencies pin ^6.3.4 -> 6.3.4

馃搶 Important: Renovate will wait until you have merged this Pin PR before creating any upgrade PRs for the affected packages. Add the preset :preserveSemverRanges to your config if you instead don't wish to pin dependencies.

Renovate configuration

馃搮 Schedule: At any time (no schedule defined).

馃殾 Automerge: Disabled by config. Please merge this manually once you are satisfied.

鈾伙笍 Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

馃懟 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from d1ae14d to 768e4a6 Compare Jul 20, 2019
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from c381515 to b8d09a6 Compare Aug 14, 2019
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from 4a77588 to a72d224 Compare Apr 7, 2020
@LinusU
Copy link
Contributor

@LinusU LinusU commented Apr 8, 2020

Why do we want this? 馃

Isn't the package-lock.json file better suited for this?

@renovate renovate bot force-pushed the renovate/pin-dependencies branch from a72d224 to 151b5ea Compare Apr 16, 2020
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from 89c9cd4 to ad8043d Compare May 5, 2020
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from ad8043d to c04efe1 Compare Aug 21, 2020
@codecov-commenter
Copy link

@codecov-commenter codecov-commenter commented Aug 21, 2020
edited

Codecov Report

鉂� No coverage uploaded for pull request base (master@e22dd6c). Click here to learn what that means.
The diff coverage is n/a.

@dmwelch
Copy link
Contributor

@dmwelch dmwelch commented Aug 21, 2020

@LinusU I think this just enforces pinned dependency versions...

This would prevent security breach issues like the one that happened a couple years back with event-stream by preventing users from upgrading a dependency to a newer (and possibly malicious) version. The package-lock.json file only applies when you run npm ci, so a relative version in the package.json would pull the latest version regardless of the contents of the lock file, as I understand it.

@dmwelch dmwelch self-assigned this Aug 21, 2020
@dmwelch dmwelch closed this Aug 21, 2020
@dmwelch dmwelch reopened this Aug 21, 2020
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 3 times, most recently from f1760ce to 913c1a1 Compare Aug 21, 2020
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 5 times, most recently from b0b4e6b to b1815b2 Compare Aug 25, 2020
@renovate renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from cb15021 to c85dbd4 Compare Sep 14, 2020
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from c85dbd4 to 8dd2525 Compare Sep 16, 2020
@dmwelch dmwelch merged commit 4620006 into master Sep 25, 2020
8 checks passed
@dmwelch dmwelch deleted the renovate/pin-dependencies branch Sep 25, 2020
@commitizen-bot
Copy link

@commitizen-bot commitizen-bot commented Oct 20, 2020

馃帀 This PR is included in version 4.2.2 馃帀

The release is available on:

Your semantic-release bot 馃摝馃殌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmwelch dmwelch

Assignees

@dmwelch dmwelch

Labels
dependency related released
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet
5 participants
@LinusU @codecov-commenter @dmwelch @commitizen-bot @renovate-bot