-
Notifications
You must be signed in to change notification settings - Fork 840
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade all patch- and minor level packages. #670
Conversation
Bumps [hosted-git-info](https://github.com/npm/hosted-git-info) from 2.8.8 to 2.8.9. - [Release notes](https://github.com/npm/hosted-git-info/releases) - [Changelog](https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md) - [Commits](npm/hosted-git-info@v2.8.8...v2.8.9) Signed-off-by: dependabot[bot] <support@github.com>
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.3. - [Release notes](https://github.com/yargs/y18n/releases) - [Changelog](https://github.com/yargs/y18n/blob/y18n-v4.0.3/CHANGELOG.md) - [Commits](yargs/y18n@v4.0.0...y18n-v4.0.3) --- updated-dependencies: - dependency-name: y18n dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7. - [Release notes](https://github.com/jbgutierrez/path-parse/releases) - [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7) --- updated-dependencies: - dependency-name: path-parse dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tmpl](https://github.com/daaku/nodejs-tmpl) from 1.0.4 to 1.0.5. - [Release notes](https://github.com/daaku/nodejs-tmpl/releases) - [Commits](https://github.com/daaku/nodejs-tmpl/commits/v1.0.5) --- updated-dependencies: - dependency-name: tmpl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
….0.3' into upgrade/greens-and-yellows
….0.5' into upgrade/greens-and-yellows
…-git-info-2.8.9' into upgrade/greens-and-yellows
…arse-1.0.7' into upgrade/greens-and-yellows
I updated this PR with adding all currently open dependabot PRs so it can all be tested together, making it less work at least from my point of view. |
Could you share those details? Which production dependency are you referring to? AFAIK the |
fixed in #671 thanks for reminder to update dev dependencies |
Thanks for solving this issue! |
Description
I ran
yarn upgrade-interactive
and since all the packages listed as possible to upgrade were either patch- or minor upgrades, they should be safe.This PR does all those upgrades, as it seems dependabot did not get around to handling all of them.
Motivation and Context
We've discovered a vulnerable package is used by this package, and as this is a production issue, we want to get it patched and are able to help making that happen.
How has this been tested?
Looking for any already implemented test code now. Will also test this in our product that depends on this.
Types of changes
Checklist: