Fix tests and large number of security vulnerabilities #18
Bumps [axios](https://github.com/axios/axios) from 0.21.1 to 0.21.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v0.21.2/CHANGELOG.md)
- [Commits](axios/axios@v0.21.1...v0.21.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.19...4.17.21)

---
updated-dependencies:
- dependency-name: lodash
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bump axios from 0.21.1 to 0.21.2
Bump lodash from 4.17.19 to 4.17.21
Bumps [ini](https://github.com/npm/ini) from 1.3.5 to 1.3.8.
- [Release notes](https://github.com/npm/ini/releases)
- [Changelog](https://github.com/npm/ini/blob/main/CHANGELOG.md)
- [Commits](npm/ini@v1.3.5...v1.3.8)

---
updated-dependencies:
- dependency-name: ini
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.3.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/y18n-v4.0.3/CHANGELOG.md)
- [Commits](yargs/y18n@v4.0.0...y18n-v4.0.3)

---
updated-dependencies:
- dependency-name: y18n
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bump ini from 1.3.5 to 1.3.8
Bump y18n from 4.0.0 to 4.0.3
Bumps [ws](https://github.com/websockets/ws) from 5.2.2 to 5.2.3.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@5.2.2...5.2.3)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [hosted-git-info](https://github.com/npm/hosted-git-info) from 2.7.1 to 2.8.9.
- [Release notes](https://github.com/npm/hosted-git-info/releases)
- [Changelog](https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md)
- [Commits](npm/hosted-git-info@v2.7.1...v2.8.9)

---
updated-dependencies:
- dependency-name: hosted-git-info
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…fo-2.8.9 Bump hosted-git-info from 2.7.1 to 2.8.9
Bump ws from 5.2.2 to 5.2.3
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [tar](https://github.com/npm/node-tar) from 4.4.8 to 4.4.19.
- [Release notes](https://github.com/npm/node-tar/releases)
- [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v4.4.8...v4.4.19)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bump tar from 4.4.8 to 4.4.19
Bump path-parse from 1.0.6 to 1.0.7
Bumps [tmpl](https://github.com/daaku/nodejs-tmpl) from 1.0.4 to 1.0.5.
- [Release notes](https://github.com/daaku/nodejs-tmpl/releases)
- [Commits](https://github.com/daaku/nodejs-tmpl/commits/v1.0.5)

---
updated-dependencies:
- dependency-name: tmpl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bump tmpl from 1.0.4 to 1.0.5
Bumps [ajv](https://github.com/ajv-validator/ajv) from 6.7.0 to 6.12.6.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.7.0...v6.12.6)

---
updated-dependencies:
- dependency-name: ajv
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bump ajv from 6.7.0 to 6.12.6
@joshjordan The issue we ran into yesterday was that the prepack ran compile, and compile was broken because dev dependencies aren't installed. Anytime that prepack runs without development dependencies, I can't imagine that there are many cases where it would succeed. Yarn handles it fine. Checking in dist accounts for the case where some versions of some package managers don't run prepack upon a Git checkout, but for those that do, running it shouldn't hurt anything. I just looked into using "prepare" instead of "prepack." This is really weird: In NPM < 7, according to npm/cli#1865 (comment) :
Of course, in order to fully engulf the dumpster that is JS build tooling in flames, other package managers don't support prepare at all, only prepack. And then, for mysterious and unadvertised reasons, they stopped installing dev dependencies for NPM >= 7, so the prepare script wouldn't work, but it would be run. This seems to suggest that things are fixed as of 8.5.2: @joshjordan what NPM version did you run into this problem with? References:
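The prepack-versus-committed-`dist` discussion above is the point where a reviewer most wants a mechanical check: if compiled output lives in the repository, something has to prove it still matches the source. The script below is an added example, not code from this PR or the library; it assumes a committed build directory and a freshly built one to compare, and constructs its own sample trees for the demo.

```shell
#!/bin/sh
# Added example, not code from this PR or the project it modifies.
# Checks that a committed build directory (e.g. dist/) is byte-identical to a
# fresh build, so compiled output cannot silently diverge from its source.
# Directory names and sample files below are constructed for the demo.
set -e

# Hash one file; prefer sha256sum (coreutils), fall back to shasum (macOS/BSD).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Emit "path sha256" for every regular file under $1, sorted, so two trees
# with identical content produce identical manifests regardless of find order.
manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s %s\n' "$f" "$(hash_file "$f")"
    done )
}

# Return 0 if the committed tree and the freshly built tree match exactly;
# otherwise print the differing manifest entries to stderr and return 1.
dist_matches_build() {
  committed_manifest=$(manifest "$1")
  fresh_manifest=$(manifest "$2")
  if [ "$committed_manifest" = "$fresh_manifest" ]; then
    return 0
  fi
  printf 'committed build differs from a fresh build of the source:\n' >&2
  printf '%s\n' "$committed_manifest" > "${TMPDIR:-/tmp}/committed.$$"
  printf '%s\n' "$fresh_manifest" | diff "${TMPDIR:-/tmp}/committed.$$" - >&2 || true
  rm -f "${TMPDIR:-/tmp}/committed.$$"
  return 1
}

# Constructed demo input: a "committed" dist tree and a "fresh" build tree
# with the same single file. Prints the temporary root directory.
make_sample_trees() {
  root=$(mktemp -d)
  mkdir -p "$root/dist" "$root/fresh"
  printf 'module.exports = function add(a, b) { return a + b }\n' > "$root/dist/index.js"
  cp "$root/dist/index.js" "$root/fresh/index.js"
  printf '%s\n' "$root"
}
```

In a real repository the fresh tree comes from running the project's own build into a scratch directory in CI, after which `dist_matches_build dist <scratch>` fails the job on any drift.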
Bumps [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) from 0.2.0 to 0.2.2.
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2)

---
updated-dependencies:
- dependency-name: decode-uri-component
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.18.9 to 7.23.7.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.7/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [json5](https://github.com/json5/json5) from 2.2.1 to 2.2.3.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v2.2.1...v2.2.3)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [tough-cookie](https://github.com/salesforce/tough-cookie) from 4.0.0 to 4.1.3.
- [Release notes](https://github.com/salesforce/tough-cookie/releases)
- [Changelog](https://github.com/salesforce/tough-cookie/blob/master/CHANGELOG.md)
- [Commits](salesforce/tough-cookie@v4.0.0...v4.1.3)

---
updated-dependencies:
- dependency-name: tough-cookie
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [axios](https://github.com/axios/axios) from 0.22.0 to 0.28.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v0.28.0/CHANGELOG.md)
- [Commits](axios/axios@v0.22.0...v0.28.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.1 to 1.15.6.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.1...v1.15.6)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…_and_yarn/follow-redirects-1.15.6 Bump follow-redirects from 1.15.1 to 1.15.6
…_and_yarn/axios-0.28.0 Bump axios from 0.22.0 to 0.28.0
…_and_yarn/tough-cookie-4.1.3 Bump tough-cookie from 4.0.0 to 4.1.3
…_and_yarn/json5-2.2.3 Bump json5 from 2.2.1 to 2.2.3
…_and_yarn/babel/traverse-7.23.7 Bump @babel/traverse from 7.18.9 to 7.23.7
…_and_yarn/decode-uri-component-0.2.2 Bump decode-uri-component from 0.2.0 to 0.2.2
Bumps [braces](https://github.com/micromatch/braces) to 3.0.3 and updates ancestor dependencies [braces](https://github.com/micromatch/braces), [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [ts-jest](https://github.com/kulshekhar/ts-jest). These dependencies need to be updated together.

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `jest` from 26.6.3 to 29.7.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v29.7.0/packages/jest)

Updates `ts-jest` from 26.5.6 to 29.2.5
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v26.5.6...v29.2.5)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
- dependency-name: jest
  dependency-type: direct:development
- dependency-name: ts-jest
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
…m_and_yarn/multi-2e8a4eb4c4 Bump braces, jest and ts-jest
@@ -1,6 +1,5 @@ | |||
*.idea | |||
node_modules | |||
*.log* | |||
/dist |
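Review bot: the hunk header says `.gitignore` goes from 6 lines to 5, but none of the listed lines carries a `-` marker, so the rendered hunk alone does not show which entry was dropped; the "Why include dist?" exchange below confirms it is `/dist`, which means compiled output is now committed next to the source. A checked-in `dist/` can drift from the source it claims to be built from, and a reviewer cannot verify compiled files by eye, so if `/dist` stays un-ignored, pair it with a CI step that rebuilds from source and fails when the result differs from the committed tree; otherwise keep `/dist` in `.gitignore` and rely on the `prepack` build path the thread already describes.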
Why include dist?
Whoa! This one's more than two years old.
That's really why -- we use `dist` as a simple mechanism to publish so we don't have to put a competing module up in npm. We hadn't seen activity in this repo and so that's where we stuck the compiled code.
I do not think it needs to be included for the main repo if the main repo is starting to get updates again.
And to be clear, I think this is because the PR is continuing to pull in our latest commits. When we included `dist`, it was after we'd given up that we'd get this PR merged.
Hahaha, I missed the ping before, and for some reason GH pinged me again just yesterday, hence the question :)
As I am not using the lib anymore myself, would you like to be added as a contributor to keep maintaining it?
However, it is probably easier to just redirect people to your fork.
Sure! I am open to doing it either way. I'd like to maintain this -- we have security patches as well as some new features to add. It's a great library, thank you for it.
Would you like to do the Transfer Ownership function so GH does an automatic redirect? I can drop the supervillain-software-group repo if so, so we can keep all the repo history in the main one.
@aigoncharov done! Sorry for that. I deleted it and will bring my local commits in after transfer.