Update dependencies and health files and fix linter problems #177

Merged: 4 commits, Dec 13, 2021

SethFalco
Member

@SethFalco SethFalco commented Nov 20, 2021

.github/ISSUE_TEMPLATE.md

  • Removes Slack as this doesn't appear to be running. The link was also removed from the base metalsmith repository. (metalsmith/metalsmith@0bea2ac)

README.md

  • Removes Greenkeeper as this is no longer active in favor of Snyk.

lib/index.js

package.json

  • Update all dependencies to their latest versions except multimatch which I only updated to 5.0.0. (Latest is 6.0.0)
    • Reduces vulnerabilities from 42 moderate severity vulnerabilities to 5 moderate severity vulnerabilities

Linting and tests all pass after these changes.

@webketje
Member

Thx @SethFalco,

I have 1 main point before this can be merged:

  • For the next release I'd like to keep Node >= 8 support. You can check dependency compatibility by running npm info <pkg>@* engines.node. Unfortunately the latest Node 8 compatible version for multimatch is 4.0.0, so that needs to be re-downgraded. For devDependencies, the ones used in CI npm test need to be compatible with the environments they are used in. That means [email protected] and possibly others. Others can be upgraded to latest.

Stackoverflow link can be https.
I don't really agree with the ESLint rule but I don't mind following it.
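
The compatibility check described in the comment above, as an added example that is not part of the PR or the project's code: given each release's engines.node range, it picks the highest release that still admits the supported Node floor. The package data is constructed, the function names are hypothetical, and the range matcher is a simplified stand-in for node-semver that handles only >=, <, || and *.

```javascript
// Added example: simplified engines.node check, NOT node-semver.
// Anything other than "*", "||", ">=" and "<" throws instead of guessing.
function parseVersion(text) {
  if (!/^\d+(\.\d+){0,2}$/.test(text)) {
    throw new Error(`unsupported version: ${text}`);
  }
  const parts = text.split(".").map(Number);
  while (parts.length < 3) parts.push(0); // "8" -> [8, 0, 0]
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alternative) => {
    // Accept ">= 8" as well as ">=8", then split into comparators.
    const comparators = alternative.trim().replace(/(>=|<)\s+/g, "$1").split(/\s+/);
    return comparators.every((c) => {
      if (c === "*" || c === "") return true;
      const m = /^(>=|<)(\d+(?:\.\d+){0,2})$/.exec(c);
      if (!m) throw new Error(`unsupported comparator: ${c}`);
      const order = compare(v, parseVersion(m[2]));
      return m[1] === ">=" ? order >= 0 : order < 0;
    });
  });
}

// Highest release whose engines.node admits the project's Node floor.
// Only the floor is tested; a missing engines.node is treated as "*".
function latestCompatible(enginesByVersion, floor) {
  const ok = Object.keys(enginesByVersion)
    .filter((ver) => satisfies(floor, enginesByVersion[ver] || "*"))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample data for a hypothetical package (not real npm output).
const SAMPLE_ENGINES = {
  "4.0.0": ">=8",
  "5.0.0": ">=10",
  "6.0.0": ">=12.20.0 <13 || >=14.13.1 <15 || >=16",
};
```

Pinning to the result of latestCompatible(SAMPLE_ENGINES, "8.0.0") keeps the runtime floor intact, but any advisories fixed only in later releases stay open and need to be tracked separately.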

@SethFalco
Member Author

SethFalco commented Dec 11, 2021

Sure, I've added the following to the package.json also just to kind of document that requirement.
I'm not sure if npm uses it, but I know yarn would automatically check against the engines when installing dependencies.

"engines": {
  "node": ">=8"
},

  • I've downgraded dependencies to meet the engine.node field of dependencies.
  • Replaced all http links with https.
  • Removed a reference to the Slack channel from the README which I just noticed.

Just noting it since it's changed from the original PR summary:
Reduces vulnerabilities from 42 moderate severity vulnerabilities to 19 vulnerabilities (16 moderate, 3 critical)

@SethFalco
Member Author

SethFalco commented Dec 11, 2021

The build fails because of the test task running with Node 6. If we're only supporting Node >= 8, I assume we can remove that and rerun this?

@webketje
Member

@SethFalco Correct, I'm in the process of upgrading the plugin repos to a common setup and that will include the travis.yml currently already available at https://github.com/metalsmith/excerpts/blob/master/.travis.yml

@webketje webketje merged commit ffbcf61 into metalsmith:master Dec 13, 2021
@SethFalco SethFalco deleted the dependencies branch January 1, 2022 13:04