Update dependencies that were effectively downgraded & remove some unused dependencies

[realityking]

🚀 Why this change?

In the move to fixed dependency versions (f0f200b) some dependencies were effectively downgraded as there was a newer, in-range, version at the time.

While looking at the dependencies, I also found some unused dev dependencies:

• coffee-coverage isn't used anymore after decaffeinating

Many more things that are outdated but this seem like obvious wins 🙂

📝 Related issues and Pull Requests

✅ What didn't I forget?

• To write docs
• To write tests
• To put Conventional Changelog prefixes in front of all my commits and run npm run lint

[honzajavorek]

Thanks! This is definitely a good idea. It will take me some time to check licensing etc. of the packages, will track the progress here:

• async@2.6.0
• chai@4.1.2
• cross-spawn@5.1.0
• glob@7.1.2
• js-yaml@3.10.0
• markdown-it@8.4.1
• proxyquire@1.8.0
• uuid@3.2.1
• which@1.3.0
• winston@2.4.0 - depending on cycle@1.0.3, which is Public Domain, which is not pre-approved in Oracle (unlike The Unlicense) and needs to be checked by lawyers first
• eslint-config-airbnb-base@11.3.0 - The npm packages get distributed without licenses airbnb/javascript#1744

[honzajavorek]

@realityking I think once the eslint-config-airbnb-base is sorted, we're good to go, but without winston for now. With regard to #765 and the long-term intention to replace winston with something like debug I'm honestly a bit lazy to proceed with the upgrade internally right now.

[realityking]

Thanks @honzajavorek! I pushed a new version without the bump for winston.

As for eslint-config-airbnb-base, that's already a dependency through eslint-config-airbnb but I'm happy to split this into another PR.

[honzajavorek]

I'm happy to split this into another PR

Let's wait just a little bit, my hunch would be this one could get resolved in a timely manner. It's Airbnb, they could care about licensing 😄

[ljharb]

Note that the "license" field in package.json, which is SPDX-compliant, is more than sufficient, the actual LICENSE file is not required. (that said, I've merged airbnb/javascript#1746)

[honzajavorek]

@ljharb Thanks! 👍 I answered to your comment under airbnb/javascript#1746.

[realityking]

Based on the above discussion I removed the eslint-config-airbnb since I assume you'll want to update to a version that includes the License file.

I'll open a separate PR to track that.

[ljharb]

With or without the license file, the dependency is MIT licensed; there should be no need to remove it.

[honzajavorek]

@ljharb I'm sorry, but it seems the interpretation may differ from lawyer to lawyer. In that case, I may have the bad luck of having stricter lawyers behind my back. They require me to have only dependencies with copyright notice including a copyright holder and with a full license text.

Vast majority of projects I've seen on npm or elsewhere just include the full license text, even the smallest ones. (Probably thanks to GitHub, which puts you the license file into the repo from the very beginning.) Observing that, I have no particular reason to fight our lawyers and persuade them that three letters are enough. I've seen myself projects using MIT licenses, but with their license wording being slightly different. I've seen MIT in package.json and a completely different license text or dual licensing in the LICENSE file. It can be quite a mess. So I suppose this is mostly defensiveness and just being 100% sure what were the intentions of the project author.

I'm happy to go and contribute licenses anywhere where they're missing or file issues for discrepancies, because licenses are important, it's the main glue of the FOSS.

That said, we started to properly care about licenses just about recently and any dependencies we're already using previously are a priori pardoned. So when talking about removing eslint-config-airbnb from this PR, it's just about not upgrading its version yet, not removing the dependency from the project 🙂 (cc @realityking )

[honzajavorek]

@realityking btw I'm sorry for the failing Windows builds, they got very flaky recently. I plan to focus on fixing them, but until that time I'll keep retrying the builds for you 😕

[realityking]

@honzajavorek Looks like this all passes now :)

[honzajavorek]

💃

[realityking]

@honzajavorek Would it be possible to release a new minor version that includes this PR? 🙂

[honzajavorek]

Ha, I haven't noticed it's classified as chore:. If it was feat: or fix:, it gets autoreleased. Hmm...

[realityking]

Ah, good to know. Now I wish I had made #979 a fix: - I was debating that 😆

[realityking]

I had another PR I wanted to make this week - let me do that now and I'll put it in as a fix :)

[honzajavorek]

Yeah, I think fix fits better. Maybe I can find time to do upgrades on Dredd Transactions and to release a new Dredd with those propagated.

[honzajavorek]

Decided not to block on DT or other PRs, this resolves the issue: #980