chore: update some nonbreaking major packages #26709
Conversation
This reverts commit 8aba54e. Moved to gatsbyjs#26711
…acro, rewire, strip-ansi, webpack-merge
…ntation.js, node-fetch
webpack-merge now ships its own type definitions as of v5
…in, mitt, npm-package-arg, plop
@hoobdeebla Thank you so much for doing this! Can you fix conflicts? I'll get this in after that 🙌
Thank you, some small questions about package changes.
@@ -10,7 +10,7 @@ import { createUrqlClient } from "../../urql-client" | |||
import { useMutation, useSubscription } from "urql" | |||
|
|||
import lodash from "lodash" | |||
import fetch from "isomorphic-fetch" | |||
import fetch from "cross-fetch" |
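Review bot: the change from `import fetch from "isomorphic-fetch"` to `import fetch from "cross-fetch"` is a library substitution, not the version bump the PR title ("update some nonbreaking major packages") describes, so the reason for the swap and the matching package.json/lockfile change should be stated in the PR description rather than left for reviewers to ask about; since both packages wrap node-fetch, the lockfile diff should also be checked to confirm no node-fetch@1 copy is left behind by the old dependency.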
Why switch to cross-fetch?
import fetch from "cross-fetch" | |
import fetch from "cross-fetch" |
Why not isomorphic-fetch?
My preferred library used to be isomorphic-fetch but it has this bug that prevents it from running in a react native environment. It seems unlikely to be fixed since there haven't been any new commits to it since 2016. That means dependencies are outdated as well.
Additionally, isomorphic-fetch uses node-fetch@1, which is vulnerable to CVE-2020-15168 (disclosed yesterday).
In saying that, cross-fetch uses exact version constraints so is also currently affected by the same advisory
They've released a new version that updates node-fetch 🎉
Pulled out this security fix into its own PR here: #26876
Thank you @karlhorky! Beat me to it haha
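The thread above establishes the practical problem behind CVE-2020-15168 for this repo: the vulnerable node-fetch is not a direct dependency but arrives transitively, pinned by isomorphic-fetch (node-fetch@1) and by cross-fetch's exact version constraint, so a top-level `package.json` bump does not tell you whether the affected copy is gone. The following is an added example, not code from this PR or from the gatsby, isomorphic-fetch or cross-fetch projects: it walks the `dependencies` tree of a lockfileVersion 1 `package-lock.json` (the shape is assumed here; v2/v3 lockfiles use a flat `packages` map instead) and reports every node-fetch copy below the advisory's fixed versions, together with the dependency chain that pulls it in. The sample lockfile and its versions are constructed for illustration.

```javascript
// Added example (not from the gatsby PR or any of the packages it discusses):
// find every transitive node-fetch copy in a lockfileVersion 1 package-lock
// tree and flag the ones that predate the CVE-2020-15168 fix.
// Fixed versions per the advisory: 2.6.1 on the 2.x line, 3.0.0-beta.9 on 3.x.
// The 1.x line (what isomorphic-fetch depends on) never received a fix.
const FIXED_IN = { 2: "2.6.1", 3: "3.0.0-beta.9" };

// Parse "major.minor.patch[-prerelease]" into a numeric core and
// prerelease identifiers (numeric ids become numbers, others stay strings).
function parseVersion(version) {
  const [core, pre] = version.split("-", 2);
  const nums = core.split(".").map(Number);
  while (nums.length < 3) nums.push(0);
  const preIds = pre
    ? pre.split(".").map((id) => (/^\d+$/.test(id) ? Number(id) : id))
    : undefined;
  return { core: nums, pre: preIds };
}

// Semver precedence: numeric core first, then prerelease identifiers
// (a prerelease sorts below its release; numeric ids sort below alphanumeric).
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.core[i] !== vb.core[i]) return va.core[i] < vb.core[i] ? -1 : 1;
  }
  if (!va.pre && !vb.pre) return 0;
  if (!va.pre) return 1;
  if (!vb.pre) return -1;
  const n = Math.max(va.pre.length, vb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = va.pre[i];
    const y = vb.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts lower
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x === "number") return -1;
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// A node-fetch version is affected if it is below the fix for its major line.
// Majors without an entry in FIXED_IN: 0.x/1.x were never fixed, later majors
// postdate the fix (assumption made by this example, not by the advisory).
function isVulnerable(version) {
  const major = parseVersion(version).core[0];
  const fixed = FIXED_IN[major];
  if (fixed === undefined) return major < 2;
  return compareVersions(version, fixed) < 0;
}

// Recursively walk the lockfileVersion 1 "dependencies" tree, recording the
// install path (parent chain) and version of every copy of `pkg`.
function auditNodeFetch(lock, pkg = "node-fetch") {
  const findings = [];
  const walk = (deps, chain) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...chain, name];
      if (name === pkg) {
        findings.push({
          path: path.join(" > "),
          version: entry.version,
          vulnerable: isVulnerable(entry.version),
        });
      }
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

function formatReport(findings) {
  return findings.map(
    (f) => `${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.path}@${f.version}`
  );
}

// Constructed sample lockfile (illustrative versions, not a real gatsby lock).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "isomorphic-fetch": {
      version: "2.2.1",
      dependencies: { "node-fetch": { version: "1.7.3" } },
    },
    "cross-fetch": {
      version: "3.0.5",
      dependencies: { "node-fetch": { version: "2.6.0" } },
    },
    "node-fetch": { version: "2.6.1" },
    "some-tool": {
      version: "1.0.0",
      dependencies: { "node-fetch": { version: "3.0.0-beta.8" } },
    },
  },
};

console.log(formatReport(auditNodeFetch(SAMPLE_LOCK)).join("\n"));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the point of the path column is that a hoisted, fixed top-level `node-fetch@2.6.1` (as in the sample) says nothing about the nested copies other packages keep pinned underneath them.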
@@ -2,7 +2,7 @@ | |||
"use strict"; | |||
const fs = require("fs"); | |||
const path = require("path"); | |||
const glob = require("glob"); | |||
const glob = require("globby"); |
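Review bot: `const glob = require("globby");` keeps the old identifier bound to a different library, which hides an API change: globby's default export returns a Promise and its synchronous form is `globby.sync`, whereas glob is callback-based with `glob.sync`, so existing call sites written against glob will not work unchanged. Rename the binding to `globby` so the call sites read correctly, and make sure every use in this file is adjusted in the same diff; the hunk shows only the require line.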
Why switch here but not in other places?
gatsby-theme was using both glob and globby. Including two different glob libraries in one package seemed redundant to me, so I just chose one over the other. glob works fine everywhere else, so I didn't change it across the whole monorepo
…js-combinatorics, jscodeshift, raw-loader, url-loader, verdaccio, webpack-stats-plugin
…sv, md5-file, unpin unnecessarily pinned packages
…ander, csvtojson, dataloader, deep-map-keys, escape-string-regexp, yargs, remove unused deep-map dependency
Some new updates:
Jest was kept back at v25 because v26 is incompatible with Node <10.14.2. Gatsby supports Node >=10.13.0. Will mark as ready for review once #25546 lands
…pack-plugin, loader-utils
@hoobdeebla Thank you for putting in the effort. As we've seen in the past, updating packages comes with a risk. Even if there are no breaking changes, there might be subtle ones (#26259). We're happy to accept partial updates in smaller PRs. Perhaps update them by plugin 🤷. I've also updated our renovate config to make it easier for us to merge renovatebot PRs
Thanks @wardpeet for focusing on stability!! I've been thinking and talking about this a lot lately: https://twitter.com/karlhorky/status/1304107463764045824 Smaller PRs would be great, maybe with adding some tests with each one.
I'm reworking our circle-ci tests so we can add more e2e-tests to cover more ground.
Updates the following dependencies to newer (sometimes major) versions but does not break any code.
1.0.0 -> ^2.0.0
^12.3.0 -> ^13.0.2
^2.2.1 -> ^4.0.2
^3.13.0 -> ^4.7.0
^3.1.1 -> ^4.0.0
^1.7.0 -> ^4.1.0
^2.0.6 -> ^3.0.0
^1.2.1 -> ^2.0.0
^10.0.2 -> ^11.0.1
^6.5.2 -> ^7.3.3
^0.2.1 -> ^1.0.0
^3.2.3 -> ^5.0.0
^3.1.10 -> ^4.0.2
^0.8.1 -> ^0.11.2
^1.2.0 -> ^2.1.0
^1.7.3 -> ^2.6.1
^6.1.1 -> ^8.0.1
^3.0.0 -> ^4.0.0
^2.4.2 -> ^6.6.1
^0.0.2 -> ^1.2.0
^3.0.0 -> ^5.0.0
^1.9.1 -> ^2.7.4
^3.0.0 -> ^5.0.0
^3.3.0 -> ^5.2.1
^4.0.1 -> ^5.0.0
^1.2.2 -> ^4.0.2
^5.2.0 -> ^6.0.0
^2.1.0 -> ^3.0.2
^2.3.6 -> ^3.0.0
^1.1.2 -> ^2.1.1
^4.2.2 -> ^5.1.4