Please allow minor and patch updates #129
Comments
a new
I can give an example: Gatsby was recently updated to version 4.6. They have a transient dependency on As you point out yourself, *) Dependency graph: (I hope this description was somewhat readable, and that I didn't mess up any of the version numbers.)
Do you have any updates to this issue?
This is a security issue, +1
Would it be possible to release a parallel version of I don't know exactly how this would work. If an issue is found, it would require that the users are skilled enough to switch this version of
I had to get rid of this package and switch to ESM modules, so I can install the newest version of node-fetch. node-fetch v3 only supports ESM modules and I needed it for apollo to work. Such a headache...
Allowing MINOR and PATCH updates in
Sorry for asking again, but do you have any updates to this issue, @lquixada? To me, it seems like a small change to make, but I would very much like to hear if you don't agree.
@janaagaard75 Sorry for the late reply. I feel the discussion boils down to "no range" vs "caret range" vs "tilde range". So first let me address why "tilde range" might not be a good idea: TLDR is "caret range" > "tilde range". That leaves us with the "no range" vs "caret range" dilemma. Currently a comprehensive suite of tests run against However I'm leaning toward adding
Ideally dependent packages such as
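Added example, not part of the thread or of the cross-fetch code base: a minimal resolver showing which release an exact pin, a tilde range and a caret range each pick up, which is why a pinned transitive dependency never receives a patch release. The version list and the function names are constructed for illustration, and only plain MAJOR.MINOR.PATCH strings are handled (no prerelease tags).

```javascript
// Added example: minimal resolver for exact, tilde and caret ranges.
// Assumption: versions are plain MAJOR.MINOR.PATCH, no prerelease tags.
const parse = (v) => v.split(".").map(Number);

// Three-way comparison of two parsed versions.
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
};

// Returns [lowerInclusive, upperExclusive] for a range string.
function bounds(range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const [maj, min, pat] = parse(range.slice(op.length));
  const low = [maj, min, pat];
  if (op === "~") return [low, [maj, min + 1, 0]]; // patch updates only
  if (op === "^") {
    // Caret keeps the left-most non-zero component fixed.
    if (maj > 0) return [low, [maj + 1, 0, 0]];
    if (min > 0) return [low, [0, min + 1, 0]];
    return [low, [0, 0, pat + 1]];
  }
  return [low, [maj, min, pat + 1]]; // exact pin: only that version
}

// Highest published version satisfying the range, or null if none does.
function resolve(range, published) {
  const [low, high] = bounds(range);
  const ok = published
    .map(parse)
    .filter((v) => cmp(v, low) >= 0 && cmp(v, high) < 0)
    .sort(cmp);
  return ok.length ? ok[ok.length - 1].join(".") : null;
}

// Constructed release history of a hypothetical dependency.
const published = ["1.4.0", "1.4.1", "1.4.3", "1.5.0", "2.0.0"];

for (const range of ["1.4.0", "~1.4.0", "^1.4.0"]) {
  console.log(range.padEnd(7), "->", resolve(range, published));
}
```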
Thanks a lot. Not only for merging the pull request @lquixada, but also for detailing why you prefer the caret over the tilde.
Hi cross-fetch. I would like to understand why this repository isn't allowing minor and patch updates to the dependencies. My best guess is that the tighter control allows you to avoid issues that might occur because a dependency was updated, but is that really happening that frequently? Even if you guys are fast to patch your dependencies, not allowing minor and patch updates puts a pretty big update burden on all the packages that use cross-fetch.