Address vuln in semver (bump simple-update-notifier & semver) #2118
✅ Deploy Preview for nodemon ready!
Not an issue for me, but... semver 7.x needs node 10+. The nodemon package.json says: Which means this could be a breaking change for 'someone' out there.
Support for Node 8 ended 3 years and 5 months ago (31 Dec 2019). Even support for Node 10 ended 2 years ago (30 Apr 2021). See https://endoflife.date/nodejs The
Then we wait until a fix is merged into the master of simple-update-notifier.
Firstly, sorry for late replies. Gmail has been slurping a lot of legit emails into spam, so I've missed a lot (including replies to emails I've sent my own family). Regarding support for older node versions that @aren55555 mentions, I'll explain: node 8 was easy to support for a long time with little to no changes. Since I come from the web and backward compatibility is the gold standard, and when it was easy to do, I did. I'd only drop an older version of node if there was a really good reason (like the version of node flat out couldn't support some feature). I'm happy to drop node 8 if semver simply can't support it, but I'll only go to the lowest common version (which I'd expect is 10, but again, happy to push higher if it's required). Some people are in companies that can't easily upgrade, and it's important to me to try to help them as long as I can. Aside, I'm sure the author of the updater script will be happy to merge a PR - the module development was driven by stale support in the original updater and nodemon relying on it. (Completely aside, I'd love to know what changed in semver that meant they had to drop support for node 8 - I'm guessing native await support, but I'll have to take a gander). Thanks to everyone bringing this up.
I think it can be good: I tested the most common methods from But when I use any other method, every line works fine (including the Since the @remy, I would like your opinion about that.
Version 2.0.0 of It is a major version update because it officially drops support for node 8, however it still appears to work with node 8, but you'll get an error when running For this PR you might also want to update the package.json to Node 8 workaround: Run yarn with
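The thread above turns on which copies of `semver` actually end up installed in a project's tree: nodemon's own dependency and the nested one that simple-update-notifier pulls in can resolve to different versions, and only the lockfile tells you which. The script below is an added example, not nodemon's or simple-update-notifier's code: it walks an npm lockfile (`lockfileVersion` 2 or 3, the `packages` map), lists every installed copy of a package together with the package that required it, and flags copies below a caller-supplied minimum version. The lockfile contents and the threshold are constructed sample data; the page does not state the affected `semver` range, so the threshold is a placeholder.

```javascript
// Added example (not nodemon's or simple-update-notifier's code): walk an npm
// lockfile (lockfileVersion 2/3 "packages" map), list every installed copy of a
// package, and flag copies below a minimum version. The minimum version is a
// caller-supplied placeholder; the page does not state the affected semver range.
// The lockfile below is constructed sample data, not nodemon's real lockfile.
const sampleLock = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { nodemon: "^2.0.0" } },
    "node_modules/nodemon": {
      version: "2.0.22",
      dependencies: { "simple-update-notifier": "^1.0.7", semver: "^5.7.1" },
    },
    // hoisted copy used by nodemon itself (constructed version)
    "node_modules/semver": { version: "5.7.2" },
    "node_modules/simple-update-notifier": {
      version: "1.1.0",
      dependencies: { semver: "~7.0.0" },
    },
    // nested copy pulled in by simple-update-notifier's own range (constructed)
    "node_modules/simple-update-notifier/node_modules/semver": { version: "7.0.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, with the package whose node_modules it lives in.
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      // "" means the copy is hoisted to the project root
      requiredBy: p.slice(0, p.length - suffix.length).replace(/\/$/, ""),
    }));
}

// Paths of installed copies whose version is strictly below minVersion.
function flagBelow(lock, name, minVersion) {
  return findCopies(lock, name)
    .filter((c) => compareVersions(c.version, minVersion) < 0)
    .map((c) => c.path);
}

// Stand-alone run over the constructed lockfile with a placeholder threshold.
for (const copy of findCopies(sampleLock, "semver")) {
  console.log(`${copy.path} -> ${copy.version} (required by: ${copy.requiredBy || "project root"})`);
}
for (const p of flagBelow(sampleLock, "semver", "7.1.0")) {
  console.log(`below threshold: ${p}`);
}
```

Bumping the top-level `semver` range in package.json only moves the hoisted copy; the nested copy under `node_modules/simple-update-notifier/node_modules/` follows that package's own declared range, which is why the thread waits on a release of simple-update-notifier rather than patching nodemon alone.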
Thanks @Primexz 🚀
Can we get this merged and published?
I've merged this - along with some other changes at the same time. Tests are doing something weird, but I've validated them manually and I'm happy. The whole CI system is a little brittle (due to the way the tests need to constantly spawn processes), but if it releases you should see this in nodemon@3. The first major release in a long time (and hopefully the last, I really don't like breaking changes, but it absolutely makes sense to finally drop official support for node@8).
🎉 This PR is included in version 3.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀
fix some vulns