
[security] Bump lodash.mergewith from 4.6.1 to 4.6.2 #5700

Merged
merged 1 commit into from
Jul 15, 2019

Conversation

marcdumais-work
Contributor

@marcdumais-work marcdumais-work commented Jul 12, 2019

see: https://github.com/lodash/lodash/issues/4348

Note: at first I thought I would attempt to also cover the update of lodash.template in this PR, but:

  • this is only a dev-dependency, that's not used in production, so somewhat less of a concern
  • going down the rabbit hole, we would have to update to lerna: 3.x, which is a big change, that I do not have time to tackle ATM

I'll post a separate draft PR for lodash.template
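The lodash issue linked above reports prototype pollution: a deep merge that walks into a `__proto__` key ends up writing attacker-supplied properties onto `Object.prototype`. The block below is an added example, not code from this PR, from Theia or from lodash. It uses a toy recursive merge written for illustration (`naiveMerge`, `safeMerge`, `demonstrate` and `PAYLOAD` are all hypothetical names introduced here) to show the bug class and the usual hardening, so that a reader can see what a "[security]" bump of a merge helper is protecting against.

```javascript
// Added example, not code from this PR, from Theia or from lodash: a toy
// recursive merge in the style of a deep `merge`/`mergeWith`, first in the
// naive form that is open to prototype pollution, then hardened.
// `PAYLOAD` is constructed here as sample attacker-controlled input.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Naive deep merge: recurses into every key of `source`, "__proto__" included.
// Reading target["__proto__"] yields Object.prototype, so the recursion then
// writes the payload's properties onto the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: refuses the keys that reach the prototype chain and
// only recurses into plain objects the target owns itself, never inherited ones.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: a JSON body an attacker could send to an endpoint
// that deep-merges request data into a config object. JSON.parse creates an
// own property literally named "__proto__", which Object.keys() enumerates.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}, "debug": true}');

// Runs one merge implementation against PAYLOAD and reports what an unrelated,
// freshly created object sees afterwards. Cleans Object.prototype again so the
// demonstration is repeatable within one process.
function demonstrate(mergeFn) {
  const config = mergeFn({ debug: false }, PAYLOAD);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { debug: config.debug, leaked };
}

console.log('naive :', demonstrate(naiveMerge)); // { debug: true, leaked: 'yes' }
console.log('safe  :', demonstrate(safeMerge));  // { debug: true, leaked: undefined }
```

Both merges apply the legitimate `debug` key; only the naive one lets `polluted` escape onto every object in the process. The same probe (merge a `__proto__` payload, then read a property off a fresh `{}`) is a quick way to confirm that a bumped merge dependency actually closes the hole in the installed tree.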

@marcdumais-work
Contributor Author

Note: this is a minor production dependency update, for which we usually do not need to do anything special, IP-wise. I have still confirmed that the new version looks good, license-wise, by checking their GH repo.

Member

@vince-fugnitto vince-fugnitto left a comment


It looks good to me; the CI passes and it's a micro version update (bug fix).
Also, it looks like the deprecated @theia/extension-manager is the one pulling it through the sanitize-html dependency.

Member

@akosyakov akosyakov left a comment


ok, since it is not a runtime dependency

@marcdumais-work
Contributor Author

> ok, since it is not a runtime dependency

@akosyakov actually this one is technically a runtime dependency, though as noted by @vince-fugnitto it's pulled from the extension manager, which is deprecated. Does that change your approval of this PR?

@akosyakov
Member

no, the extension manager should not be used by anyone

@marcdumais-work marcdumais-work merged commit 1ef5e13 into master Jul 15, 2019
@marcdumais-work marcdumais-work deleted the lodash.mergewith branch July 15, 2019 13:50