chore: bump json5 and minimist #11276

Merged
merged 2 commits into from Mar 18, 2020


@JLHwung JLHwung commented Mar 18, 2020

| Q | A |
| --- | --- |
| Fixed Issues? | Resolves #11274 |
| Any Dependency Changes? | json5 is bumped |
| License | MIT |

@JLHwung JLHwung added PR: Internal 🏠 A type of pull request used for our changelog categories PR: Dependency ⬆️ labels Mar 18, 2020
@@ -7350,11 +7345,11 @@ mkdirp-promise@^5.0.1:
mkdirp "*"

mkdirp@*, mkdirp@^0.5.0, mkdirp@^0.5.1:
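
Review bot: The entry header `mkdirp@*, mkdirp@^0.5.0, mkdirp@^0.5.1:` folds the wildcard requested by `mkdirp-promise@^5.0.1` (`mkdirp "*"`) into the 0.5.x entry, but that grouping lives only in yarn.lock and is not backed by a working `resolutions` entry, so a regenerated lockfile can resolve `mkdirp@*` on its own again. Suggest recording the manual edit somewhere durable (the PR description or the contributing notes) and re-checking this entry whenever yarn.lock is rebuilt.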
JLHwung (Contributor, Author) commented:

ATTENTION: I have manually touched yarn.lock and resolved mkdirp@* to mkdirp@0.5.3 because of ahmadnassri/mkdirp-promise#88.

And likely because of https://classic.yarnpkg.com/en/docs/selective-version-resolutions#toc-limitations-Caveats, adding resolutions: "mkdirp-promise/**/mkdirp": "^0.5.3" to package.json does not work on my local builds.

🤯


JLHwung commented Mar 18, 2020

The unpatched minimist still exists in our devDependencies because of handlebars > optimist > minimist. optimist has long been unmaintained, and handlebars@5.alpha has replaced optimist with yargs. Before handlebars@5 is published, we have to live with that.

3 vulnerabilities come from the handlebars > optimist > minimist dependency chain.
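
To confirm from the lockfile which chains still pull in a transitive package such as minimist, and which ranges share one resolved entry, a small yarn.lock v1 walker is enough. This is an added example, not code from the pull request or from Babel; `parseLock`, `chainsTo` and the sample lockfile are hypothetical, and every version in the sample except mkdirp 0.5.3 is a constructed placeholder.

```javascript
// Constructed yarn.lock v1 fragment: only the mkdirp lines and 0.5.3 appear in the thread; the rest are placeholders.
const SAMPLE_LOCK = `
handlebars@^4.0.0:
  version "4.0.0-sample"
  dependencies:
    optimist "^0.6.0"
optimist@^0.6.0:
  version "0.6.0-sample"
  dependencies:
    minimist "~0.0.1"
minimist@~0.0.1:
  version "0.0.0-sample"
mkdirp-promise@^5.0.1:
  version "5.0.1-sample"
  dependencies:
    mkdirp "*"
"mkdirp@*", mkdirp@^0.5.0, mkdirp@^0.5.1:
  version "0.5.3"
`;

// Map each "name@range" pattern to its resolved entry; patterns on one header share an entry.
function parseLock(text) {
  const entries = new Map();
  let entry, inDeps = false;
  for (const line of text.split("\n")) {
    const t = line.trim().replace(/"/g, "");
    if (!t || t.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const pats = t.replace(/:$/, "").split(",").map((s) => s.trim());
      entry = { name: pats[0].slice(0, pats[0].lastIndexOf("@")), version: "", deps: [] };
      pats.forEach((p) => entries.set(p, entry));
    } else if (inDeps && line.startsWith("    ")) {
      const [name, ...range] = t.split(/\s+/);
      entry.deps.push(`${name}@${range.join(" ")}`);
    } else if (t.startsWith("version ")) entry.version = t.slice(8);
    inDeps = line.startsWith("    ") ? inDeps : /^(optionalD|d)ependencies:$/.test(t);
  }
  return entries;
}

// Depth-first walk from one root pattern; returns every chain that reaches targetName.
function chainsTo(entries, root, targetName, names = [], found = []) {
  const e = entries.get(root);
  if (!e || names.includes(e.name)) return found; // unresolved pattern or cycle
  const chain = [...names, e.name];
  if (e.name === targetName) found.push({ chain: chain.join(" > "), version: e.version });
  else e.deps.forEach((d) => chainsTo(entries, d, targetName, chain, found));
  return found;
}
```

Run `chainsTo` once per direct dependency listed in package.json and compare each returned `version` against the release that carries the fix.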

@nicolo-ribaudo nicolo-ribaudo merged commit 48d53f8 into babel:master Mar 18, 2020
@github-actions github-actions bot added the outdated A closed issue/PR that is archived due to age. Recommended to make a new issue label Jun 18, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 18, 2020
Successfully merging this pull request may close these issues.

@babel/core: Upgrade json5 to 2.1.2