Some commitlint subpackages use "exact" dependency versions, i.e. those of the form "chalk": "3.0.0", instead of the "caret" form, which allows upgrading to any version within the same major that is compatible under semver, the pervasive versioning system in Node. This is bad for several reasons:
It causes unnecessary downloads when users have some other packages that depend on a newer, compatible version
It complicates security upgrades: several references to lodash are still locked at an exact resolution to a version vulnerable to prototype pollution, whereas a caret notation would allow the package manager to take a newer one on install
It makes other upgrades harder too: because of the exact nature of these definitions, a "dependency bot" is required to continuously bump the version spec so that people will use them, even when commitlint is using none of the new features.
Affected packages
cli
core
prompt
config-angular
Possible Solution
Replace all semver dependency versions with one starting with a caret ^.
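To make the difference concrete, here is an added example (not part of the issue above and not commitlint's own code or the npm `semver` package) that implements the two spec forms under discussion, an exact pin and a caret range, and audits a constructed `dependencies` object to show which entries would pick up a hypothetical patched release on install. The package names other than chalk and lodash, and every version number, are constructed for illustration and say nothing about which real releases are affected. It also covers the zero-major caveat of caret ranges, which the issue does not mention: `^0.2.3` does not float to `0.3.0`.

```javascript
// Minimal semver-range checker: exact pins ("3.0.0") versus caret ranges ("^3.0.0").
// Illustrative code for this discussion only; it supports plain x.y.z versions and
// these two spec forms, not prerelease tags, tildes, hyphen ranges or "||".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Caret semantics (npm semver spec): allow changes that do not modify the
// left-most non-zero component.
//   ^3.0.0 -> >=3.0.0 <4.0.0
//   ^0.2.3 -> >=0.2.3 <0.3.0   (minor bumps are NOT accepted on 0.x)
//   ^0.0.3 -> >=0.0.3 <0.0.4
function caretUpperBound(v) {
  if (v.major > 0) return { major: v.major + 1, minor: 0, patch: 0 };
  if (v.minor > 0) return { major: 0, minor: v.minor + 1, patch: 0 };
  return { major: 0, minor: 0, patch: v.patch + 1 };
}

const EXACT_PIN = /^\d+\.\d+\.\d+$/;

// Does `candidate` fall inside the range described by `spec`?
function satisfies(candidate, spec) {
  const c = parseVersion(candidate);
  if (spec.startsWith("^")) {
    const lo = parseVersion(spec.slice(1));
    return compare(c, lo) >= 0 && compare(c, caretUpperBound(lo)) < 0;
  }
  if (EXACT_PIN.test(spec)) return compare(c, parseVersion(spec)) === 0;
  throw new Error(`unsupported spec: ${spec}`);
}

// Audit a package.json `dependencies` object: flag exact pins and report whether a
// hypothetical patched release (`patched[name]`) would be accepted by each spec.
function auditDependencies(deps, patched) {
  const report = {};
  for (const [name, spec] of Object.entries(deps)) {
    const fix = patched[name];
    report[name] = {
      spec,
      exactPin: EXACT_PIN.test(spec),
      acceptsFix: fix === undefined ? null : satisfies(fix, spec),
    };
  }
  return report;
}

// Constructed sample input (names/versions are illustrative, not real advisories).
const sampleDeps = {
  chalk: "3.0.0",              // exact pin, as in the issue
  lodash: "4.17.11",           // exact pin (constructed version number)
  "example-cli-parser": "^15.0.0",
  "example-zero-major": "^0.2.3",
};
const hypotheticalFixes = {
  chalk: "3.0.1",
  lodash: "4.17.21",
  "example-cli-parser": "15.4.1",
  "example-zero-major": "0.3.0",
};

function exactPinsBlockingFixes() {
  const report = auditDependencies(sampleDeps, hypotheticalFixes);
  return Object.entries(report)
    .filter(([, r]) => r.exactPin && r.acceptsFix === false)
    .map(([name]) => name);
}

console.log(auditDependencies(sampleDeps, hypotheticalFixes));
console.log("exact pins blocking a fix:", exactPinsBlockingFixes());
```

Running this shows the two exact pins rejecting their patch releases while the `^15.0.0` range accepts `15.4.1`; the `^0.2.3` entry also rejects `0.3.0`, which is why a caret alone is not enough for 0.x dependencies and a dependency bot still has a job there.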