Feature: --age or --filterMeta #5597
Comments
|
We kind of already have something similar but only for subdependencies. See the |
|
Nice setting! But it doesn't cover the problem properly. |
|
I don't agree. Even if you remove the lockfile, your direct dependency will not be updated to the latest version because with this resolution mode, the range will be resolved to the lowest version. So And an update is a manual action, so you should do your own research when you do an update. We can probably print the age of the version in the output, when you run
|
|
But this way, we introduce a high friction to the update process which result to either a developer won't update the dependencies regularly or will update them to the latest because this is the easiest thing to do. |
|
Well, updating to the latest is the only good choice to make. It is very rare that bug fixes are ported back to previous versions. |
|
I think even if we add an age option, I would skip updates to packages that have younger versions. Updating to a new version that is not the latest one sounds like a bad idea because it may have a regression that was fixed in the newer version. |
@zkochan it may happen, but it isn't common. I'm way more afraid of packages that delete my whole computer or something. |
Describe the user story
As a developer, I want to update to the latest version that was published at least x days ago.
This gives security tools a chance to check these versions before we consume them.
A relevant issue from
npm-check-updates: raineorshine/npm-check-updates#833Describe the solution you'd like
Add
--ageor--filterMetaflag to thepnpm updatecommand.Describe the drawbacks of your solution
ageflag, we need to make sure we check against the correct field and make appropriate changes if the field changes in the future (low risk)Describe alternatives you've considered
The text was updated successfully, but these errors were encountered: