
feat: bump npm dependency ranges #8860

Merged
merged 3 commits into from Apr 7, 2024
Merged

Conversation

bradzacher
Member

PR Checklist

Overview

  • Update the dependencies to the max minors
  • Update stylelint to its latest major
  • Commit the yarn update interactive plugin
  • Add docs about doing manual dep bumps

@bradzacher bradzacher added the dependencies Issue about dependencies of the package label Apr 6, 2024
@typescript-eslint
Contributor

Thanks for the PR, @bradzacher!

typescript-eslint is a 100% community driven project, and we are incredibly grateful that you are contributing to that community.

The core maintainers work on this in their personal time, so please understand that it may not be possible for them to review your work immediately.

Thanks again!


🙏 Please, if you or your company is finding typescript-eslint valuable, help us sustain the project by sponsoring it transparently on https://opencollective.com/typescript-eslint.


netlify bot commented Apr 6, 2024

Deploy Preview for typescript-eslint ready!

Name Link
🔨 Latest commit 6e45568
🔍 Latest deploy log https://app.netlify.com/sites/typescript-eslint/deploys/661322c912e95e0008ce7cf9
😎 Deploy Preview https://deploy-preview-8860--typescript-eslint.netlify.app
Lighthouse
1 paths audited
Performance: 99 (🟢 up 8 from production)
Accessibility: 100 (no change from production)
Best Practices: 92 (no change from production)
SEO: 98 (no change from production)
PWA: 80 (no change from production)
View the detailed breakdown and full score reports


@bradzacher bradzacher changed the title chore(deps): bump deps to maximum minor ranges feat: bump npm dependency ranges Apr 6, 2024
@bradzacher bradzacher merged commit a6ab2cb into main Apr 7, 2024
58 of 59 checks passed
@bradzacher bradzacher deleted the bump-deps-minors-20240406 branch April 7, 2024 23:52
"semver": "^7.5.4",
"ts-api-utils": "^1.0.1"
"semver": "^7.6.0",
"ts-api-utils": "^1.3.0"
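Review bot: the ts-api-utils range moves from ^1.0.1 to ^1.3.0, which raises the install floor to a release the review comments below question (source for 1.3.0 not found on GitHub, an npm audit flag), and as a caret range it also admits any later 1.x, so the lockfile is what actually pins what gets installed; consider recording in the PR, or in the manual-bump docs this PR adds, how the resolved version was verified (the npm provenance attestation plus a content comparison of the published tarball against the tagged source) so future bumps repeat the same check.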

There's something weird about 1.3.0 of ts-api-utils. Source code of this version does not exist on GitHub.
Also npm flags it when executing npm audit (see JoshuaKGoldberg/ts-api-utils#403).
Given the recent events with the XZ Utils backdoor, I would advise pinning this dependency to the last known version (1.2.1) to avoid any risks.

Member Author


@JoshuaKGoldberg is a maintainer of this project so can respond

Member Author


Though looking at it - there is provenance data for v1.3.0
https://www.npmjs.com/package/ts-api-utils/v/1.3.0#provenance
So it's verified as being published by the github action.


@bradzacher And this is the linked GitHub Actions run: https://github.com/JoshuaKGoldberg/ts-api-utils/actions/runs/8214871649/job/22467737771.

This again looks a bit suspicious...

WARNING Unable to verify if user joshuakgoldberg is a collaborator for ts-api-utils.

Unsure about the rollback of pushing the tag below. But it looks a bit weird at least as well.

Member


I'm under the impression it was a transient npm issue, as mentioned in the ts-api-utils issue. I manually verified the code published matched what we expected from source. I'd encourage you to do the same if you're nervous about the release.
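The check the maintainer describes above (confirming that the published package content matches what was built from source) can be scripted. This is an added example, not code from the PR or the ts-api-utils project; it assumes you have already fetched the registry tarball with `npm pack` and built the same git tag locally, and it constructs its own sample tarball and build directory for the demo.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Assumed workflow (not from the PR): `npm pack ts-api-utils@<version>` yields
# ts-api-utils-<version>.tgz; build the same git tag from a clean clone, then
# diff file hashes. `npm audit signatures` checks the registry signature and
# provenance attestation; this script checks the shipped content itself.

def hash_dir(root):
    """Map relative path -> sha256 for every file under a build directory."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def hash_npm_tarball(tgz):
    """Same map for an npm tarball; npm nests every entry under 'package/'."""
    out = {}
    with tarfile.open(str(tgz), "r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if m.name.startswith("package/") else m.name
                out[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def compare(published, source):
    """Report files only in the tarball, only in the source build, or differing."""
    return {"only_in_tarball": sorted(set(published) - set(source)),
            "only_in_source": sorted(set(source) - set(published)),
            "changed": sorted(f for f in set(published) & set(source)
                              if published[f] != source[f])}

def demo():
    """Constructed sample: a tarball with one extra file and one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "build")
        (src / "lib").mkdir(parents=True)
        (src / "package.json").write_bytes(b'{"name":"pkg","version":"1.3.0"}')
        (src / "lib" / "index.js").write_bytes(b"module.exports = 1;\n")
        tgz = Path(tmp, "pkg-1.3.0.tgz")
        with tarfile.open(str(tgz), "w:gz") as tf:
            for name, data in [("package.json", b'{"name":"pkg","version":"1.3.0"}'),
                               ("lib/index.js", b"module.exports = 2;\n"),
                               ("lib/extra.js", b"// not present in source\n")]:
                info = tarfile.TarInfo("package/" + name)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        return compare(hash_npm_tarball(tgz), hash_dir(src))
```

An empty report from `compare` on the real tarball and build is the result the maintainer's manual check aims for; any entry under `only_in_tarball` or `changed` is what needs explaining before the range bump lands.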

Member


Oh, and this isn't the only package that had the same odd issue: nodemailer/nodemailer#1634

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 20, 2024