Update Dependencies #24

Merged
merged 12 commits into from
Apr 16, 2023

Conversation

barnardb
Contributor

I have a project that has a dependency on GrammKit, and the current exact-version requirements in package.json are problematic as they pin older dependency versions that now have known vulnerabilities.

This PR upgrades a number of dependencies, and changes all dependencies in package.json to caret "compatible with version"-style dependencies for the benefit of projects depending on GrammKit.

I left bootstrap-css-only at 3.3.7 instead of upgrading to 4.4.1, as this broke the styling visible in the browser when running npm run dev.

I upgraded ohm-js to 15.5.0 instead of 17.0.4, as version 16 introduced a breaking change that I didn't want to tackle in this PR.
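
An added example, not part of this PR or of GrammKit's code: a minimal matcher for npm's caret ranges, showing which versions an exact pin and a caret range admit, using the package versions mentioned in this comment. The 15.5.1 and 0.x versions are hypothetical, and the matcher assumes plain x.y.z versions only.

```javascript
// Added illustration: minimal caret-range matcher following npm's documented
// semver rules for plain x.y.z versions (no prerelease tags or build metadata).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// ^x.y.z admits changes that leave the left-most non-zero component untouched.
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function satisfies(version, spec) {
  const v = parse(version);
  if (!spec.startsWith("^")) return cmp(v, parse(spec)) === 0; // exact pin
  const low = parse(spec.slice(1));
  return cmp(v, low) >= 0 && cmp(v, caretUpperBound(low)) < 0;
}

// List dependencies declared as an exact version, which never pick up a fix on install.
function exactPins(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, spec]) => /^\d+\.\d+\.\d+$/.test(spec))
    .map(([name]) => name);
}

// Constructed manifest mixing one caret range and one exact pin.
const samplePkg = {
  dependencies: { "ohm-js": "^15.5.0", "bootstrap-css-only": "3.3.7" },
};

console.log(exactPins(samplePkg));           // [ 'bootstrap-css-only' ]
console.log(satisfies("15.5.1", "15.5.0"));  // false: a pin rejects a later patch (hypothetical 15.5.1)
console.log(satisfies("15.5.1", "^15.5.0")); // true: the caret range accepts it
console.log(satisfies("17.0.4", "^15.5.0")); // false: the next major stays excluded
console.log(satisfies("0.3.0", "^0.2.3"));   // false: for 0.x the minor acts as the breaking boundary
```

A lockfile in the consuming project still fixes the resolved version until it is regenerated or updated, so a caret range only widens what an install or update is allowed to select.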

barnardb added 12 commits April 16, 2023 15:15
See reactwg/react-18#5

This resolves the warning about the legacy API that was displayed
in the browser console following the upgrade to react 18.
Ohm 17.0.4 is available, but version 16 included a breaking change
that I don't want to handle right now:
https://ohmjs.org/docs/releases/ohm-js-16.0#default-semantic-actions
If there are ever bugfix/security updates to these dependencies,
this will allow users to pull them in automatically.
It looks like the changes from the dundalek fork have made it into
the original jtenner plugin.
barnardb added a commit to softwaretechnik-berlin/flexivis that referenced this pull request Apr 16, 2023
@dundalek
Owner

Thanks!
It looks like the upgrade also broke the CLI, e.g. ./cli.js examples/sparql.ebnf. But it seems that downgrading commander makes it work again, and it does not report vulns.
I will merge the PR, downgrade commander and bump a release.

dundalek merged commit a567279 into dundalek:master Apr 16, 2023
@dundalek
Owner

Published 0.7.2
