Mismatched dependency versions #5943
Comments
Do you want to create a PR for this @NewEraCracker? :)
I created a PR for the
There is another one that should be urgently looked at by the maintainers: This is a new version; it is important to update: https://github.com/pillarjs/encodeurl/releases/tag/v2.0.0 Express is on latest, but Edit: This also affects The workaround for now is (and it may not be possible for everyone if other dependencies use a completely different version):
My two cents.
For the serve static and send part: #5951
For qs: #5946 We are already on I think that means we can close this?
Oh! https://github.com/expressjs/serve-static/blob/1.x/package.json#L9C6-L9C15 Sorry, I should have seen this. I just bumped that lib with only the send update, I guess we will do another patch.
And finalhandler: pillarjs/finalhandler#62 and the PR into express: #5954
Is there a reason that Express pins dependencies like this? I could maybe see the argument to pin third-party packages (though I'd say this is far more uncommon than not in the JS ecosystem), but it's not clear to me why dependencies from the
We are removing these pins in v5. This is historical from when the ecosystem was MUCH more volatile and the entire project was primarily maintained by one person. It made more sense then, it makes less sense now. EDIT: You can see we use
Prepping this release: https://github.com/expressjs/express/compare/4.20.0..4.x
send@0.19.0 depends on: I'll continue forcing it on my overrides to work around:
Does it make sense to introduce patch updates for packages in v4 in that case? It's a simple change which could simplify the fix on the project level at least a bit more.
We can't predict when it will happen again. v5 adoption will take some time and I would prefer to stay on v4 for now. It can be limited to the packages that you have already changed. So you can avoid adding it blindly to every package.
We are working on those patches. But with the time commitment this week from the release I needed to spend some time on my actual job today. v4 is absolutely still the main line version of express and is fully supported. We will be publishing more docs soon about it, just please be patient with us. :) EDIT: been a long day, I am re-reading your post and thinking maybe now you are asking if we should move to
I propose:
Please see:
ec4a01b#commitcomment-146499333
4c9ddc1#commitcomment-146501448
So, bump where applicable the following two packages:
My two cents.
Related:
Linking more related issues:
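
The thread concerns one package ending up in the install tree at different versions because of pinned dependencies. As an added example (not code from the thread or from the Express project), this Node.js script lists every package that a `package-lock.json` resolves at more than one version; the lockfile contents, the `example-middleware` package and the older `encodeurl` version are constructed sample data.

```javascript
// Added example: report packages that a lockfile (lockfileVersion 2 or 3)
// resolves at more than one version. The lockfile below is constructed.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.20.0" },
    "node_modules/encodeurl": { version: "2.0.0" },
    "node_modules/send": { version: "0.19.0" },
    // Hypothetical parent that pins its own, older copy (constructed version).
    "node_modules/example-middleware": { version: "1.4.0" },
    "node_modules/example-middleware/node_modules/encodeurl": { version: "1.0.2" },
    "node_modules/@scope/pkg": { version: "3.1.0" },
  },
};

// The package name is whatever follows the last "node_modules/" in the key,
// which also handles nested copies and scoped names such as "@scope/pkg".
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Returns { name: [{ version, path }, ...] } for names with >1 distinct version.
function findMismatches(lock) {
  const seen = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    // Skip the root project entry, entries without a version, and workspace links.
    if (!name || !meta.version || meta.link) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push({ version: meta.version, path });
  }
  const result = {};
  for (const [name, copies] of seen) {
    if (new Set(copies.map((c) => c.version)).size > 1) result[name] = copies;
  }
  return result;
}

console.log(JSON.stringify(findMismatches(sampleLock), null, 2));
```

To check a real project, replace `sampleLock` with the parsed contents of its `package-lock.json`; the `path` of each copy shows which parent pulled in the differing version.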