Do not fix the deps version #11
Comments
We use renovate bot to keep the dependencies up to date, and the fixed version is controlled by the bot: theme-next/next-util#2
I appreciate your answer, but your answer DOES NOT HELP AT ALL. Your answer makes me have new questions:
I just had a careful look at the two orgs. Are they actually the same? The utils repo seems to be the same. Why should a project be posted in different repos in different orgs, with different package names, while not published in sync and with nothing mentioned in the readme?
Try digging out the answers on your own. next-theme/hexo-theme-next#4.
This answer is not even in this repo. I DO NOT think I should open every repo under the 2 orgs and have a look at every issue and discussion. I searched this repo, and I think this should be fine. And:
I appreciate your help and answer, but it's still not helping with this issue. The lodash security problem is still not yet fixed. Both of you are answering something related and do give some help explaining the issue, but no help with fixing it. This package is in my toolchain, which means I do not care how this issue happens; I only care about when this issue can be fixed. I am opening this issue politely and provided the necessary information, but I am still being bothered for 2 months and receiving some unhelpful replies. That's disappointing. (I know this is open source, but at least we should all agree it's not good to behave like this.)
I do not think this fix is hard, just call someone and publish
theme-next/next-util isn't having any activity. Moreover, @theme-next hasn't got any commits for more than 1 year.
If "the team" means @next-theme, then we can. But I don't think there's a need to update every repo's readme, as one should know which to use by a simple look at the repos' recent commits.
Where did you find the old repo getting newer versions? Only by the version number?
You just asked "Are they" and "Why" in your last reply. Then my last reply links to the answer. For the "when" problem, no one knows. Few of us would like to ask for an ETA. You know this is open source, so if there's anything making you disappointed, you always have a choice to publish your own npm package. We are not forcing you to use this.
Fine, do anything you like. I will swallow my aggressive words. But do you actually think the first reply is helpful?
What's the link for? What does he want to express?
Is it true?
Joking. Do you leave the security issues in your work projects? ETA for security should be definitely as soon as possible. I have a few open source projects like waline and vuepress-theme-hope. Both of them have hundreds of stars. I will surely blame myself if I am posting some wrong answers which are not helpful in my repo issues. And I will also blame myself if I am not helping and wasting others' time when I could. Also, I will surely fix any security problems as soon as possible. Anyway, F word.
It's almost impossible for a library like lodash to make breaking changes in minor or patch versions, so why are you guys fixing the version?
If you set the version using `^`, then we can fix the security problems by upgrading the deps tree instead of waiting for you to publish new versions and bearing the security alert every day.
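
The range behaviour this issue argues about, as an added example (not part of the thread and not the project's code): a minimal checker for exact pins and npm-style caret ranges, showing which one lets a consumer's install pick up a patched release. The version numbers and the "first fixed" release are constructed for illustration; no real advisory data is used.

```javascript
// Added example. All version numbers below are constructed, not taken from the issue.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Supports only exact pins ("1.2.3") and caret ranges ("^1.2.3").
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith("^")) return compare(v, parse(range)) === 0;
  const low = parse(range.slice(1));
  // npm caret rule: the upper bound bumps the left-most non-zero component.
  const i = low.findIndex((n) => n !== 0);
  const idx = i === -1 ? 2 : i;
  const high = low.map((n, k) => (k < idx ? n : k === idx ? n + 1 : 0));
  return compare(v, low) >= 0 && compare(v, high) < 0;
}

// Highest published version that an install may resolve to for this range.
function bestMatch(published, range) {
  const ok = published.filter((p) => satisfies(p, range));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry state: 4.17.20 stands in for the release carrying the fix.
const published = ["4.17.15", "4.17.19", "4.17.20", "5.0.0"];
const firstFixed = "4.17.20";

// True when a consumer can reach the fixed release without a new upstream publish.
function canConsumerPatch(range) {
  const best = bestMatch(published, range);
  return best !== null && compare(parse(best), parse(firstFixed)) >= 0;
}

console.log("pin   4.17.15 ->", bestMatch(published, "4.17.15"), canConsumerPatch("4.17.15"));
console.log("caret ^4.17.15 ->", bestMatch(published, "^4.17.15"), canConsumerPatch("^4.17.15"));
```

With the exact pin, the consumer-side remedy is to force the version, for example through npm's `overrides` field in the consuming project's package.json, until the upstream package publishes a release with the updated dependency.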