barronhagerman
left a comment
I don't think this will fix any of the open dependabot alerts. Also, was upgrading to Yarn 4 intended? It looks like #25 should fix all of the lodash vulnerabilities.
  linkType: hard

"lodash@npm:^4.17.15":
  version: 4.17.21
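Review bot: the lockfile entry above resolves `lodash@npm:^4.17.15` to 4.17.21, which is below the 4.18.0 that the linked dependabot alert (#28 on this repository) names as the earliest patched version, so this change does not clear that alert; the actual fix is the version bump tracked in #25, independent of the Yarn 4 migration.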
https://github.com/Banno/banno-plugin-framework-bridge/security/dependabot/28 says the earliest patched version is 4.18.0, and #25 is already open to do that.
You're right, #25 does look like it would fix it. I didn't see that linked from the dependabot alert: https://github.com/Banno/banno-plugin-framework-bridge/security/dependabot/16. I just saw that it pointed to closure-calculate-chunks as the reason for the dep. I'll get the other PRs merged.
The bump to yarn 4 was intentional. Is there a reason this should stay on yarn 1.x?
I wondered why it didn't link to all of the lodash alerts 🤷 I don't know of any reason to keep it at Yarn 1, but I just wanted to check because it wasn't mentioned in the PR body.
Closing as this only bumps the project to yarn 4; closure-calculate-chunks is already at the latest version.
bumps closure-calculate-chunks to fix dependabot warnings for lodash