jsumners left a comment:
The caret range qualifier covers this.
It allows updating, but it won't force it if an old version is already locked. I just went back and reinstalled this everywhere we use this package to update the versions in our lockfiles as you are suggesting is possible, but I thought it might be best to explicitly issue a new version that will force these updates for consumers given this version patches a critical vulnerability.
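The disagreement above is about how a caret range behaves against an existing lockfile. The following is an added example (not code from this PR or from the project it belongs to) that models that interaction: npm keeps a locked version as long as it still satisfies the declared range and only re-resolves when it does not, so `^6.0.0` leaves an older locked 6.x in place while `^6.2.0` forces it forward. The range `^6.0.0` and the locked version `6.1.0` are constructed for the scenario; only `6.2.0` comes from the PR. All function names are illustrative, and the caret logic covers plain `MAJOR.MINOR.PATCH` versions at major 1 or above only.

```javascript
// Added example, not code from this PR or the project it belongs to.
// Models how a caret range interacts with a lockfile entry.
// Assumptions: plain MAJOR.MINOR.PATCH versions (no prerelease/build tags)
// and caret ranges on versions >= 1.0.0 only. All names are illustrative.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1, like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: "^X.Y.Z" means >= X.Y.Z and < (X+1).0.0.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const min = range.slice(1);
  if (parseVersion(min)[0] < 1) throw new Error(`caret on 0.x not modelled: ${range}`);
  return compareVersions(version, min) >= 0 && parseVersion(version)[0] === parseVersion(min)[0];
}

// What an ordinary install does with a lockfile entry: the locked version is kept
// while it still satisfies the declared range, and re-resolved only when it does not.
// patchedVersion is the first release that contains the fix.
function lockfileOutcome(declaredRange, lockedVersion, patchedVersion) {
  const lockSatisfiesRange = satisfiesCaret(declaredRange, lockedVersion);
  const lockIsPatched = compareVersions(lockedVersion, patchedVersion) >= 0;
  return {
    installKeepsLockedVersion: lockSatisfiesRange,
    consumerStaysVulnerable: lockSatisfiesRange && !lockIsPatched,
  };
}

// Constructed scenario: the fix ships in fast-jwt 6.2.0 (the version named in
// this PR); the consumer's lockfile pins a constructed older release, 6.1.0.
function demo() {
  return {
    before: lockfileOutcome('^6.0.0', '6.1.0', '6.2.0'), // assumed range before the bump
    after: lockfileOutcome('^6.2.0', '6.1.0', '6.2.0'),  // range after this PR's bump
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and `before.consumerStaysVulnerable` comes out `true` while `after.installKeepsLockedVersion` comes out `false`: the wider range never invalidates the stale lock entry, the bumped minimum does. The bumped range only reaches consumers once they pick up a release of the dependent package that carries it, which is why the comment above asks for a new version.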
I agree with @kuritz on this; it's more reliable this way.
Feel free to close it; just trying to help in case other consumers don't get CVE alerts and know how to update transitive deps.
We typically do not merge such updates. It causes way more churn than affected users simply updating their dependencies. It's literally a useless application of time.
@jsumners can't be too prudent with security updates.
@kibertoad maybe. You're not going to like my current thinking on such things 🤣 https://bsky.app/profile/james.sumners.info/post/3miygkad2ec2n
@jsumners there are some good points in that post; I don't see a contradiction. Here the process worked as intended; the community put in the effort.
Sets minimum version of fast-jwt to 6.2.0. Closes: #401
Checklist
npm run test && npm run benchmark --if-present and the Code of conduct