Contributor

@acjh acjh commented Dec 8, 2019

What is the purpose of this pull request? (put "X" next to an item, remove the rest)

• [ ] Documentation update
• [ ] Bug fix
• [ ] New feature
• [ ] Enhancement to an existing feature
• [x] Other, please explain: Dependency update

Part of #461
Follows #788
Follows #948

What is the rationale for this request?

Our dependencies are slowly getting outdated over time. Some of them are in need of upgrading due to security vulnerabilities reported by npm audit. Some already have major version releases — improvements and new bug(fix)s of course — that still appear to be compatible with MarkBind.

What changes did you make? (Give an overview)

Used npm 6.13.2 (current latest) to:

  1. upgrade vulnerable dependencies reported by npm audit.
    • first commit contains changes in package-lock.json only.
    • changes in package.json included in next two commits.
      • eslint-plugin-lodash: 5.1.0 → ^5.1.1^6.0.0
      • lodash: 4.17.11 → ^4.17.12 (^4.17.15)
  2. update 24/38 dependencies — 8 major versions, 16 minor/patch versions
  3. update 9/9 dev dependencies — 7 major versions, 2 minor versions

Provide some example code that this change will affect:

For devs:

- .map(page => Object.assign({ headings: page.headings }, page.frontMatter)),
+ .map(page => ({ headings: page.headings, ...page.frontMatter })),
- const combinedBases = Object.assign({}, childrenBase, foundBase);
+ const combinedBases = { ...childrenBase, ...foundBase };
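
Review bot: Both replacements change semantics slightly rather than style only: `Object.assign` writes to its target with ordinary assignment, while object spread defines own data properties, so a source object with an own `__proto__` key no longer changes the prototype of the resulting object. That is the safer behaviour, but the PR should say so rather than present it as a lint-driven rewrite. In the `.map(page => ...)` line, a `headings` key in `page.frontMatter` still overrides `page.headings`, as it did before; if front matter is not meant to do that, place `headings` after the spread. Object spread also requires Node.js 8.3 or later, so check it against the Node.js versions MarkBind supports.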

For users: none.

Is there anything you'd like reviewers to focus on?

Do the changes required due to eslint updates make sense?

Consider releasing this PR as its own minor version so that it may be easier to check if unintended changes for projects that use MarkBind occur due to other PRs or dependencies updated in this PR.

Testing instructions:

  • Check that npm i using npm 6.12.1 (packaged with Node.js LTS version 12.13.1) or higher doesn't modify package-lock.json.
  • Check the output diff on an existing project that uses MarkBind; steps detailed under "Testing instructions" in "Patch htmlparser2 instead of rely on MarkBind fork" (#948).

acjh added 3 commits December 8, 2019 16:19
package.json:
* eslint-plugin-lodash: 5.1.0 -> 5.1.1
* lodash: 4.17.11 -> 4.17.12

package-lock.json:
* eslint-utils: 1.3.1 -> 1.4.3
* handlebars: 4.1.2 -> 4.5.3
* js-yml: 3.13.0 -> 3.13.1
* lodash.merge: 4.6.0 -> 4.6.2
* mixin-deep: 1.3.1 -> 1.3.2
* set-value: 2.0.0 -> 2.0.1
* union-value: 1.0.0 -> 1.0.1
Member

@yamgent yamgent left a comment

Do the changes required due to eslint updates make sense?

The updates are pretty reasonable.

@yamgent yamgent added this to the v2.6.1 milestone Dec 9, 2019
@yamgent yamgent merged commit 66ac17a into MarkBind:master Dec 9, 2019