Dependency update#4647
Conversation
|
npm audit report: |
There was a problem hiding this comment.
Let me reiterate my point from #4590 (comment):
Have you read through the changelogs of each update you are proposing carefully?
If not, this is basically just as careless as #4590
Just executing some command is not really a PR, that is just dumping work which needs fixing.
If you have a look at axios-ntlm, they ship their breaking changes in patch releases.
Note
This took me 3.5 hours to review.
Please submit smaller PRs in smaller, thematically linked PRs in the future.
Like this, it is really not managable
| "args-parser": "~1.3.0", | ||
| "axios": "~0.27.0", | ||
| "axios-ntlm": "1.3.0", | ||
| "axios": "~0.28.1", |
There was a problem hiding this comment.
Regarding 0.28.0
Have you looked at if
axios/axios#4624 + axios/axios#4718 make the output different and if this is better/worse
There was a problem hiding this comment.
Not looked, but better stack trace is always good
There was a problem hiding this comment.
It might not look good or require additional work to look decent.
Please have a look if they are displayed properly
| "axios": "~0.27.0", | ||
| "axios-ntlm": "1.3.0", | ||
| "axios": "~0.28.1", | ||
| "axios-ntlm": "1.3.1", |
There was a problem hiding this comment.
Includes Catbuttes/axios-ntlm#15 which bumps axios to 1.X.
This likely breaks something
=> change needs to be done in step with bumping axios once migration is possible.
| "axios-ntlm": "1.3.1", | |
| "axios-ntlm": "1.3.0", |
There was a problem hiding this comment.
axios-ntlm will use its own axios, and we will still use axios 0.X
There was a problem hiding this comment.
This would be still to risky given what this libary does. There might be breaking changes which happened and might make this incompatible:
This is a helper library for NTLM Authentication using the Axios HTTP library on Node. It attaches interceptors to an axios instance to authenticate using NTLM for any resources that offer it.
| "mqtt": "~4.3.7", | ||
| "liquidjs": "^10.10.2", | ||
| "mongodb": "~4.17.2", | ||
| "mqtt": "~4.3.8", |
There was a problem hiding this comment.
4.3.8 is neither documented in the changelog nor has an associated commit tag.
=> what are we migrating to here?
There was a problem hiding this comment.
That was not the point. I was asking what 4.3.8 is.
| "@babel/eslint-parser": "^7.24.1", | ||
| "@babel/preset-env": "^7.24.4", |
There was a problem hiding this comment.
For these dependencies is somewhat hard to audit what has changed in this bump.
How did you audit this?
There was a problem hiding this comment.
These dependencies had MINOR update ranges, so it is automatically downloaded. See: https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept
And we already had installed 7.23.7 in package-lock.json 4 months ago by @louislam in 8d847ab:

There was a problem hiding this comment.
So you are suggesting to just not search for breaking changes here?
Have you audited the changes?
| "qrcode": "~1.5.0", | ||
| "rollup-plugin-visualizer": "^5.6.0", | ||
| "qrcode": "~1.5.3", | ||
| "rollup-plugin-visualizer": "^5.12.0", |
There was a problem hiding this comment.
5.7 adds the emitFile (default: false) option.
We use this plugin to generate a file.
Have you checked that the file is still being generated?
There was a problem hiding this comment.
Have you checked that the file is still being generated?
Automatically bumping this in the package-lock might have been a mistake.
Yes. Only 2 packages were updated in my PR: |
Looking through the changelog is still an important part of updating. |



Tick the checkbox if you understand [x]:
Description
Fix vulnerabilities + update already installed versions in
package.json(ncu --target patch -u- see commit 1c0280f andncu --target semver -u7c07f97)Type of change
Checklist
Screenshots (if any)
Before
After