
deps: upgrade+update #5955

Closed
wants to merge 1 commit into from

Conversation

@paul-marechal paul-marechal commented Aug 15, 2019

What it does

Upgrade most of our dependencies, and bump some of them in order to bring yarn audit from 16k issues down to 0.

This is roughly equivalent to deleting yarn.lock and generating a fresh one. To whoever is concerned by this: clients were never dependent on our lock file; they always pull the most recent versions based on their own version ranges and their own lock files.

Most conflicts were typing issues, and some vulnerabilities required me to bump some dependencies.

The good thing is that thanks to this, we'll keep developing with up-to-date dependencies, and we can affirm that according to yarn audit, the framework isn't distributed with widely-spread vulnerabilities.

Fixes #5952

How to test

yarn audit should report 0 issues.
yarn build and yarn test should both complete successfully.
@theia/example-* applications should still run.

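A CI-style gate for the "yarn audit should report 0 issues" step, added here as an example; it is not code from this PR or from the Theia repository. It parses the `auditSummary` line that `yarn audit --json` (yarn v1) prints last, whose per-severity counts are assumed to have the shape of the constructed sample below, and fails when any advisory at or above a chosen severity remains. (yarn's own exit status is a bitmask of the severities found, so piping the JSON through a gate like this gives an explicit threshold instead of relying on that mask.)

```shell
#!/bin/sh
# Constructed sample of `yarn audit --json` output (yarn v1): one JSON object per
# line, advisories first, then a single "auditSummary" line with counts per severity.
# Not real audit output; the shape is an assumption based on yarn v1 behaviour.
SAMPLE_AUDIT='{"type":"auditAdvisory","data":{"resolution":{"id":1,"path":"a>b"},"advisory":{"severity":"low"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":2,"path":"a>c"},"advisory":{"severity":"moderate"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":0,"critical":0},"dependencies":1200,"devDependencies":0,"optionalDependencies":0,"totalDependencies":1200}}'

# count_vulns <severity>: reads audit JSON on stdin and prints the summary count
# for that one severity (empty if no summary line is present).
count_vulns() {
  grep '"type":"auditSummary"' | sed -n "s/.*\"$1\":\([0-9][0-9]*\).*/\1/p"
}

# vulns_at_or_above <min-severity>: reads audit JSON on stdin and prints the total
# number of advisories whose severity is <min-severity> or worse.
vulns_at_or_above() {
  json=$(cat)
  total=0
  include=0
  for sev in info low moderate high critical; do
    [ "$sev" = "$1" ] && include=1
    [ "$include" -eq 1 ] || continue
    n=$(printf '%s\n' "$json" | count_vulns "$sev")
    total=$((total + ${n:-0}))
  done
  echo "$total"
}

# audit_gate <min-severity>: exit 0 only when nothing at or above <min-severity>
# was reported, so a CI job can fail the build otherwise.
audit_gate() {
  remaining=$(vulns_at_or_above "$1")
  echo "advisories at or above $1: $remaining" >&2
  [ "$remaining" -eq 0 ]
}

# Typical use in CI (yarn not invoked here so the sample runs offline):
#   yarn audit --json | audit_gate moderate
```
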

@paul-marechal paul-marechal requested a review from a team as a code owner August 15, 2019 20:37
@akosyakov

Please wait with it till #5901 is merged. It will change our dependencies.

@akosyakov akosyakov added the dependencies pull requests that update a dependency file label Aug 16, 2019
`yarn audit` reports 16k issues with our packages. This commit brings it
down to zero. We should keep running `yarn upgrade` in the future, in
order to develop against the same dependencies as our clients.

Since `sinon` was bumped, some old behaviour seems to have changed.
Fixed the parts of the tests where the failures occurred.

Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
@akosyakov

@marechal-p It would be fine now to update the yarn lock file.


paul-marechal commented Sep 13, 2019

@akosyakov thanks for the reminder. I tried rebasing, but for some reason I got to a point where I would have a build error due to some typing, but in the IDE types would be correct (no error). I will see if I can get back to it later.

@paul-marechal

Closing in favor of #6255

@paul-marechal paul-marechal deleted the mp/yarn-audit branch February 6, 2020 16:09