Conversation
I don't think we pin semver for any particular reason, so we can probably just switch it to caret. I'll check the history to confirm next week, to see if we pinned it on purpose at some point.
Seems good to me!
Also, I just looked through the history and it looks to me like it just got pinned mistakenly as part of #5309 and none of us noticed. I don't see any particular reason it got pinned. I'm OK with this being merged in its current form, but I agree it would be preferable for them to be unpinned.
For context, see discussion in DefinitelyTyped/DefinitelyTyped#61586
9cc3e72 to 5ae76e9
@haltman-at Got it, I unrestricted it in 5f91fce
d7e65c5 to 5f91fce
5f91fce to 1c79efe
Confirmed that pinning seems accidental. Thanks for making this change!
PR description

- semver to latest 7.5.4.
- @types/semver to latest 7.5.1.
- semver, to address ReDoS in transitive deps.
- @types/semver.

Note that this does not completely remove all dependencies on broken versions of semver. It's still being pulled in via nx and [ethereumjs-block, ethereumjs-vm] > merkle-patricia-tree > levelup@1.

Testing instructions

Documentation

doc-change-required label to this PR if documentation updates are required.

Breaking changes and new features

breaking-change and new-feature labels for the appropriate packages.