
Do not fix the deps version #11

Closed
Mister-Hope opened this issue May 26, 2021 · 8 comments

Comments

@Mister-Hope

Mister-Hope commented May 26, 2021

It's almost impossible for a library like lodash to make breaking changes in minor or patch versions, so why are you guys fixing the version?

If you set the version using ^ then we can fix the security problems by upgrading the deps tree instead of waiting for you to publish new versions and bearing the security alert every day.
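The point above, as an added example that is not part of the issue thread: a minimal caret-range resolver showing why an exact pin keeps a consumer on the vulnerable transitive version while a `^` range lets a dependency-tree upgrade pull in the patched one. The version numbers and registry list are constructed samples, not the real lodash release history.

```javascript
// Added example, not code from the next-utils project. Implements just the
// semver subset needed here: exact pins ("4.17.15") and caret ranges ("^4.17.15").

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `candidate` satisfies `range`. A caret range never goes below its
// base and locks the leftmost non-zero component (npm caret semantics).
function satisfies(range, candidate) {
  const c = parseVersion(candidate);
  if (!range.startsWith('^')) return compare(parseVersion(range), c) === 0;
  const base = parseVersion(range.slice(1));
  if (compare(c, base) < 0) return false;
  if (base[0] > 0) return c[0] === base[0];
  if (base[1] > 0) return c[0] === 0 && c[1] === base[1];
  return c[0] === 0 && c[1] === 0 && c[2] === base[2];
}

// Newest registry version an upgrade could resolve to under `range`, or null.
function bestResolvable(range, available) {
  const ok = available.filter((v) => satisfies(range, v));
  if (ok.length === 0) return null;
  return ok.map(parseVersion).sort(compare).pop().join('.');
}

// Constructed scenario: the registry offers a patched 4.17.21 above the
// version the library pinned. Only the caret declaration can reach it.
const AVAILABLE = ['4.17.15', '4.17.19', '4.17.21'];
const PATCHED = '4.17.21';

function pinnedBlocksFix() {
  return bestResolvable('4.17.15', AVAILABLE) !== PATCHED; // true: stuck on the pin
}

function caretAllowsFix() {
  return bestResolvable('^4.17.15', AVAILABLE) === PATCHED; // true: upgrade resolves the fix
}

console.log({ pinned: bestResolvable('4.17.15', AVAILABLE), caret: bestResolvable('^4.17.15', AVAILABLE) });
```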

@stevenjoezhang
Member

We use renovate bot to keep the dependencies up to date, and the fixed version is controlled by the bot: theme-next/next-util#2
lodash is removed in the latest version of @next-theme/utils.

@Mister-Hope
Author

Mister-Hope commented Jul 13, 2021

> We use renovate bot to keep the dependencies up to date, and the fixed version is controlled by the bot: theme-next/next-util#2

I appreciate your answer, but your answer DOES NOT HELP AT ALL. Your answer makes me have new questions:

  1. Since there is a new repo under theme-next/next-util, is this repo deprecated and should we use next-util? If so, why don't you mention it in the readme, archive this repo or mark the package deprecated on npm? Any of these three would help, but you did nothing.

    Also I see you are still maintaining this project.

> lodash is removed in the latest version of @next-theme/utils.

  1. Is it? Did you check whether you published a new version or not? The latest is still v1.2.0, which was published 6 months ago, and the alert was triggered in May, and you merged this commit in 3161bf3, on May 27. And I am still not finding any newer versions.

@Mister-Hope
Author

Mister-Hope commented Jul 13, 2021

I just had a careful look at the two orgs next-theme and theme-next.

Are they actually the same? The utils repo seems to be the same.

Why should a project be posted in different repos in different orgs, with different package names, while not being published in sync and mentioning nothing in the readme?

@PaperStrike
Member

Try digging out the answers on your own. next-theme/hexo-theme-next#4.

@Mister-Hope
Author

Mister-Hope commented Jul 14, 2021

> Try digging out the answers on your own. next-theme/hexo-theme-next#4.

This answer is not even in this repo; I DO NOT think I should open every repo under the 2 orgs and have a look at every issue and discussion. I searched this repo, and I think this should be fine.

And:

  1. Both repos still have activity, so I don't think the team cannot place something in the readme
  2. Your link does help explain why there are two orgs, but it's more confusing here as the newest @next-theme/utils is not getting newer versions but the old next-utils does.

I appreciate your help and answer, but it's still not helping with this issue. The lodash security problem is still not yet fixed.

Both of you are answering something related and do help explain the issue, but not with fixing it.

This package is in my toolchain, which means I do not care how this issue happens; I only care about when this issue can be fixed. I opened this issue politely and provided the necessary information, but I have still been bothered for 2 months and received some unhelpful replies. That's disappointing.

(I know this is open source, but at least we should all agree it's not good to behave like this)

@Mister-Hope
Author

I do not think this fix is hard, just call someone and publish @next-theme/utils, and it should all be fine. I really don't think this issue needs to hang for 2 months

@PaperStrike
Member

> Both repos still have activity

theme-next/next-util isn't having any activity. Moreover, @theme-next hasn't had any commit for more than 1 year.

> I don't think the team cannot place something in the readme.

If "the team" means @next-theme, then we can. But I don't think there's a need to update every repo's readme, as one should know which to use by a simple look at the repos' recent commits.

> it's more confusing here as the newest @next-theme/utils is not getting newer versions but the old next-utils does.

Where did you find the old repo getting newer versions? Only by the version number?

> I do not care how this issue happens; I only care about when this issue can be fixed.

You just asked "Are they" and "Why" in your last reply. Then my last reply links to the answer. For the "when" problem, no one knows. Few of us would like to ask for an ETA.

You know this is open source, so if there's anything making you disappointed, you always have a choice to publish your npm package. We are not forcing you to use this.

@Mister-Hope
Author

Mister-Hope commented Jul 14, 2021

Fine, do anything you like. I will swallow my aggressive words. But do you actually think the first reply is helpful?

> We use renovate bot to keep the dependencies up to date, and the fixed version is controlled by the bot: theme-next/next-util#2

What's the link for? What does he want to express?

> lodash is removed in the latest version of @next-theme/utils.

Is it true?

> For the "when" problem, no one knows. Few of us would like to ask for an ETA.

Joking. Do you leave the security issues in your work projects? The ETA for security should definitely be as soon as possible.

I have a few open source projects like waline and vuepress-theme-hope.

Both of them have hundreds of stars, and I would surely blame myself if I posted some wrong answers which are not helpful in my repo issues. I would also blame myself if I did not help and wasted others' time when I could. Also I will surely fix any security problems as soon as possible.

Anyway, F word.
