pin polyfill dependencies in package.json files #44

romainmenke (Member) commented Jun 29, 2024

This doesn't change any of the actual versions of polyfill packages.
Pinning the versions also isn't new, we have lock files.

It only changes how the version was described in package.json files.


This is intended to make it easier to update other packages with commands like npm update.
Running npm update will no longer affect polyfill package versions.


This adds a little bit of hardening against malicious changes in polyfills upstream.

Updating polyfill versions is still fine but should always be done separately from updating other dependencies.

romainmenke requested review from fd and mhassan1 June 29, 2024 11:25
romainmenke enabled auto-merge (squash) June 29, 2024 11:26
romainmenke changed the title from "pin polyfill dependencies" to "pin polyfill dependencies in package.json files" Jun 29, 2024
romainmenke merged commit 1114a59 into main Jun 29, 2024
15 checks passed
romainmenke deleted the pin-polyfill-dependencies--practical-banded-palm-civet-e0cb9155db branch June 29, 2024 13:23
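
A check for the pinning described in the pull request above, as an added example that is not part of the pull request or of this repository's code: it reports polyfill dependencies whose package.json spec is anything other than one exact version, which is what keeps `npm update` from moving them. The function names, the `example-polyfill-` name prefix and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example, not code from this repository.
// package.json sections whose version specs npm resolves against the registry.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// A pinned spec is one bare semver version: "1.2.3", "1.2.3-beta.1", "1.2.3+build.5".
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Return null when the spec is an exact pin, otherwise why it is not one.
function unpinnedReason(spec) {
  if (typeof spec !== "string" || spec.trim() === "") return "empty spec matches any version";
  const s = spec.trim();
  if (EXACT_VERSION.test(s)) return null;
  if (/^[\^~]/.test(s)) return "caret/tilde range";
  if (/[<>*|]|\s-\s|\.x\b|^\d+(\.\d+)?$/i.test(s)) return "version range";
  if (/^(git\+|git:|https?:|file:|github:|npm:)|\//.test(s)) return "non-registry or aliased source";
  return "dist-tag or other non-exact spec";
}

// Collect every polyfill dependency in the manifest that is not pinned.
// isPolyfill is a caller-supplied predicate (hypothetical; the page names no packages).
function findUnpinned(manifest, isPolyfill) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isPolyfill(name)) continue;
      const reason = unpinnedReason(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest; package names are placeholders, not real packages.
const sampleManifest = JSON.parse(`{
  "name": "constructed-example",
  "dependencies": {
    "example-polyfill-fetch": "^3.1.0",
    "example-polyfill-intl": "2.4.1",
    "unrelated-lib": "^1.0.0"
  },
  "devDependencies": {
    "example-polyfill-url": "latest",
    "example-polyfill-map": "~1.0.2"
  }
}`);
const isPolyfill = (name) => name.startsWith("example-polyfill-");

for (const f of findUnpinned(sampleManifest, isPolyfill)) {
  console.log(`${f.section}: ${f.name}@${f.spec} (${f.reason})`);
}
```

Specs such as `=1.2.3` or `v1.2.3` are also reported, because the check accepts only a bare version string.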