I notice that the dependencies for standard-version are all fixed (no ^ or ~ for example). This makes it impossible to get the version bump in conventional-changelog, which fixes a CVE.
Could the standard-version dependencies be updated to use something like ^ so that upgrades and de-duplication of transitive dependencies are possible? If you object to this approach, could we at least get a new release of standard-version with the conventional-changelog version bumped?
We've moved to allow semver ranges on a number of dependencies via #615 – we'll be working to unpin more as we phase out our support of NodeJS@8 (#612, #618).
8.0.1 was published ~6 hours ago which includes updates to conventional-changelog (#592).