Skip to content

Bump dependencies and require Node.js 6#14

Merged
sindresorhus merged 1 commit into
kevva:masterfrom
bbbco:master
Oct 10, 2018
Merged

Bump dependencies and require Node.js 6#14
sindresorhus merged 1 commit into
kevva:masterfrom
bbbco:master

Conversation

@bbbco

@bbbco bbbco commented May 21, 2018

Copy link
Copy Markdown
Contributor

Bump download dependency in order to address vulnerability found in the tunnel-agent package downstream. See https://nodesecurity.io/advisories/598

Unfortunately, the download package decided to drop support for Node 4 as well. Considering the state of where we are in the evolution of Node, we might as well drop it here too and enable support for Node 10.

I also bumped the minor version of the package.

Comment thread package.json Outdated
{
"name": "bin-build",
"version": "3.0.0",
"version": "3.1.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You shouldn't touch this; it's the maintainer's job/choice.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let alone, this should be a major bump due to the node.js version requirement bump.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx for the advice. I have reverted that updated, and rebased.

@XhmikosR

Copy link
Copy Markdown

Ping @kevva

…he tunnel-agent package downstream. See https://nodesecurity.io/advisories/598 .

Note: xo 0.21 requires Node 6+ , so we drop support for Node 4 because the new download package doesn't even support it, and add support for Node 10
@rejas

rejas commented Jul 11, 2018

Copy link
Copy Markdown

Download v7.1.0 https://github.com/kevva/download/releases/tag/v7.1.0 got released, maybe you should update the dependencies accordingly?

@rejas

rejas commented Jul 24, 2018

Copy link
Copy Markdown

Ping @kevva :-)

@Chris3773

Copy link
Copy Markdown

Ping @kevva

@sindresorhus sindresorhus changed the title Bump download package to address downstream package vulnerability Bump dependencies and require Node.js 6 Oct 10, 2018
@sindresorhus sindresorhus merged commit ab40a3f into kevva:master Oct 10, 2018
@stof

stof commented Jun 11, 2020

Copy link
Copy Markdown

Any plan to release this ?

Looking at the image-webpack-loader dependency tree, I found out that optipng-bin (and other similar tool packages used by imagemin-* packages) depend on both bin-build and bin-wrapper, but end up installing 2 different versions of download (which has a large tree), because this migration to download 7 has never been released (with bin-wrapper uses version 7).

@1000ch

1000ch commented Oct 16, 2021

Copy link
Copy Markdown

@kevva @sindresorhus could you release the new version with this change? ideally #17 as well.

@kumarrishav

Copy link
Copy Markdown

Hi team,
can we release this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

8 participants