From 6e902f6928ae4d63c3fc08699932c839e5c76e23 Mon Sep 17 00:00:00 2001
From: Sam Lanning
Date: Fri, 1 Jul 2022 16:07:58 +0100
Subject: [PATCH] fix(dependencies): unpin dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently direct dependencies are pinned to specific patch versions, as a result, projects that use this repository cannot respond to transitive dependency updates, for example #210 updates lodash to address CVE‑2020-8203, however other projects need to wait for Caporal to do this and update after a new version has been published, and cannot be more proactive to address vulnerabilities in transitive dependencies.
---
 package.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package.json b/package.json
index f6e50f4..17f6517 100644
--- a/package.json
+++ b/package.json
@@ -116,17 +116,17 @@
 },
 "dependencies": {
 "@types/glob": "^7.1.1",
- "@types/lodash": "4.14.149",
+ "@types/lodash": "^4.14.149",
 "@types/node": "13.9.3",
- "@types/table": "5.0.0",
+ "@types/table": "^5.0.0",
 "@types/tabtab": "^3.0.1",
 "@types/wrap-ansi": "^3.0.0",
- "chalk": "3.0.0",
+ "chalk": "^3.0.0",
 "glob": "^7.1.6",
- "lodash": "4.17.21",
- "table": "5.4.6",
+ "lodash": "^4.17.21",
+ "table": "^5.4.6",
 "tabtab": "^3.0.2",
- "winston": "3.2.1",
+ "winston": "^3.2.1",
 "wrap-ansi": "^6.2.0"
 },
 "config": {
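Review bot: `"@types/node": "13.9.3"` is still pinned to an exact version in the new `dependencies` block, so the stated goal of unpinning direct dependencies is only partly met. If the pin is deliberate, the commit message should say why; otherwise change it to `"@types/node": "^13.9.3"` so consumers are not held to one patch release of that package either. With caret ranges, downstream installs resolve the newest release within each major at install time, so a lockfile in this repository (none is visible in this patch) no longer describes what consumers actually run; CI should exercise a fresh resolve as well as the locked set. The `^4.17.21` floor on lodash is worth keeping as is, since it stops a resolver from selecting anything older than the version the package already shipped with.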