@wjhsf wjhsf commented Aug 26, 2025

Running yarn install (before):

yarn install v1.22.22
[1/5] 🔍  Validating package.json...
[2/5] 🔍  Resolving packages...
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^7.6.3"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.1"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^6.3.0"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^7.6.3"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^7.6.3"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^7.7.2"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^5.6.0"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^5.5.0"
warning Resolution field "semver@7.6.0" is incompatible with requested version "semver@^5.3.0"
warning Resolution field "http-cache-semantics@4.1.1" is incompatible with requested version "http-cache-semantics@3.8.1"
success Already up-to-date.

Running yarn install (after):

yarn install v1.22.22
[1/5] 🔍  Validating package.json...
[2/5] 🔍  Resolving packages...
warning Resolution field "http-cache-semantics@4.1.1" is incompatible with requested version "http-cache-semantics@3.8.1"
success Already up-to-date.

We originally pinned semver to patch a vulnerability. That was a while ago, and all of our dependencies now use patched versions, so the pin is no longer necessary. And it makes yarn install way less noisy! You can verify that this is safe by running yarn audit and seeing that semver is not listed, or by running yarn why semver and seeing that all installed versions are not vulnerable.

Note that some of our dependencies still try to pull in a version of http-cache-semantics that has a vulnerability, so we can't remove that pin. We can update the pin to the latest version, though. Just for fun.

Details

Does this pull request introduce a breaking change?

  • 😮‍💨 No, it does not introduce a breaking change.
  • 💔 Yes, it does introduce a breaking change.

Does this pull request introduce an observable change?

  • 🤞 No, it does not introduce an observable change.
  • 🔬 Yes, it does include an observable change.

GUS work item

All deps have upgraded to address the vulnerability.

https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
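A way to check both claims in the description mechanically, as an added example that is not part of this PR or the project's code: it parses a yarn v1 lockfile, lists the requested ranges that a resolutions pin forces to an incompatible version (the condition behind each "Resolution field ... is incompatible" warning in the before output, including ^7.6.3 and ^7.7.2 being held back to 7.6.0), and reports any resolved version still below a patched floor, which is the situation in which a pin has to stay. The lockfile fragments, the per-major patched floors and the function names are assumptions constructed for the example; confirm the floors against the linked advisory.

```python
# Added example, not the project's code; lockfile fragments and floors are constructed.
# Assumed patched floors per major line for the advisory linked in the PR; confirm them.
PATCHED_FLOORS = {5: (5, 7, 2), 6: (6, 3, 1), 7: (7, 5, 2)}

LOCK_PINNED = """\
semver@7.6.0, semver@^5.3.0, semver@^6.3.1, semver@^7.6.3, semver@^7.7.2:
  version "7.6.0"
"""
LOCK_UNPINNED = """\
semver@^5.3.0, semver@^5.6.0:
  version "5.7.2"
semver@^6.3.0, semver@^6.3.1:
  version "6.3.1"
"semver@^7.6.3", semver@^7.7.2:
  version "7.7.2"
"""

def resolved_versions(lock_text, package):
    """Map each requested range of `package` to the version yarn resolved it to."""
    out, ranges = {}, []
    for line in lock_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            ranges = []  # new entry: collect every key that names our package
            for key in line[:-1].split(","):
                name, _, rng = key.strip().strip('"').rpartition("@")
                if name == package:
                    ranges.append(rng)
        elif ranges and line.strip().startswith("version "):
            for rng in ranges:
                out[rng] = line.split('"')[1]
    return out

def parse_version(v):
    return tuple(int(x) for x in v.split("-")[0].split(".")[:3])

def satisfies(rng, version):
    """^X.Y.Z (X > 0) allows >= X.Y.Z and < (X+1).0.0; an exact spec must match."""
    want, got = parse_version(rng.lstrip("^")), parse_version(version)
    return got == want if not rng.startswith("^") else want <= got < (want[0] + 1, 0, 0)

def is_patched(version):
    v = parse_version(version)  # an unknown major line counts as unpatched
    return v[0] in PATCHED_FLOORS and v >= PATCHED_FLOORS[v[0]]

def audit_pin(lock_text, package):
    """'violations' are what yarn warns about; a non-empty 'vulnerable' means keep the pin."""
    resolved = resolved_versions(lock_text, package).items()
    return {"violations": [f"{package}@{r} -> {v}" for r, v in resolved if not satisfies(r, v)],
            "vulnerable": [f"{package}@{r} -> {v}" for r, v in resolved if not is_patched(v)]}
```

To run it against a real project, read yarn.lock into lock_text; the resolved versions it reports are the same ones yarn why semver prints interactively.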
@wjhsf wjhsf requested a review from a team as a code owner August 26, 2025 20:34
@wjhsf wjhsf merged commit 846dd06 into master Aug 27, 2025
6 checks passed
@wjhsf wjhsf deleted the wjh/unpin branch August 27, 2025 12:18