Move to a semver range for path-to-regexp
dependency to address future Dependabot alerts
#39217
Unanswered
hashtagchris asked this question in Ideas / Feature Requests
Replies: 0 comments
path-to-regexp has been patched in the past, and may be patched again in the future. Could Gatsby switch to a semver range so Dependabot security alerts can be resolved immediately following a path-to-regexp release, without waiting for a new Gatsby release?

Was the semver range caret left off because a <1.0.0 version is used? If so, could ^1.9.0 or ^8.2.0 be used instead?

gatsby/packages/gatsby/package.json, line 139 in aa403a4

Or was the caret left off because express 4.x doesn't use a caret (ref), and gatsby has a dependency on express? Based on tags, path-to-regexp@0.1.x is reserved for express v4 compatibility.

Related
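The question turns on how npm's caret range behaves for versions below 1.0.0. The script below is an added example, not code from Gatsby, path-to-regexp or this discussion: it implements the caret rule (the left-most non-zero component is the one that may not change) next to an exact pin, and reports for each candidate release whether Dependabot could resolve it by bumping the lockfile alone or would need a package.json change. All version numbers in it are constructed to exercise the rule, not real releases of any package; `satisfies`, `caretUpperBound` and `explain` are names chosen for this example.

```javascript
// Added example (not Gatsby's or path-to-regexp's code): a minimal model of
// npm's exact-pin and caret-range semantics, enough to show which releases
// a dependency spec admits. Prerelease tags and other range operators are
// deliberately out of scope.

// Parse "MAJOR.MINOR.PATCH" into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, per npm's rule that the
// left-most non-zero component is frozen:
//   ^1.9.0 -> <2.0.0   (MAJOR is non-zero, so MINOR and PATCH float)
//   ^0.1.7 -> <0.2.0   (MAJOR is 0, so only PATCH floats)
//   ^0.0.3 -> <0.0.4   (MAJOR and MINOR are 0, so nothing floats)
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `version` satisfy `spec`? Supports exact pins ("0.1.7") and caret
// ranges ("^0.1.7"); anything else is rejected rather than guessed at.
function satisfies(spec, version) {
  const v = parseVersion(version);
  if (spec.startsWith("^")) {
    const lower = parseVersion(spec.slice(1));
    return compareVersions(v, lower) >= 0 &&
           compareVersions(v, caretUpperBound(lower)) < 0;
  }
  if (/^\d+\.\d+\.\d+$/.test(spec)) {
    return compareVersions(v, parseVersion(spec)) === 0;
  }
  throw new Error(`unsupported range syntax: ${spec}`);
}

// A lockfile bump stays inside the declared range, so a candidate release
// outside it needs a package.json change (i.e. a new release of the
// consuming package) before Dependabot can resolve the alert.
function explain(spec, candidate) {
  return satisfies(spec, candidate)
    ? `${candidate} is inside "${spec}": a lockfile bump resolves it`
    : `${candidate} is outside "${spec}": package.json must change first`;
}

// Constructed spec/candidate pairs (hypothetical versions, not real releases).
const cases = [
  ["0.1.7", "0.1.8"],   // exact pin: even a patch release is out of range
  ["^0.1.7", "0.1.8"],  // caret on 0.x: patch releases still float
  ["^0.1.7", "0.2.0"],  // caret on 0.x: minor bump is excluded
  ["^1.9.0", "1.12.0"], // caret on 1.x: minor releases float
  ["^1.9.0", "2.0.0"],  // caret on 1.x: next major is excluded
  ["^8.2.0", "8.2.1"],  // caret on 8.x: patch release floats
];
for (const [spec, candidate] of cases) {
  console.log(explain(spec, candidate));
}
```

The last two cases are the point of the caret on a 0.x line: `^0.1.7` behaves like `~0.1.7`, so it would still admit a patched 0.1.x release while refusing a 0.2.0 that might break express 4 compatibility; an exact pin admits nothing until the consuming package ships a new version.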