
chore: upgrade d3-color and d3-scale-chromatic

Open icco opened this issue 9 months ago • 9 comments

Done to match other packages

icco avatar Nov 20 '23 17:11 icco

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name: nivo
Status: ✅ Ready (Inspect)
Preview: Visit Preview
Comments: 💬 Add feedback
Updated (UTC): Jan 3, 2024 10:08pm

vercel[bot] avatar Nov 20 '23 17:11 vercel[bot]

@icco Can you please update pnpm-lock.yaml as well, so tests could show whether updated versions would work?

Looking forward to this shipped as minor to resolve the vulnerabilities.

OleksandrRakovets avatar Jan 03 '24 18:01 OleksandrRakovets

@OleksandrRakovets I haven't used pnpm before, but ran pnpm install and pushed the diff

icco avatar Jan 03 '24 22:01 icco

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 67c30567699b05a03a720b03e636971cbaaadbb8:

Sandbox: nivo
Source: Configuration

codesandbox-ci[bot] avatar Jan 03 '24 22:01 codesandbox-ci[bot]

Looks good. Can we get this in and make everyone's scans happy again, please? :)

jclarkcisco avatar Jan 29 '24 20:01 jclarkcisco

@plouc any chance of getting this merged?

RicardoAALL avatar Jan 30 '24 23:01 RicardoAALL

The version bumps look OK, however the lock file has 25,722 additions, 34,184 deletions which doesn't seem right.

plouc avatar Jan 30 '24 23:01 plouc

+1 to this! please merge!

sebastianarena avatar Feb 12 '24 17:02 sebastianarena

As a temporary solution and in order not to have to wait for dependency updates, you can use overrides to force a particular version of d3-color to be used in your project.

    package.json
    ...
    "resolutions": {
      "d3-color": "3.0.0"
    }
    ...

Note: Yarn has "resolutions" and pnpm has "overrides" too, and they work in a similar way.

srubio131 avatar Feb 20 '24 08:02 srubio131

The version bumps look OK, however the lock file has 25,722 additions, 34,184 deletions which doesn't seem right.

@plouc I just ran the default pnpm install command. What's the correct way to generate this lock file?

icco avatar Feb 21 '24 13:02 icco

I pulled down the branch to see why it had that many changes in the lock file and 98% of the changes are whitespace. It looks like the lockfile that is in master uses 4 spaces to indent and this PR instead uses 2 spaces to indent. When I look at the diff using git diff -w it cuts down on the changes quite a bit but there is still stuff like this that shows up:

It's moving the react specifier a LOT of times from 18.2.0 to >= 16.14.0 < 19.0.0:

       react:
-                specifier: 18.2.0
+        specifier: '>= 16.14.0 < 19.0.0'
         version: 18.2.0
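Review bot: this hunk is a real change rather than whitespace: the exact pin `18.2.0` becomes the range `'>= 16.14.0 < 19.0.0'` while the resolved `version: 18.2.0` line is unchanged, so the installed package is the same but the declared constraint is looser; worth confirming the range matches what the corresponding package.json declares rather than being an artifact of the pnpm version used to regenerate the lockfile.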

It's changing the spacing of a LOT of integrity fields:

   /@alloc/[email protected]:
-        resolution:
-            {
-                integrity: sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==,
-            }
+    resolution: {integrity: sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==}
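Review bot: the integrity hash is identical on the removed and added lines, so this hunk is purely a YAML flow-style change (a multi-line mapping collapsed to an inline `{integrity: ...}`) and the content-addressed check on the fetched tarball is unaffected; the hunks that matter for review are any where the hash value itself differs in the `-w` diff.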

I verified this behavior by pulling down the PR branch, replacing the lock file with the one from master, making sure I'm using [email protected] (as specified in the package.json), and then rerunning make init. I ended up with the same lockfile as this PR. Is there a different version of pnpm that doesn't change the whitespace as much? Or some kind of setting for it?

BruceHubbard avatar Feb 21 '24 16:02 BruceHubbard
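To separate formatting churn like the above from substantive lockfile changes, here is an added example (not part of this thread or the nivo project) that extracts package keys and integrity hashes from two pnpm-lock.yaml texts regardless of indentation or YAML flow style, and reports only hashes that were added, removed or changed; the lockfile snippets and hash values are constructed.

```python
import re

# A package key in the "packages:" section, e.g. "  /d3-color@3.1.0:", matched at any
# indentation so both master's 4-space and the PR's 2-space style are accepted.
PKG_KEY = re.compile(r"^\s*(/[^\s:]+):\s*$")
# The integrity hash, whether on its own line or inside an inline "{integrity: ...}" mapping.
INTEGRITY = re.compile(r"integrity:\s*(sha\d+-[A-Za-z0-9+/=]+)")


def integrity_map(lock_text: str) -> dict[str, str]:
    """Map each package key to its integrity hash, ignoring indentation and YAML flow style."""
    current, result = None, {}
    for line in lock_text.splitlines():
        key = PKG_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        hit = INTEGRITY.search(line)
        if hit and current is not None:
            result[current] = hit.group(1)
    return result


def compare_lockfiles(old_text: str, new_text: str) -> dict[str, list[str]]:
    """Report packages whose integrity hash was added, removed or changed between two lockfiles."""
    old, new = integrity_map(old_text), integrity_map(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


# Constructed samples (hashes are fake): the same package written in master's
# 4-space multi-line style and in the PR's 2-space inline style.
OLD_LOCK = """lockfileVersion: '6.0'
packages:
    /d3-color@3.1.0:
        resolution:
            {
                integrity: sha512-FAKEhashAAAA1111==,
            }
        dev: false
"""
NEW_LOCK = """lockfileVersion: '6.0'
packages:
  /d3-color@3.1.0:
    resolution: {integrity: sha512-FAKEhashAAAA1111==}
    dev: false
"""
# A lockfile that looks like a pure reformat but silently swaps the hash.
TAMPERED_LOCK = NEW_LOCK.replace("AAAA1111", "BBBB2222")
```

An empty report from compare_lockfiles means the churn is formatting only at the integrity level; any entry under "changed" deserves the same scrutiny as a version bump.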

@BruceHubbard, thank you for checking. I tried it myself and got the same result, not sure why though, but those changes should be fine then, and the specifier field is aligned with what's defined in the packages. So LGTM, and thank you for the contribution @icco!

plouc avatar Feb 22 '24 01:02 plouc