Allow all patch updates

Closed Administrator requested to merge github/fork/hermanbanken/patch-1 into master 5 years ago

Created by: hermanbanken

Fixating the package dependencies is harmful both to the ecosystem and in the ecosystem of NPM where vulnerabilities are plentiful and widespread. By pinning, this library requires manual intervention & publication even while the vulnerable dependencies themselves are patched. It is really in the word: patched indicates that you most often want these changes and that you don't want to skip having them. If you really need to fixate your dependencies then you simply rely on npm ci to install, and you get the same version every single time.

If every library had only patch versions everyone will be happy!

This fixes many current and future security related PRs and issues like https://github.com/facebook/create-react-app/issues/7364.
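
The trade-off argued in the description above, as an added example that is not part of the merge request or of create-react-app: it checks which dependency specs would pick up a published patch release without a new release of the declaring package. The package names, versions and the helper names `satisfies` and `auditPins` are hypothetical, and only exact, `~` and `^` specs on plain `x.y.z` versions are handled.

```javascript
// Added example: constructed data, not taken from create-react-app.
// Minimal matcher for the three spec shapes discussed: exact pin, ~ and ^.
// Prerelease tags and compound ranges are out of scope (assumption).

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` satisfies `spec` ("1.2.3", "~1.2.3" or "^1.2.3").
function satisfies(spec, version) {
  const op = /^[~^]/.test(spec) ? spec[0] : '=';
  const [bM, bm, bp] = parse(op === '=' ? spec : spec.slice(1));
  const [M, m, p] = parse(version);
  if (op === '=') return M === bM && m === bm && p === bp;
  const atLeastBase = M > bM || (M === bM && (m > bm || (m === bm && p >= bp)));
  if (!atLeastBase) return false;
  if (op === '~') return M === bM && m === bm; // patch updates only
  // Caret: the leftmost non-zero component stays fixed.
  if (bM > 0) return M === bM;
  if (bm > 0) return M === 0 && m === bm;
  return M === 0 && m === 0 && p === bp;
}

// For each dependency, report whether a published fix is reachable
// without a new release of the package that declares the dependency.
function auditPins(dependencies, fixes) {
  return Object.entries(dependencies).map(([name, spec]) => {
    const fixed = fixes[name];
    return {
      name,
      spec,
      pinned: !/^[~^]/.test(spec),
      picksUpFix: fixed ? satisfies(spec, fixed) : null,
    };
  });
}

// Constructed sample: hypothetical package names and versions.
const sampleDeps = { 'lib-a': '2.4.1', 'lib-b': '~2.4.1', 'lib-c': '^2.4.1' };
const sampleFixes = { 'lib-a': '2.4.2', 'lib-b': '2.4.2', 'lib-c': '2.5.0' };

console.log(auditPins(sampleDeps, sampleFixes));
```

A range in `package.json` only widens what may be resolved; `npm ci` still installs exactly what the lockfile records, so the fix arrives when the lockfile is regenerated.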


Labels: CLA Signed, stale
Reference: facebook/create-react-app!7461
Source branch: github/fork/hermanbanken/patch-1
