wooorm / refractor

Lightweight, robust, elegant virtual syntax highlighting using Prism

Change prismjs to caret range?

karlhorky opened this issue · comments

Hi @wooorm !

Maybe going forward, you would consider changing to a caret version range for prismjs?

It would help a lot for projects stuck with older dependencies which have refractor as a transitive dep (especially when things like security vulnerabilities with prismjs happen).

Anyway, thanks for the consideration!

commented

Hi Karl! 👋

We have Prism as a dep for its core. Basically hidden internals. Loosening the range will cause stuff to break. I find preventing everything from exploding more important than older dependencies. Refractor also has a track record of updating fast after Prism updates, and if you use refractor itself with a loose range, you’ll also get Prism updates.

The security vulnerability did not affect anyone using refractor, as we don’t support plugins. If there is an issue, it’s with Dependabot falsely claiming there was one 🤷‍♂️

Ok, understandable. Thanks for the answer :)

commented

No problem, thanks for understanding!