stevedlawrence commented on code in PR #187:
URL: https://github.com/apache/daffodil-vscode/pull/187#discussion_r900431220


##########
package.json:
##########
@@ -62,17 +62,17 @@
   "devDependencies": {
     "@types/glob": "^7.1.3",
     "@types/mocha": "^8.2.2",
-    "@types/node": "^14.14.37",
+    "@types/node": "^18.0.0",
     "@types/vscode": "^1.55.0",
     "glob": "7.1.6",
-    "mocha": "8.3.2",
+    "mocha": "10.0.0",
     "prettier": "2.3.2",
     "ts-loader": "8.1.0",
     "typescript": "4.3.5",
-    "vsce": "1.87.1",
+    "vsce": "2.9.1",
     "vscode-debugadapter-testsupport": "1.46.0",
-    "webpack": "4.46.0",
-    "webpack-cli": "3.3.12"
+    "webpack": "5.40.0",
+    "webpack-cli": "4.10.0"
   },
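
Review bot: `@types/node` moves to `^18.0.0` while `@types/vscode` stays at `^1.55.0`, so the compiler will now accept Node APIs that the extension host of the oldest supported VS Code release may not provide. Consider pinning the Node typings to the Node major that the minimum supported VS Code ships with. The same kind of gap appears between `mocha` at `10.0.0` and the unchanged `@types/mocha` at `^8.2.2`. Since `webpack`, `webpack-cli`, `mocha` and `vsce` all cross a major version here while `ts-loader` stays at `8.1.0`, it would help to note in the PR that the bundle and the .vsix were rebuilt and the tests run against this exact set.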

Review Comment:
   Did you confirm that these new dev dependencies, and their transitive 
dependencies, are still ALv2 compliant according to ASF?
   
   Since they are dev dependencies I'd assume that means no part of them ends 
up in `extension.js` or the .vsix file (is this true?) and so we don't need to 
update the `bin.{LICENSE,NOTICE}` files, but they do still need to be ALv2 
compatible since they are required to build.
   
   Just so it's clear to everyone:
   * packages listed in `dependencies` and their transitive dependencies *must* 
be listed in `bin.LICENSE` or `bin.NOTICE`, with the assumption they end up in 
the vsix file
   * packages listed in "devDependencies" and their transitive dependencies 
*should not* be listed anywhere, with the assumption that they don't end up in 
the vsix file
   * all packages need to be ALv2 compatible
   
   I think we do this correctly, but I'm not positive. Is there a way to list 
the LICENSE/NOTICE information of all dependencies and their transitives that 
*aren't* devDependencies?



##########
.github/dependabot.yml:
##########
@@ -28,3 +28,6 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
+    ignore:
+      - dependency-name: "typescript"
+      - dependency-name: "ts-loader"
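
Review bot: The two `ignore` entries for `typescript` and `ts-loader` carry no reason and no `versions` or `update-types` restriction, so every update for both packages is suppressed indefinitely and nothing in the file says when the entries can be removed. Add a comment above them, in the style of the existing `# Location of package manifests` comment, stating why they are held back and pointing at a tracking issue, or narrow each entry to the version range that is actually a problem.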

Review Comment:
   Should we create an issue to update these so we don't forget? I don't think 
it's critical that these be updated so it'd be good to have a reminder 
somewhere.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
