
Dependencies upgrade

Open fidgi opened this issue 1 year ago • 2 comments

Hi,

It would be kind if someone can merge dependencies update related PR in order to clear some vulnerabilities and apply some fixes.

Regards,

fidgi, Jan 28 '25 21:01

@fidgi I've not seen any movement on this in months... so I've been using my own fork of @semantic-release/git.

You're more than welcome to use it, I've updated with security patches and all that. And also using code from PR #264.

https://github.com/englut/semantic-release-git

You can install the git repo directly as an npm package via:

npm install git@github.com:englut/semantic-release-git.git

If there's enough demand, I will tag stable versions. But for now, I'm not seeing any new needed features, and since it's just me using it, no biggie. Hope this helps!

englut, Jan 30 '25 00:01

We do our best to keep official plugins up to date on dependencies, but we are a small team of volunteers, so we have some areas that have fallen behind.

With the transition to ESM that has been happening in the JavaScript community, some of our dependencies have become blocked by the need to convert our projects to ESM. We completed that conversion of our core and core plugins a while ago, but we still have some official plugins, like this one, that haven't completed that effort yet. We just released an update related to this effort for our exec plugin today. We've requested help from our community to get the remaining plugins converted, so if you would like to help with this effort, please feel free to send a PR following the examples of conversions that have happened for our other plugins.

Also, keep in mind that we officially recommend against using this plugin if you can avoid it. You could avoid the concern you raise completely by not using the plugin.

travi, Jan 31 '25 21:01