David says dependency is insecure. Is this a bug, or am I wrong?
I have an issue with one of my repos. The badge shows insecure dependencies, and this belongs to jQuery, as the detail page of david told me (and as this is the only dependency too).

https://david-dm.org/eisbehr-/jquery.lazy

The plugin depends on any version greater than or equal to 1.7.2. This is simply to keep the range as wide as possible, even for very old projects, like some IE stuff some companies still have live.

My question is simply, why is my dependency insecure? On a new install, the most common version 3.2.1 would be picked, which is secure. In my eyes this is a wrong message / badge here. I don't depend on 1.7.2 directly, I depend on everything above too. On a normal install the latest version would be picked.

Can someone tell me the problem?
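The point at issue is what a dependency badge evaluates: not the version a fresh install picks today, but every published version the declared range still admits. The following is an added example, not code from david-dm or from the issue author, modelling that check with a constructed version list and a constructed placeholder advisory (not a real jQuery advisory):

```javascript
// Added example: a minimal model of a dependency badge. A declared range is
// flagged "insecure" when ANY published version that satisfies it also falls
// inside an advisory's affected range. Version list and advisory below are
// constructed sample data, not real jQuery release or advisory data.

function parseVersion(v) {
  return v.split('.').map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports space-separated comparators joined by AND, e.g. ">=1.7.2 <3.0.0".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every(comparator => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
    if (!m) throw new Error(`unsupported comparator: ${comparator}`);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
  });
}

// Constructed sample registry: versions a resolver could legitimately choose
// (via a lock file, another package's pin, or `npm install pkg@1`).
const PUBLISHED = ['1.7.2', '1.8.3', '1.12.4', '2.2.4', '3.0.0', '3.2.1'];
// Constructed placeholder advisory: everything below 3.0.0 counts as affected.
const ADVISORIES = [{ id: 'EXAMPLE-0001', affected: '<3.0.0' }];

// Returns the published versions the declared range admits that are affected.
function vulnerableVersionsAllowed(declaredRange, published = PUBLISHED, advisories = ADVISORIES) {
  return published.filter(v =>
    satisfies(v, declaredRange) && advisories.some(a => satisfies(v, a.affected)));
}

function badgeFor(declaredRange) {
  return vulnerableVersionsAllowed(declaredRange).length ? 'insecure' : 'secure';
}

console.log(badgeFor('>=1.7.2')); // insecure: the range still admits 1.7.2 .. 2.2.4
console.log(badgeFor('>=3.0.0')); // secure: every admitted version is unaffected
```

Under this model `>=1.7.2` is flagged because a lock file, a transitive pin, or an explicit older install resolves inside the affected part of the range even though a fresh install picks 3.2.1; a peer dependency is simply not evaluated at all.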
Issue Analytics
- Created 6 years ago
- Comments: 10 (5 by maintainers)
Top GitHub Comments
If jQuery were a peer dependency of your module, then users would have to install it independently (it would not be automatically installed when your module is installed). Because David-dm does not check that peer dependencies are up to date, your badge would go green.

I realise this is a tradeoff because it changes the contract with your users. But perhaps a peer dependency is a better description of the relationship with jQuery?

Would a peer dependency be an option?