Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bump follow-redirects from 1.14.7 to 1.15.2 in /docs #1118

Merged
merged 1 commit into from
Nov 10, 2022
Merged

chore: bump follow-redirects from 1.14.7 to 1.15.2 in /docs #1118

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions docs/yarn.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1973,12 +1973,12 @@ __metadata:
linkType: hard

"follow-redirects@npm:^1.0.0":
version: 1.14.7
resolution: "follow-redirects@npm:1.14.7"
version: 1.15.2
resolution: "follow-redirects@npm:1.15.2"
peerDependenciesMeta:
debug:
optional: true
checksum: f6d03e5e30877431065bca0d1b2e3db93949eb799d368a5c07ea8a4b71205f0349a3f8f0191bf13a07c93885522834dca1dc8e527dc99a772c6911fba24edc5f
checksum: faa66059b66358ba65c234c2f2a37fcec029dc22775f35d9ad6abac56003268baf41e55f9ee645957b32c7d9f62baf1f0b906e68267276f54ec4b4c597c2b190
Copy link
Contributor

@Imod7 Imod7 Oct 30, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a quick question for when reviewing dependency updates from the dependabot :
When checking a package update from dependabot :

  • I check that the version is aligned with the one published in npm
  • Is there a way to also check that the checksum is correct ? to make sure that we are using the correct dependency and not a malicious one. I tried different things like :

    1. I checked in the npm registry > under versions > 1.15.2 > dist > shasum
      but the hash looks different than the one shown here

    2. I also downloaded the tar file of follow-redirects and then tried to check the hash with the corresponding command or generate it with different algorithms (256, 512, etc) but still it looks different.

    3. Based on this article

      As part of the generation of the yarn.lock file, yarn will compute a hash value for each dependency install based on the contents that were downloaded. Next time you download that dependency, yarn generates the hash again.
      If there is a mismatch between the new value and the value stored in yarn.lock, yarn will throw an error

      So maybe there is no point of checking it if this hash is generated by yarn ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So PR's such as this are not things that need to be overly reviewed. Just reading either the commits, or changelog if its there by dependabot is enough. Dependabot leverages the Github security advisory, so there is no need checking the checksum, etc. It would just be doing the work the Dependabot and Github do for us already.

languageName: node
linkType: hard

Expand Down