build(deps): bump xml2js from 0.4.19 to 0.5.0 #1408

Merged
merged 3 commits into from
Apr 11, 2023

@dreamorosi dreamorosi commented Apr 11, 2023

Description of your changes

One of the dependencies in our tree requires an update due to a prototype pollution type of issue. This is an indirect, development-only dependency; as such, it's not part of the Powertools utilities shipped to npm and to our customers.

Regardless of that, we want to keep things as in order as possible and would like to remove it by updating it to a patched version.

Dependabot tried to open a similar PR and do the update; however, even though a patch was applied, the dependency was not updated and recreating the PR fails. In the meantime, the package at the second level of depth of our dependency tree has updated the problematic dependency, so it's reasonable to perform the update of the lock file manually.

The PR will be merged only when the unit tests below are green as well as having a positive integration test result posted below.

Related issues, RFCs

Issue number: N/A

Checklist

  • My changes meet the tenets criteria
  • I have performed a self-review of my own code
  • I have commented my code where necessary, particularly in areas that should be flagged with a TODO, or hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the examples
  • My changes generate no new warnings
  • The code coverage hasn't decreased
  • I have added tests that prove my change is effective and works
  • New and existing unit tests pass locally and in GitHub Actions
  • Any dependent changes have been merged and published
  • The PR title follows the conventional commit semantics

Breaking change checklist

Is it a breaking change?: NO

  • I have documented the migration process
  • I have added, implemented necessary warnings (if it can live side by side)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.
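
A check a reviewer could run after a manual lock file update like the one described above, as an added example that is not part of this pull request or the project's code. It assumes an npm `package-lock.json` with the `packages` map (lockfileVersion 2 or 3); the sample lock data and the `parent-pkg` name are constructed for illustration.

```javascript
// Added example: find every resolved copy of a package in a parsed
// package-lock.json that is still below a patched version.
const PATCHED = [0, 5, 0]; // xml2js version this PR bumps to (from the PR title)

function parseVersion(v) {
  // "0.4.19" -> [0, 4, 19]; pre-release/build suffixes are ignored
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function isBelow(version, floor) {
  const parts = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    const x = parts[i] || 0;
    if (x !== floor[i]) return x < floor[i];
  }
  return false; // equal to the floor counts as patched
}

function packageNameFromPath(path) {
  // "node_modules/a/node_modules/xml2js" -> "xml2js" (nested copies included)
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
}

function findUnpatched(lock, name, floor) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (packageNameFromPath(path) !== name || !meta.version) continue;
    if (isBelow(meta.version, floor)) {
      // meta.dev === true marks entries reachable only via devDependencies
      findings.push({ path, version: meta.version, devOnly: meta.dev === true });
    }
  }
  return findings;
}

// Constructed sample: one nested copy was left behind by an incomplete update.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-workspace' },
    'node_modules/parent-pkg': { version: '1.2.3', dev: true },
    'node_modules/parent-pkg/node_modules/xml2js': { version: '0.4.19', dev: true },
    'node_modules/xml2js': { version: '0.5.0', dev: true },
  },
};

console.log(findUnpatched(sampleLock, 'xml2js', PATCHED));
```

An empty result means no resolved copy of the package remains below the patched version; nested `node_modules` paths are checked because a transitive parent can pin its own copy.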

@pull-request-size pull-request-size bot added the size/XS PR between 0-9 LOC label Apr 11, 2023
@dreamorosi dreamorosi self-assigned this Apr 11, 2023
@dreamorosi dreamorosi marked this pull request as ready for review April 11, 2023 19:57
@dreamorosi dreamorosi merged commit 6894f9a into main Apr 11, 2023
@dreamorosi dreamorosi deleted the dependabot/npm_and_yarn/xml2js-0.5.0 branch April 11, 2023 19:58