Skip to content

build(deps-dev): Bump lerna from 4.0.0 to 6.0.1#287

Closed
dependabot[bot] wants to merge 1 commit intodependabot_developfrom
dependabot/npm_and_yarn/dependabot_develop/lerna-6.0.1
Closed

build(deps-dev): Bump lerna from 4.0.0 to 6.0.1#287
dependabot[bot] wants to merge 1 commit intodependabot_developfrom
dependabot/npm_and_yarn/dependabot_develop/lerna-6.0.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 1, 2022
edited
Loading

Bumps lerna from 4.0.0 to 6.0.1.

Release notes

Sourced from lerna's releases.

v6.0.1

6.0.1 (2022-10-14)

Bug Fixes

  • run: allow for loading of env files to be skipped (#3375) (5dbd904)

v6.0.0

6.0.0 (2022-10-12)

Super fast, modern task-runner implementation for lerna run

As of version 6.0.0, Lerna will now delegate the implementation details of the lerna run command to the super fast, modern task-runner (powered by Nx) by default.

If for some reason you wish to opt in to the legacy task-runner implementation details (powered by p-map and p-queue), you can do so by setting "useNx": false in your lerna.json. (Please let us know via a Github issue if you feel the need to do that, however, as in general the new task-runner should just work how you expect it to as a lerna user).

Interactive configurtion for lerna run caching and task pipelines via the new lerna add-caching command

When using the modern task-runner implementation described above, the way to get the most out of it is to tell it about the outputs of your various scripts, and also any relationships that exist between them (such as needing to run the build script before the test, for example).

Simply run lerna add-caching and follow the instructions in order to generate all the relevant configuration for your workspace.

You can learn more about the configuration it generates here: https://lerna.js.org/docs/concepts/task-pipeline-configuration

Automatic loading of .env files in lerna run with the new task-runner implementation

By default the modern task runner powered by Nx will automatically load .env files for you. You can set --load-env-files to false if you want to disable this behavior for any reason.

For more details about what .env files will be loaded by default please see: https://nx.dev/recipes/environment-variables/define-environment-variables

Obselete options in lerna run with the new task-runner implementation

There are certain legacy options for lerna run which are no longer applicable to the modern task-runner. Please see full details about those flags, and the reason behind their obselence, here:

https://lerna.js.org/docs/lerna6-obsolete-options

New lerna repair command

When configuration changes over time as new versions of a tool are published it can be tricky to keep up with the changes and sometimes it's possible to miss out on optimizations as a result.

When you run the new command lerna repair, lerna will execute a serious of code migrations/codemods which update your workspace to the latest and greatest best practices for workspace configuration.

The actual codemods which run will be added to over time, but for now one you might see run on your workspace is that it will remove any explicit "useNx": true references from lerna.json files, because that is no longer necessary and it's cleaner not to have it.

We are really excited about this feature and how we can use it to help users keep their workspaces up to date.

... (truncated)

Changelog

Sourced from lerna's changelog.

6.0.1 (2022-10-14)

Bug Fixes

  • run: allow for loading of env files to be skipped (#3375) (5dbd904)

6.0.0 (2022-10-12)

Note: Version bump only for package lerna

6.0.0-alpha.2 (2022-10-12)

Bug Fixes

6.0.0-alpha.1 (2022-10-09)

6.0.0-alpha.0 (2022-10-07)

Note: Version bump only for package lerna

5.6.2 (2022-10-09)

Note: Version bump only for package lerna

5.6.1 (2022-09-30)

Bug Fixes

  • add-caching: ensure lerna.json is configured automatically (9677cda)

5.6.0 (2022-09-29)

Features

5.5.4 (2022-09-28)

Note: Version bump only for package lerna

5.5.3 (2022-09-28)

Note: Version bump only for package lerna

5.5.2 (2022-09-20)

Note: Version bump only for package lerna

... (truncated)

Commits
  • 4fcefff chore(release): v6.0.1
  • 5dbd904 fix(run): allow for loading of env files to be skipped (#3375)
  • 6fa5951 chore(release): v6.0.0
  • 154b939 chore(release): v6.0.0-alpha.2
  • 130f490 fix(run): update docs for v6 (#3366)
  • 8a1660e chore(release): v6.0.0-alpha.1
  • a926c6a Merge branch 'main' into next
  • 04f85a3 chore(release): v5.6.2
  • 84597c5 chore(release): v6.0.0-alpha.0
  • 8991812 feat(run)!: legacy task runner implementations no longer used by default (#3355)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by jameshenry, a new releaser for lerna since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps-dev): Bump lerna from 4.0.0 to 6.0.1
397f976 
Bumps [lerna](https://github.com/lerna/lerna/tree/HEAD/core/lerna) from 4.0.0 to 6.0.1.
- [Release notes](https://github.com/lerna/lerna/releases)
- [Changelog](https://github.com/lerna/lerna/blob/main/core/lerna/CHANGELOG.md)
- [Commits](https://github.com/lerna/lerna/commits/v6.0.1/core/lerna)

---
updated-dependencies:
- dependency-name: lerna
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from aleksaToljic as a code owner November 1, 2022 11:20
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 1, 2022
@dependabot dependabot bot mentioned this pull request Nov 1, 2022
Closed
@socket-security
Copy link

socket-security bot commented Nov 1, 2022

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package Script field Location
nx@15.0.4 (added) postinstall package.json
😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name

Package Bin script Location
@zkochan/js-yaml@0.0.6 (added) js-yaml package.json via nx@15.0.4
js-yaml@3.14.1 (added) js-yaml package.json
js-yaml@4.1.0 (added) js-yaml package.json via eslint@8.26.0
Pull request report summary
Issue Status
Install scripts ⚠️ 1 issue
Native code ✅ 0 issues
Bin script confusion ⚠️ 3 issues
Bin script shell injection ✅ 0 issues
Potential typo squat ✅ 0 issues
Known Malware ✅ 0 issues
Telemetry ✅ 0 issues
Protestware/Troll package ✅ 0 issues
Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

  • @SocketSecurity ignore nx@15.0.4
  • @SocketSecurity ignore @zkochan/js-yaml@0.0.6
  • @SocketSecurity ignore js-yaml@3.14.1
  • @SocketSecurity ignore js-yaml@4.1.0

⚠️ Please accept the latest app permissions to ensure bot commands work properly. Accept the new permissions here.

Powered by socket.dev

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Dec 1, 2022

Superseded by #319.

@dependabot dependabot bot closed this Dec 1, 2022
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/dependabot_develop/lerna-6.0.1 branch December 1, 2022 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aleksaToljic aleksaToljic Awaiting requested review from aleksaToljic aleksaToljic is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

Comments