Revert "update make-fetch-happen to 11.0.3 (#2796)" #2849
9712b7d to dc1d443
This seems reasonable given our "engines" claim (which is different to our CI versions, which isn't great). But doesn't this take us back to a version with a security vulnerability tag? Comments @benjaminpjones, @lukekarrys, @cclauss?
@rvagg It does, so currently addressing that would mean replacing the library. It's only a single call for the installation so shouldn't be too hairy - a false start with FWIW the question of a backport was raised in npm/make-fetch-happen#243 and it doesn't seem to be happening under upstream, at least.
or we could keep it in house with https://github.com/nodejs/undici perhaps?
Hm, I'd be curious to hear the maintainers' take on this one:
So I guess:
A mild dilemma, but IMO we should ditch I think
Two things from my perspective:
One more point on Anything wider than what However as #2770 shows
Really appreciate the follow-up here @lukekarrys!
I'd remove the quotes. yarn 1.x is still widely used (I'd guess even more so among projects where this include-path is relevant) and will handle this as a fatal error by default:
Other package managers or yarn versions may also, depending on configuration.
My conclusion is that increasing More on
Now that #2770 has landed, we should figure out how to have multiple release lines. I plan on making a PR setting up tooling similar to how the npm CLI does it which supports multiple release lines. Once that is complete, this should land on v9 as 9.4.1 and v10 will be the breaking engines changes.
This reverts commit 02480f6, thereby rolling back dependency make-fetch-happen from ^11.0.3 to ^10.0.3.

The upgrade is breaking for node-fetch users as it has transitive dependencies with syntax incompatible with supported Node.js versions.

Related:
- nodejs#2770
- nodejs#2837
- nodejs#2816
- nodejs#2848
- nodejs#2827
- nodejs#2796

dc1d443 to dd50c2c
Rebased on
With this commit, my changes from 5df2b72 are no longer mandatory. They can be kept (probably should be), but the root cause for making them is removed.
I am not qualified to review this. Is there a Node.js contributor that can?
Apologies for being slow on reviewing this. This should definitely be merged, but I would like to wait until there is a I will be creating that branch which will essentially be the current
For historical reasons this library was picked due to its use in npm which allows deduping and also because of its proxy support over node-fetch. Unsure where npm 10 lies with the issues reported.
I just landed #2917 on the
This reverts commit 02480f6, as it introduced breaking changes blocking a release of node-gyp 9 from a clean main. make-fetch-happen would have to be updated to a (hypothetical future) v10.x fix, or replaced with something else.

Checklist
- npm install && npm test passes

Description of change
This reverts commit 02480f6, thereby rolling back dependency make-fetch-happen from ^11.0.3 to ^10.0.3.

The upgrade is breaking for node-fetch users as it has transitive dependencies with syntax incompatible with supported Node.js versions.

Related:
- engines.node to ^14.17.0 || ^16.13.0 || >=18.0.0
- #2827
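To make the engines range discussed in this thread concrete, here is an added example (not code from node-gyp or from any commenter) that checks candidate Node.js versions against "^14.17.0 || ^16.13.0 || >=18.0.0", the way a package manager enforcing engines would. It implements only the caret, ">=" and "||" syntax that this range uses, which is an assumption of the example rather than a full semver parser.

```javascript
// Added example: evaluate the engines.node range from the PR description
// against candidate Node.js versions. Only the semver subset used by that
// range (caret, >=, ||) is supported; this is a deliberate simplification.
const ENGINES_NODE = '^14.17.0 || ^16.13.0 || >=18.0.0'; // quoted from the PR

// Parse "v18.0.0" / "18.0.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One comparator: "^X.Y.Z" means >= X.Y.Z and same major (X > 0, true for
// every Node release here); ">=X.Y.Z" means at least X.Y.Z, any major.
function satisfiesComparator(version, comp) {
  const m = /^(\^|>=)\s*v?(\d+\.\d+\.\d+)$/.exec(comp.trim());
  if (!m) throw new Error(`unsupported comparator: ${comp}`);
  const op = m[1];
  const base = parseVersion(m[2]);
  if (compare(version, base) < 0) return false;
  return op === '>=' ? true : version[0] === base[0];
}

// "||" joins alternatives; the range matches if any alternative matches.
function satisfies(versionString, range) {
  const version = parseVersion(versionString);
  return range.split('||').some((alt) => satisfiesComparator(version, alt));
}

// Decision a package manager would make for this project's engines field
// (yarn 1.x treats a mismatch as a fatal error by default, per the thread).
function engineCheck(versionString) {
  return satisfies(versionString, ENGINES_NODE);
}

if (typeof require !== 'undefined' && require.main === module) {
  const samples = ['14.16.0', '14.17.0', '16.13.0', '17.9.0', '18.0.0', process.version];
  for (const v of samples) {
    console.log(v.padEnd(10), engineCheck(v) ? 'supported' : 'NOT supported');
  }
}
```

Note that 17.x falls outside the range entirely: it is above ^16.13.0's major and below >=18.0.0, so a 17.x toolchain would be rejected even though it is newer than 16.13.0.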