Related to https://github.com/marcelklehr/toposort/issues/20
Please fix all your dependencies and test before updating, do not rely on other people's releases to keep things up to date.
Unhandled rejection Error: Cyclic dependency: "[object Object]" node_modules/toposort/index.js:32:13)
"toposort": "1.0.3"
1.0.4 works as well as a temporary fix, but the package.json on this repo needs to be fixed! Why is this library auto updating its dependencies? They should all be fixed!
I agree with you, autoupdate should not be given in package.json for any 3rd party libraries.
toposort is not being a good citizen, and has a breaking change in a patch. Locking deps isn't the solution really imo
I disagree, locking prevents others from breaking the library, but it looks like a revert went out. I understand the importance of trust, but when thousands of apps rely on html webpack, a quality assurance of versioning I think is important. Please consider fixing dependencies in the future
@evanjmg, I think this should not be closed; fixing dependencies is a priority request.
@damsorian I guess it's up to the contributors and owner to decide, I guess I can leave this open until someone else closes it.
I'm leaving it to @jantimon to decide, but I don't think libraries should fix their dependencies
If you want to be safe, then lock your dependencies on your side
Please read: https://github.com/sindresorhus/ama/issues/479
Totally agree with mastilver - maybe toposort could roll back and release the changes as a breaking change according to semver
@marcelklehr what do you think?
First up: I'm very sorry for screwing things up royally. Yes, I did a rollback yesterday. The cause was a buggy PR that didn't get caught by the tests, but ultimately this likely wouldn't have affected this many people if I had followed semver to the point and released the new version as a minor release instead of a patch.
My two cents: Fixing deps is a difficult decision. I don't know the best way to go there. Some people argue there are more good updates than bad ones; others argue that if there is a bad update, you are safe if the deps are fixed. IMO, it depends on how dedicated the maintainer of the library is. If they frequently check their deps for updates, I think it's ok to fix them; if they don't, I'd rather they don't fix them. But then, what is "frequently"?
Thank you everyone for all your inputs!
And thank you @marcelklehr for toposort. Only those who never published their work never published a bad release; it happens to the best of us! :)
So in conclusion, I'm closing this issue. As I said earlier, if you want fixed dependencies, just use an npm-lock.json or yarn.lock
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.