Node-postgres: Use of semver package in pg module

Created on 12 Mar 2020  路  4Comments  路  Source: brianc/node-postgres

Current version of semver is 7.1.3. The package.json of pg module depends on semver version 4.3.2 . Is this intentional?

A license field update was carried out in the package semver after 4.3.2 .
https://github.com/npm/node-semver/commit/70d7835868fea1d43f625098cc947b48e7f87e9f

Users of pg module misses out on this critical update in semver package.

picture jilvin

All 4 comments

Aren鈥檛 the BSD and ISC licenses equivalent in permissions? Not sure how that鈥檚 a critical update.

charmander picture charmander on 12 Mar 2020
👍1

IANAL

The issue was that license mentioned in the package.json was BSD and not BSD 3 Clause(new). The original BSD has an advertising clause. The commit referred updated both license and the licence field within package.json .

jilvin picture jilvin on 13 Mar 2020

spdx-expression-parse also chokes on the string "BSD" because that's not a valid identifier. See https://github.com/jslicense/spdx-expression-parse.js/issues/11

If you use LicenseWebpackPlugin and use spdx-satisfies as suggested in their documentation pg's dependency on this old version of semver will cause the plugin to choke.

kwasimensah picture kwasimensah on 30 Apr 2020
👍1

This code is so old it can probably be safely removed, honestly. It was added when I was adding breaking changes to pg-native relatively frequently. I'll see about just deleting it & managing it better w/ an optionalDependencies field in package.json or something.

brianc picture brianc on 8 May 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

wrod7 picture wrod7  路  4Comments
chrisjensen picture chrisjensen  路  4Comments
LukeSchlangen picture LukeSchlangen  路  4Comments
tonylukasavage picture tonylukasavage  路  4Comments
KeynesYouDigIt picture KeynesYouDigIt  路  3Comments