Thank you for maintaining this package - I use it in my own tool.
I am trying to upgrade some packages at the moment to remove dependencies on certain versions of minimatch. While doing that I noticed that all version 6 releases of this package depend upon version 5.2.2 of this package.
I thought perhaps this was some backwards-compatibility thing - or perhaps a mistake? I couldn't find any imports of the v5 config.
```
$ npm view eslint-config-oclif@6 dependencies | grep eslint-config-oclif | head -n 10
eslint-config-oclif@6.0.0 {
'eslint-config-oclif': '^5.2.2',
eslint-config-oclif@6.0.1 {
'eslint-config-oclif': '^5.2.2',
eslint-config-oclif@6.0.2 {
'eslint-config-oclif': '^5.2.2',
eslint-config-oclif@6.0.3 {
'eslint-config-oclif': '^5.2.2',
eslint-config-oclif@6.0.4 {
'eslint-config-oclif': '^5.2.2',
```
Removing the unused self-dependency drops the nested v5 install and its vulnerable transitive deps (including old minimatch), so npm audit stops flagging those issues.
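
As an added example (not part of the original report or the project's code), this Node.js check scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) for installed packages that list their own name as a dependency, and reports what is installed only beneath the nested copy. The lockfile excerpt, the `my-tool` root package and all version values in it are constructed sample data.

```javascript
// Constructed package-lock.json excerpt (lockfileVersion 3); versions are sample values.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-tool", version: "1.0.0", devDependencies: { "eslint-config-oclif": "^6.0.4" } },
    "node_modules/eslint-config-oclif": {
      version: "6.0.4",
      dependencies: { "eslint-config-oclif": "^5.2.2" },
    },
    "node_modules/eslint-config-oclif/node_modules/eslint-config-oclif": {
      version: "5.2.2",
      dependencies: { minimatch: "*" },
    },
    "node_modules/eslint-config-oclif/node_modules/eslint-config-oclif/node_modules/minimatch": {
      version: "0.0.0-constructed",
    },
  },
};

// Package name for a lockfile path key: the text after the last "node_modules/".
// This also yields "@scope/pkg" for scoped packages; the root entry ("") uses its name field.
function nameOf(path, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Report every installed package that depends on its own name, together with
// the packages that exist in the tree only underneath the nested copy.
function findSelfDependencies(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const name = nameOf(path, entry);
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    if (!name || !(name in deps)) continue;
    const nestedPath = `${path}/node_modules/${name}`;
    const nested = packages[nestedPath]; // absent if npm resolved the copy elsewhere
    const pulledIn = Object.keys(packages)
      .filter((p) => p.startsWith(`${nestedPath}/node_modules/`))
      .map((p) => `${nameOf(p, packages[p])}@${packages[p].version}`);
    findings.push({ name, version: entry.version, range: deps[name],
      nestedVersion: nested ? nested.version : null, pulledIn });
  }
  return findings;
}

console.log(JSON.stringify(findSelfDependencies(sampleLock), null, 2));
```

To run it against a real project, pass the parsed contents of that project's package-lock.json to `findSelfDependencies` instead of `sampleLock`.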