
Unpin dependencies #2026

Open
richardsimko opened this issue Mar 29, 2025 · 3 comments · May be fixed by #2028
Labels
Type: Bug Confirmed bug

Comments

richardsimko commented Mar 29, 2025

Describe the Bug

I tried to find some previous discussions about why the dependencies are pinned but could only find this unanswered question: #921

It's generally considered bad practice to pin dependencies in libraries; pinning dependencies should be done by the consumer. There are a few reasons for this:

  1. Duplication (as mentioned in the thread): multiple different minor or patch versions of a transitive dependency might (will) need to be installed, slowing down install times.
  2. Security updates should be decoupled from dependency releases. See, for example, "react-email depends on a vulnerable version of esbuild" (#1962), "NPM dependency vulnerability (moderate) - react-email >=3.0.4 depends on vulnerable versions of next" (#1856), "react-email depends on vulnerable version of next (15.1.2)" (#2025), "chore(deps): bump next from 15.0.4 to 15.2.3 in /examples/resend" (#1966) and several others. In our project we currently have 3 open Dependabot alerts, all are because of react-email and all could have been fixed with an updated lockfile if the dependencies of react-email were more permissive (minor or patch version updates). Instead we have to wait for react-email to update these.

Looking through our list of dependencies (about 150), react-email is one of just 3 that have pinned dependencies.

Which package is affected (leave empty if unsure)

react-email

Link to the code that reproduces this issue

N/A

To Reproduce

N/A

Expected Behavior

Unpinned dependencies with ^ (or at least ~) so that consumers can update minor and patch versions while keeping devDependencies pinned.

What's your node version? (if relevant)

No response

@richardsimko richardsimko added the Type: Bug Confirmed bug label Mar 29, 2025
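To make the "updated lockfile" argument above concrete, here is an added example (not code from react-email or from the issue author) that implements the three npm range styles the report contrasts, exact pin, `~` and `^`, and checks which of them would let a consumer move from the `next` version a library declared to the patched version by refreshing the lockfile alone. The `15.0.4` and `15.2.3` values come from the #1966 title quoted above; the function names are this example's own.

```javascript
// Added example: would a library's declared range let a consumer's
// lockfile refresh pick up a newer (fixed) version of the dependency?
// Implements npm's exact, tilde (~) and caret (^) range semantics for
// plain MAJOR.MINOR.PATCH versions (no prerelease tags).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `candidate` is allowed by `range` and is not older than the
// base version the range was declared against.
function satisfies(range, candidate) {
  const op = range.startsWith('^') ? '^' : range.startsWith('~') ? '~' : '';
  const [bMaj, bMin, bPat] = parseVersion(range.slice(op.length));
  const [cMaj, cMin, cPat] = parseVersion(candidate);
  const notOlder =
    cMaj > bMaj ||
    (cMaj === bMaj && (cMin > bMin || (cMin === bMin && cPat >= bPat)));
  if (!notOlder) return false;
  if (op === '') return cMaj === bMaj && cMin === bMin && cPat === bPat; // pinned
  if (op === '~') return cMaj === bMaj && cMin === bMin; // patch updates only
  // caret: same major; below 1.0.0 the minor (or, for 0.0.x, the patch)
  // is the breaking-change boundary, matching npm's rules
  if (bMaj === 0 && bMin === 0) return cMaj === 0 && cMin === 0 && cPat === bPat;
  if (bMaj === 0) return cMaj === 0 && cMin === bMin;
  return cMaj === bMaj;
}

// For one declared base version, report which declaration style would let
// a consumer reach `fixedVersion` without waiting for a library release.
function upgradePaths(base, fixedVersion) {
  return {
    pinned: satisfies(base, fixedVersion),
    tilde: satisfies(`~${base}`, fixedVersion),
    caret: satisfies(`^${base}`, fixedVersion),
  };
}

// Constructed sample using the versions cited in the issue: the library
// declared next 15.0.4, the fix shipped in 15.2.3 (a minor bump).
console.log(upgradePaths('15.0.4', '15.2.3')); // { pinned: false, tilde: false, caret: true }
```

Only the caret range would have let a consumer's `npm update` reach 15.2.3; a tilde range would still have required a library release for a minor bump, which is the trade-off the report's "or at least ~" acknowledges.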
CHC383 commented Mar 29, 2025

A few more examples of prettier version conflicts that lead to consumer-side failures.

@CHC383 CHC383 linked a pull request Mar 29, 2025 that will close this issue
CHC383 commented Mar 29, 2025

BTW, even the most recent react-email v4 release (a month after the last v3 release) didn't include the merged security fixes #1904 and #1949, so I think it is better to unpin the dependencies to decouple the security updates from the release, and relieve the maintenance burden from the react-email team.

gabrielmfern (Collaborator) commented

Good points, yeah. I think we'll do this. Will discuss with the team.
