Can we still maintain a 2.x branch? #3204
Comments
|
You can always create a fork I suppose. This is how the things are supposed to work in a perfect open-source minded world (fork fork fork) - strange they never do in the reality :). |
|
It's actually not so. There are tons of projects depending on |
|
In case I got you wrong, I'm willing to help if the suggestion is acceptable and owners are to help updating npm packages, not to tell me to publish my own |
|
You are ignoring the fact that there's nearly zero efforts in shallow copying such fork back here and then releasing it under "the official" credential (so user don't even notice anything). But, you know... I just suspect that in:
... by we you mean ... who exactly? And when things will go wrong and users come here complaining about issues who would be "responsible for response"? Maintenance is the main problem (obviously changing one or two characters in
Neither I see any problem with this. If they do care then they'll switch. If they don't then it's EPTH. "Reality" does not mean putting all burden on developers. |
No. Of course I'm aware of modification is dead simple in this case. The key point is that whether we can continue to publish to npm in the name of
I deliberately used "we", just to avoid implying it's the responsibility of any specific person. "We" can be project owners, myself, or anybody in the Less community who is willing to help.
Am I missing something? How does this come from? I'm not "assigning" anyone to take the responsibility. If we share common opinion on the request, we can make the project itself better, rather than splitting into different forks which confuses users. How would forking and releasing a modified version silently be better than discussing this with project owners first? |
Which breaking changes? |
|
As to the general question of doing a 2.x future release, if someone wants to maintain that, I'd have nothing against that. It's more publishing / maintenance work, so I'd love if someone wants to be added as an NPM publisher. I'm still waiting for someone else to take on that role. |
|
We are having the same issue, but with v1. We are (unfortunately) still using v1.6.3 which has a (potential) security vulnerability, which is now showing up quite prominent with the new npm client (see npm audit). Also here, an update within the |
|
@matz3 There haven't been that many backwards-incompatible changes over the years. Have you tried upgrading? |
|
Less doesn't really have enough maintainers at the moment to properly maintain a current release, let alone two separate major releases, so I think this issue should be closed as something we can't really do without more contributors. |
|
Closing as won't fix. |
2 → 3 introduced breaking changes and some people may still have to stuck with 2.x for some time. Can we still maintain a
2.xbranch and release more 2.x versions to fix security vulnerabilities inside dependencies (by just updatingpackage.json)? eg.2.7.3had fixed the version ofrequestto2.81.0which depend on a risky[email protected]. We may just need to updaterequestto2.82.0.The text was updated successfully, but these errors were encountered: