Freshen up deps

[bcomnes]

Looking to close #92. Starting with all the outdated deps to get those out of the way.

The deps that need code changes appear to be:

√ gh-release % npm outdated
Package  Current  Wanted  Latest  Location
ghauth     3.2.1   3.2.1   4.0.0  gh-release
shelljs    0.3.0   0.3.0   0.8.4  gh-release
yargs      2.3.0   2.3.0  15.4.1  gh-release

Working on that part next.

[bcomnes]

Ok, deps are all up to date. This first and foremost will remove the security warnings.

Unfortunately, ghauth doesn't have a fix for the new endpoint yet, but I opened an upstream issue: rvagg/ghauth#26

I would hold off from releasing this (we can land the PR though) until I figure out a solution for the auth flow. It would be a nice contribution to ghuath to update it to the latest auth endpoint.

[ungoldman]

If this isn't a breaking change why not release now?

[bcomnes]

A bunch of deps raised the minimum node version required to run, so from that perspective its breaking, but if we already assumed LTS was always the minimum it wouldn't be. wdyt?

Breaking would be safer but more (easy) downstream work.

[bcomnes]

The new auth flow would likely be breaking, so I figured I would roll all this in with that.

[ungoldman]

ok makes sense to me. just like to avoid leaving things unreleased in master when possible -- we're all busy and it's entirely possible the new auth flow won't get dealt with soon

[bcomnes]

Sounds good. If the auth stuff stalls out for a bit, I can cut a release with just this. Whats your preference semverwise on just this portion of the work? (I think it should be major to be on the safe side).

[ungoldman]

considering this gets 16k downloads / month it would probably be better to be cautious and cut a major release -- I've been bitten enough by other module authors releasing breaking changes under a patch or minor to try to never do that to anyone else.

we could wait to merge this until the auth flow stuff is also ready to not do two major releases

[bcomnes]

Ok sounds good. Ill make a call to merge over the next week or so depending on upstream interest in the new device auth flow.

[ungoldman]

thanks bret, sorry to complicate it. appreciate the work

[paulcpederson]

Doing the good lordt's work here, @bcomnes much appreciated 👍

[bcomnes]

Pr opened: rvagg/ghauth#27

Any reviews appreciated. Biggest change that affects gh-release is the change from authUrl to githubHost.

- the `options.authUrl` (default: `https://api.github.com/authorizations`) is removed in favor of `options.githubHost` (default `github.com`).

The reason being, there are a ton more URLs and subdomains involved now, so providing the host seems like the best thing to customize.

UPDATE:

This is no longer true. options.authUrl is untouched now.

[bcomnes]

Looks like we've stalled out upstream. Thinking now that we should land this work, and then just break again when upstream gh auth is out. We have till November in theory.

[ungoldman]

@bcomnes we could fork ghauth until upstream is responsive -- not sure if rvagg is actively maintaining ghauth anymore

[bcomnes]

Definitely an option I was thinking about. Would be nice to at least get his input on the desired outcome. I'll give it a couple of weeks.

[bcomnes]

Ok, I forked ghauth for the time being, while we wait for upstream. Going to test this out a few more times and cut a major release.

[bcomnes]

Found a bug where the error messaging is terrible when you try to release to an org that is lacking permissions for the new oauth scoped tokens. Going to improve that.

[bcomnes]

Ok, all good. Can't really tell the difference between a 404 or a bad org permissions setting, so I'll just rely on the context of where the error happens. Will improve if needed.

[bcomnes]

OK, going to cut a major on this.

[bcomnes]

Ok this is out in 4.0.0

[paulcpederson]

Thanks @bcomnes !