Unpin dependencies where possible

[billyjanitsch]

Do you want to request a feature or report a bug?

Bug.

What is the current behavior?

Currently the dependencies on log-symbols and yargs are pinned to exact versions. Is there any reason for this?

(I realize there are reasons not to upgrade yargs to 11.x but it's currently pinned to a specific 9.x version, i.e. 9.0.1 rather than ^9.0.1)

What is the expected behavior?

The dependencies on log-symbols and yargs are declared as ^2.2.0 and ^9.0.1, respectively.

If this is a feature request, what is motivation or use case for changing the behavior?

Generally pinning dependencies is bad for the ecosystem because it prevents deduping between packages.

[dhruvdutt]

@billyjanitsch You can check comments on this PR #290.

[evenstensberg]

Thanks for submitting an issue! We (with good purpose) didn't upgrade Yargs, as there was a security compromisation reported from the most recent version!

[billyjanitsch]

This issue isn't about upgrading, though. It's about unpinning.

The security compromisation is for 11.x, right? I'm suggesting that webpack-cli should depend on yargs@^9.0.1 and log-symbols@^2.2.0 (instead of yargs@9.0.1 and log-symbols@2.2.0). This would not cause yargs 11.x to be installed.

[montogeek]

What is wrong with have those dependencies pinned?

[billyjanitsch]

@montogeek I mentioned above:

Generally pinning dependencies is bad for the ecosystem because it prevents deduping between packages.

It's not incorrect, it just results in a larger average install size.