Updating various 3rd party dependencies in composer and npm to make dependabot happy.
Category | ⇒ | External Library Composer Change NPM Change |
Status | New | ⇒ | Pending |
This pr is not complete. You need to run the build scripts locally and you will see that they generate additional changed files that you need to add to this PR as well.
In addition I can see at least one major library (codemirror) that has not been updated and is now at least 5 versions out of date despite our package.json allowing for it to be updated.
Category | External Library Composer Change NPM Change | ⇒ | External Library Composer Change NPM Change Front End Plugins Templates (site) |
Labels | Added: Composer Dependency Changed, NPM Resource Changed |
> This pr is not complete. You need to run the build scripts locally and you will see that they generate additional changed files that you need to add to this PR as well.
Good catch, fixed!
> In addition I can see at least one major library (codemirror) that has not been updated and is now at least 5 versions out of date despite our package.json allowing for it to be updated.
The PR is not a generic "update all the things" PR, but specifically limited to dependencies that have received upstream security changes.
> The PR is not a generic "update all the things" PR, but specifically limited to dependencies that have received upstream security changes.
You are assuming that they all publish if an update is security related.
In maintainers we discussed this topic and came to the conclusion that general updates of dependencies should only be made in minor versions to ensure stability for the current release stream. Except when there are security issues, then this needs to be made in patch releases. This is not something Mr Jardin does now for fun, he follows the process.
It is still making an assumption that is risky - but clearly I am in a minority. Would be good to see this policy documented as there is none for patch releases.
Agree that this needs to be better documented. For now this is mentioned in the meeting report here https://volunteers.joomla.org/teams/cms-maintenance-team/reports/1744-meeting-notes-june-08-2022.
I have tested this item
does what it says
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-12-21 22:29:48 |
Closed_By | ⇒ | wilsonge | |
I have tested this item unsuccessfully on 56f6754
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39433.