If Alex agrees to do that within 5.1, let’s do that next week when you are available.
Let’s do it
Thanks for updating stage, composer and components.
I found that dependabot also created PRs for topology and common. As lodash is not a direct dependency of any of those packages, those PRs update lock files only. I roughly checked what the reason is, and it looks like at least babel could be upgraded to provide a newer version of lodash, but probably there is more. Could you check that? I’d be grateful.
IMHO if there are many to update, let’s then just merge those bump PRs. If we can avoid fixing only lock files (which can be easily lost when doing npm install), then great.
For topology and common, the affected lodash version is an indirect devDependency. So far we paid zero attention to devDependencies security alerts. I’d just merge these PRs and put no further effort into it.
OK, this is what I’ll do.