And would you prefer @StephanHoyer's suggestion of just a very simple example demonstrating the counter-intuitive behavior?
I considered that, but my reservation was because I got the impression from you that you wanted something that actually demonstrated a problem in practice.
re: gendocs, while adding flems samples currently it was nice to get going with live update simply by using wright -e 'npm run gendocs;docs/**/*' dist/index.html
@isiahmeadows re. glob, alternatively, we can freeze the deps on the current version.
@barneycarroll I can trim the whole thing to just have a bunch of ellipses instead, which should help.
@pygy I like that better anyways.
For smaller libraries, I prefer inexact versions, but for something that's more than just a library, that's probably not a bad idea.
If a vulnerability is ever found, GitHub will tell us (assuming their UI improves a bit... the last time I looked into it they detected problematic packages, but did not link to the actual dep that imported it).
@pygy npm audit helps.
It gives you full dependency chains, too.
Updating ESLint will fix 4, updating gh-pages will fix 2, and BenchmarkJS just depends on an old Lodash version.
Really, none of this would be an issue if we had this (at least the ability to mark things as not affecting us).