Pull request overview
This PR updates the repo’s JavaScript toolchain versions (Node/npm/pnpm) and refreshes the pnpm lockfile to reflect deduped/resolved dependency graph changes across workspaces.
Changes:
- Bump declared toolchain versions in .prototools (Node, npm, pnpm).
- Update pnpm-lock.yaml dependency resolutions (notably peer tuples using @types/node@22.10.1) and snapshot deduplication.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .prototools | Updates pinned Node/npm/pnpm versions used by the repo toolchain. |
| pnpm-lock.yaml | Refreshes the lockfile with updated peer resolution tuples/deduped snapshots; records a deprecation notice for a vulnerable transitive dependency. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| pnpm = "10.28.2" | ||
| node = "20.20.1" | ||
| npm = "11.12.0" | ||
| pnpm = "10.32.1" |
pnpm is bumped here, but the repo still pins an older pnpm in the root package.json via the packageManager field (currently pnpm@10.28.2). This makes the declared toolchain inconsistent and can cause CI/local installs to use a different pnpm than intended; update the packageManager value (or remove it if the repo standard is .prototools only) to match this change.
| basic-ftp@5.0.4: | ||
| resolution: {integrity: sha512-8PzkB0arJFV4jJWSGOYR+OEic6aeKMu/osRhBULN6RY0ykby6LKhbmuQ5ublvaas5BOwboah5D87nrHyuh8PPA==} | ||
| engines: {node: '>=10.0.0'} | ||
| deprecated: Security vulnerability fixed in 5.2.0, please upgrade | ||
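Review bot: the deprecated: line on basic-ftp@5.0.4 is only a recorded notice, so an install from this lockfile still resolves 5.0.4 even though the notice names 5.2.0 as the fixed release. Run pnpm why basic-ftp to see which dependent pulls it in, then bump that dependent or add an override so the entry resolves to 5.2.0 or later before this lockfile refresh is merged.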
The lockfile now records basic-ftp@5.0.4 as deprecated due to a security vulnerability fixed in 5.2.0. Since this repo is actively updating/deduplicating dependencies, it would be better to ensure the vulnerable version is not kept in the graph (e.g., by upgrading the parent dependency that brings it in, or adding a pnpm overrides/resolutions rule to force basic-ftp@>=5.2.0 if compatible).
| basic-ftp@5.0.4: | |
| resolution: {integrity: sha512-8PzkB0arJFV4jJWSGOYR+OEic6aeKMu/osRhBULN6RY0ykby6LKhbmuQ5ublvaas5BOwboah5D87nrHyuh8PPA==} | |
| engines: {node: '>=10.0.0'} | |
| deprecated: Security vulnerability fixed in 5.2.0, please upgrade |
This PR updates the toolchain (node, npm, pnpm) to the newest versions and deduplicates packages
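
The second review comment asks that the vulnerable basic-ftp version not stay in the dependency graph. The following is an added example, not code from this PR or from Copilot's review: a lockfile check that lists `packages:` entries whose `deprecated:` notice mentions a security issue. The function names, the keyword pattern and the sample lockfile text are assumptions made for illustration.

```javascript
// Added example, not code from this PR. Assumes the lockfile layout shown in the
// excerpt above: under "packages:", each entry is a 2-space-indented
// "name@version:" key whose fields are indented 4 spaces.
const SECURITY_RE = /\b(security|vulnerab\w*|CVE-\d{4}-\d+)\b/i;

function findDeprecated(lockText) {
  const findings = [];
  let section = null; // current top-level key (packages, snapshots, ...)
  let current = null; // current "name@version" inside packages:
  for (const line of lockText.split(/\r?\n/)) {
    const top = /^([A-Za-z]\w*):\s*$/.exec(line);
    if (top) { section = top[1]; current = null; continue; }
    if (section !== 'packages') continue;
    const key = /^ {2}'?([^\s'].*?)'?:\s*$/.exec(line);
    if (key) { current = key[1]; continue; }
    const dep = /^ {4}deprecated:\s*(.+)$/.exec(line);
    if (!dep || !current) continue;
    const at = current.lastIndexOf('@'); // scoped names start with '@' too
    const message = dep[1].trim().replace(/^(['"])(.*)\1$/, '$2');
    findings.push({ name: current.slice(0, at), version: current.slice(at + 1),
      message, security: SECURITY_RE.test(message) });
  }
  return findings;
}

// Entries a CI gate should refuse to merge.
function securityBlockers(lockText) {
  return findDeprecated(lockText)
    .filter((f) => f.security)
    .map((f) => `${f.name}@${f.version}`);
}

// Constructed sample; integrity values are placeholders, @example/old-lib is made up.
const sampleLock = [
  "lockfileVersion: '9.0'",
  'packages:',
  '  basic-ftp@5.0.4:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
  "    engines: {node: '>=10.0.0'}",
  '    deprecated: Security vulnerability fixed in 5.2.0, please upgrade',
  "  '@example/old-lib@1.0.0':",
  '    deprecated: Renamed to @example/new-lib',
  'snapshots:',
  '  basic-ftp@5.0.4: {}',
].join('\n');

console.log(securityBlockers(sampleLock)); // [ 'basic-ftp@5.0.4' ]
```

In CI, pass the contents of the real pnpm-lock.yaml to `securityBlockers` and exit non-zero when the returned list is not empty.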