Skip to content

Bump the npm_and_yarn group across 2 directories with 3 updates#33703

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/docs/npm_and_yarn-af060603a4
Closed

Bump the npm_and_yarn group across 2 directories with 3 updates#33703
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/docs/npm_and_yarn-af060603a4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 2, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 2 updates in the /docs directory: rollup and tar.
Bumps the npm_and_yarn group with 2 updates in the /marketplace directory: flatted and tar.

Updates rollup from 4.40.0 to 4.60.1

Release notes

Sourced from rollup's releases.

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

v4.60.0

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

v4.59.1

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates tar from 7.5.10 to 7.5.13

Commits

Updates rollup from 4.40.0 to 4.60.1

Release notes

Sourced from rollup's releases.

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

v4.60.0

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

v4.59.1

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

4.60.0

2026-03-22

Features

  • Support source phase imports as long as they are external (#6279)

Pull Requests

4.59.1

2026-03-21

Bug Fixes

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates tar from 7.5.10 to 7.5.13

Commits

Updates tar from 7.5.10 to 7.5.13

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates tar from 7.5.10 to 7.5.13

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates tar from 7.5.10 to 7.5.13

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates tar from 7.5.10 to 7.5.13

Commits

@dependabot dependabot Bot added dependencies javascript Pull requests that update Javascript code labels Apr 2, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 2, 2026 19:30
@dependabot dependabot Bot added dependencies javascript Pull requests that update Javascript code labels Apr 2, 2026
@greptile-apps

greptile-apps Bot commented Apr 2, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This dependabot PR bumps rollup (4.40.0→4.60.1), tar (7.5.10→7.5.13, security fixes), and flatted (3.3.3→3.4.2, CWE-1321 prototype-pollution fix) across the /docs and /marketplace directories. However, js_modules/app-oss/package.json also includes an undescribed major version bump of next from ^15.5.14 to ^16.2.2 that is not part of the stated dependabot group and warrants explicit review before merging.

Confidence Score: 4/5

Safe to merge after confirming the unexpected Next.js major version bump in js_modules/app-oss/package.json is intentional.

The security-motivated dependency bumps for tar and flatted are straightforward and desirable. The undescribed major version change for next (15→16) in an unrelated file is a P1 concern that should be confirmed before merging.

js_modules/app-oss/package.json — contains an undocumented Next.js major version bump unrelated to the PR description.

Important Files Changed

Filename Overview
js_modules/app-oss/package.json Contains an undescribed major version bump of next from ^15.5.14 to ^16.2.2, not mentioned in the PR description and unrelated to the stated rollup/tar/flatted updates.
docs/yarn.lock Lock file updated to reflect rollup 4.40.0→4.60.1 and tar 7.5.10→7.5.13 bumps in the docs directory; changes look correct.
marketplace/yarn.lock Lock file updated to reflect flatted 3.3.3→3.4.2 (fixes CWE-1321 prototype pollution) and tar 7.5.10→7.5.13 security fixes; looks correct.
examples/docs_projects/project_etl_tutorial/dashboard/package-lock.json Lock file updated for rollup 4.59.0→4.60.1 bump; all native platform packages updated consistently.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[dependabot PR] --> B[/docs directory/]
    A --> C[/marketplace directory/]
    A --> D[js_modules/app-oss - unexpected]

    B --> B1[rollup 4.40.0 → 4.60.1]
    B --> B2[tar 7.5.10 → 7.5.13\nsecurity fix]

    C --> C1[flatted 3.3.3 → 3.4.2\nCWE-1321 fix]
    C --> C2[tar 7.5.10 → 7.5.13\nsecurity fix]

    D --> D1["next ^15.5.14 → ^16.2.2\n⚠️ major bump, undescribed"]

    style D fill:#ffcccc
    style D1 fill:#ffcccc
Loading

Reviews (1): Last reviewed commit: "Bump the npm_and_yarn group across 2 dir..." | Re-trigger Greptile

Comment thread js_modules/app-oss/package.json Outdated
"eslint-config-next": "^15.3.3",
"graphql": "^16.8.1",
"next": "^15.5.14",
"next": "^16.2.2",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Undescribed major next version bump

This PR is described as bumping rollup, tar, and flatted in the /docs and /marketplace directories, but this file contains an unrelated major version bump of next from ^15.5.14 to ^16.2.2. A caret range change from ^15.x to ^16.x is a breaking major version upgrade that isn't mentioned in the PR description and doesn't appear to be part of the stated dependabot group update. This should either be explicitly called out (with any Next.js 16 migration steps verified) or reverted if it was accidentally included.

Bumps the npm_and_yarn group with 2 updates in the /docs directory: [rollup](https://github.com/rollup/rollup) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 2 updates in the /marketplace directory: [flatted](https://github.com/WebReflection/flatted) and [tar](https://github.com/isaacs/node-tar).


Updates `rollup` from 4.40.0 to 4.60.1
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.40.0...v4.60.1)

Updates `tar` from 7.5.10 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.10...v7.5.13)

Updates `rollup` from 4.40.0 to 4.60.1
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.40.0...v4.60.1)

Updates `tar` from 7.5.10 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.10...v7.5.13)

Updates `tar` from 7.5.10 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.10...v7.5.13)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `tar` from 7.5.10 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.10...v7.5.13)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `tar` from 7.5.10 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.10...v7.5.13)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `tar` from 7.5.10 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.10...v7.5.13)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.60.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/docs/npm_and_yarn-af060603a4 branch from 288dac1 to e3e1e6f Compare April 13, 2026 14:00
@dependabot @github

dependabot Bot commented on behalf of github Apr 17, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 17, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/docs/npm_and_yarn-af060603a4 branch April 17, 2026 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants