Bump the npm_and_yarn group across 2 directories with 3 updates#33703
Bump the npm_and_yarn group across 2 directories with 3 updates#33703dependabot[bot] wants to merge 1 commit into
Conversation
Greptile SummaryThis dependabot PR bumps Confidence Score: 4/5Safe to merge after confirming the unexpected Next.js major version bump in js_modules/app-oss/package.json is intentional. The security-motivated dependency bumps for tar and flatted are straightforward and desirable. The undescribed major version change for next (15→16) in an unrelated file is a P1 concern that should be confirmed before merging. js_modules/app-oss/package.json — contains an undocumented Next.js major version bump unrelated to the PR description.
|
| Filename | Overview |
|---|---|
| js_modules/app-oss/package.json | Contains an undescribed major version bump of next from ^15.5.14 to ^16.2.2, not mentioned in the PR description and unrelated to the stated rollup/tar/flatted updates. |
| docs/yarn.lock | Lock file updated to reflect rollup 4.40.0→4.60.1 and tar 7.5.10→7.5.13 bumps in the docs directory; changes look correct. |
| marketplace/yarn.lock | Lock file updated to reflect flatted 3.3.3→3.4.2 (fixes CWE-1321 prototype pollution) and tar 7.5.10→7.5.13 security fixes; looks correct. |
| examples/docs_projects/project_etl_tutorial/dashboard/package-lock.json | Lock file updated for rollup 4.59.0→4.60.1 bump; all native platform packages updated consistently. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[dependabot PR] --> B[/docs directory/]
A --> C[/marketplace directory/]
A --> D[js_modules/app-oss - unexpected]
B --> B1[rollup 4.40.0 → 4.60.1]
B --> B2[tar 7.5.10 → 7.5.13\nsecurity fix]
C --> C1[flatted 3.3.3 → 3.4.2\nCWE-1321 fix]
C --> C2[tar 7.5.10 → 7.5.13\nsecurity fix]
D --> D1["next ^15.5.14 → ^16.2.2\n⚠️ major bump, undescribed"]
style D fill:#ffcccc
style D1 fill:#ffcccc
Reviews (1): Last reviewed commit: "Bump the npm_and_yarn group across 2 dir..." | Re-trigger Greptile
| "eslint-config-next": "^15.3.3", | ||
| "graphql": "^16.8.1", | ||
| "next": "^15.5.14", | ||
| "next": "^16.2.2", |
There was a problem hiding this comment.
Undescribed major
next version bump
This PR is described as bumping rollup, tar, and flatted in the /docs and /marketplace directories, but this file contains an unrelated major version bump of next from ^15.5.14 to ^16.2.2. A caret range change from ^15.x to ^16.x is a breaking major version upgrade that isn't mentioned in the PR description and doesn't appear to be part of the stated dependabot group update. This should either be explicitly called out (with any Next.js 16 migration steps verified) or reverted if it was accidentally included.
Bumps the npm_and_yarn group with 2 updates in the /docs directory: [rollup](https://github.com/rollup/rollup) and [tar](https://github.com/isaacs/node-tar). Bumps the npm_and_yarn group with 2 updates in the /marketplace directory: [flatted](https://github.com/WebReflection/flatted) and [tar](https://github.com/isaacs/node-tar). Updates `rollup` from 4.40.0 to 4.60.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.40.0...v4.60.1) Updates `tar` from 7.5.10 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.10...v7.5.13) Updates `rollup` from 4.40.0 to 4.60.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.40.0...v4.60.1) Updates `tar` from 7.5.10 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.10...v7.5.13) Updates `tar` from 7.5.10 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.10...v7.5.13) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `tar` from 7.5.10 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.10...v7.5.13) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `tar` from 7.5.10 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.10...v7.5.13) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `tar` from 7.5.10 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.10...v7.5.13) --- updated-dependencies: - dependency-name: rollup dependency-version: 4.60.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
288dac1 to
e3e1e6f
Compare
|
Looks like these dependencies are updatable in another way, so this is no longer needed. |
Bumps the npm_and_yarn group with 2 updates in the /docs directory: rollup and tar.
Bumps the npm_and_yarn group with 2 updates in the /marketplace directory: flatted and tar.
Updates
rollupfrom 4.40.0 to 4.60.1Release notes
Sourced from rollup's releases.
... (truncated)
Changelog
Sourced from rollup's changelog.
... (truncated)
Commits
ae871d74.60.151f8f60fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274)...ca55406chore(deps): pin dependency typescript to v5 (#6320)fe50d86chore(deps): pin dependencies (#6317)42785ffchore(deps): update minor/patch updates (#6319)65e82a9chore(deps): update msys2/setup-msys2 digest to cafece8 (#6318)c336205chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (#6321)b25d25efix(deps): update swc monorepo (major) (#6322)119abdbchore(deps): lock file maintenance (#6324)5598a66chore(deps): lock file maintenance (#6323)Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.
Install script changes
This version modifies
preparescript that runs during installation. Review the package contents before updating.Updates
tarfrom 7.5.10 to 7.5.13Commits
d6611ae7.5.13119c401fix(extract): prevent raced symlink writes outside cwd2a294d37.5.1201082a4fix: reject top promise on floating addFilesAsync rejectionsdd1c36alinting35a1ffedoc: more clarity in security warningbf776f67.5.11f48b5faprevent escaping symlinks with drive-relative paths97cff15docs: more security infoUpdates
rollupfrom 4.40.0 to 4.60.1Release notes
Sourced from rollup's releases.
... (truncated)
Changelog
Sourced from rollup's changelog.
... (truncated)
Commits
ae871d74.60.151f8f60fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274)...ca55406chore(deps): pin dependency typescript to v5 (#6320)fe50d86chore(deps): pin dependencies (#6317)42785ffchore(deps): update minor/patch updates (#6319)65e82a9chore(deps): update msys2/setup-msys2 digest to cafece8 (#6318)c336205chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (#6321)b25d25efix(deps): update swc monorepo (major) (#6322)119abdbchore(deps): lock file maintenance (#6324)5598a66chore(deps): lock file maintenance (#6323)Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.
Install script changes
This version modifies
preparescript that runs during installation. Review the package contents before updating.Updates
tarfrom 7.5.10 to 7.5.13Commits
d6611ae7.5.13119c401fix(extract): prevent raced symlink writes outside cwd2a294d37.5.1201082a4fix: reject top promise on floating addFilesAsync rejectionsdd1c36alinting35a1ffedoc: more clarity in security warningbf776f67.5.11f48b5faprevent escaping symlinks with drive-relative paths97cff15docs: more security infoUpdates
tarfrom 7.5.10 to 7.5.13Commits
d6611ae7.5.13119c401fix(extract): prevent raced symlink writes outside cwd2a294d37.5.1201082a4fix: reject top promise on floating addFilesAsync rejectionsdd1c36alinting35a1ffedoc: more clarity in security warningbf776f67.5.11f48b5faprevent escaping symlinks with drive-relative paths97cff15docs: more security infoUpdates
flattedfrom 3.3.3 to 3.4.2Commits
3bf09093.4.2885ddccfix CWE-13210bdba70added flatted-view to the benchmark2a02dce3.4.1fba4e8fMerge pull request #89 from WebReflection/python-fix5fe8648added "when in Rome" also a test for PHP53517adsome minor improvementb3e2a0cFixing recursion issue in Python tooc4b46dbAdd SECURITY.md for security policy and reportingf86d071Create dependabot.yml for version updatesUpdates
tarfrom 7.5.10 to 7.5.13Commits
d6611ae7.5.13119c401fix(extract): prevent raced symlink writes outside cwd2a294d37.5.1201082a4fix: reject top promise on floating addFilesAsync rejectionsdd1c36alinting35a1ffedoc: more clarity in security warningbf776f67.5.11f48b5faprevent escaping symlinks with drive-relative paths97cff15docs: more security infoUpdates
flattedfrom 3.3.3 to 3.4.2Commits
3bf09093.4.2885ddccfix CWE-13210bdba70added flatted-view to the benchmark2a02dce3.4.1fba4e8fMerge pull request #89 from WebReflection/python-fix5fe8648added "when in Rome" also a test for PHP53517adsome minor improvementb3e2a0cFixing recursion issue in Python tooc4b46dbAdd SECURITY.md for security policy and reportingf86d071Create dependabot.yml for version updatesUpdates
tarfrom 7.5.10 to 7.5.13Commits
d6611ae7.5.13119c401fix(extract): prevent raced symlink writes outside cwd2a294d37.5.1201082a4fix: reject top promise on floating addFilesAsync rejectionsdd1c36alinting35a1ffedoc: more clarity in security warningbf776f67.5.11f48b5faprevent escaping symlinks with drive-relative paths97cff15docs: more security infoUpdates
flattedfrom 3.3.3 to 3.4.2Commits
3bf09093.4.2885ddccfix CWE-13210bdba70added flatted-view to the benchmark2a02dce3.4.1fba4e8fMerge pull request #89 from WebReflection/python-fix5fe8648added "when in Rome" also a test for PHP53517adsome minor improvementb3e2a0cFixing recursion issue in Python tooc4b46dbAdd SECURITY.md for security policy and reportingf86d071Create dependabot.yml for version updatesUpdates
tarfrom 7.5.10 to 7.5.13Commits
d6611ae7.5.13119c401fix(extract): prevent raced symlink writes outside cwd2a294d37.5.1201082a4fix: reject top promise on floating addFilesAsync rejectionsdd1c36alinting35a1ffedoc: more clarity in security warningbf776f67.5.11f48b5faprevent escaping symlinks with drive-relative paths97cff15docs: more security info