chore: address dependabot alerts in subprojects #10413

Merged
joehan merged 3 commits into next from jh-big-dependabot-update
Apr 23, 2026

@joehan joehan commented Apr 23, 2026

### Description
Addressed multiple Dependabot alerts in subprojects by running `npm audit fix` and adding manual overrides for `protobufjs` to fix critical vulnerabilities. Also updated `next` to a safe version in test templates. Avoided breaking changes and major updates as requested.

### Scenarios Tested
Ran `npm install` in all affected directories to verify dependency resolution.
Did not run full test suite due to time and environment constraints, but changes are isolated to subprojects and test fixtures.

### Sample Commands
npm audit fix

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates dependency versions across various project subdirectories, including bumps for next, express, and protobufjs. Feedback identifies critical issues where non-existent versions (protobufjs@7.5.5 and next@16.2.4) were specified in package files; these versions are not available on the public npm registry and show hash mismatches in the lockfiles, which will lead to installation and build failures.

Comment thread scripts/emulator-tests/functions/package.json
Comment thread scripts/agent-evals/templates/next-app-hello-world/package.json
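
The description pins `protobufjs` through npm overrides and the review questions what the lockfiles actually record. As an added example (not code from this pull request or its repository), the check below reports every installed copy of an overridden package that is older than the override, has no integrity hash, or resolves from outside the expected registry. The function names, the lockfile v2/v3 `packages` layout, and all sample data are assumptions constructed for illustration.

```javascript
// Added example: audit parsed package.json / package-lock.json objects against "overrides".

// Numeric major.minor.patch only; range operators and prerelease tags are ignored (assumption).
function parseTriple(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isBelow(version, floor) {
  const a = parseTriple(version), b = parseTriple(floor);
  if (!a || !b) return true; // unparseable versions are reported, not trusted
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Returns one finding per installed copy of an overridden package that is
// older than the override, lacks an integrity hash, or resolves off-registry.
function auditOverrides(pkg, lock, registry = "https://registry.npmjs.org/") {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.overrides || {})) {
    if (typeof spec !== "string") continue; // nested override objects are out of scope here
    for (const [path, entry] of Object.entries(lock.packages || {})) {
      if (path !== `node_modules/${name}` && !path.endsWith(`/node_modules/${name}`)) continue;
      if (isBelow(entry.version, spec)) findings.push({ path, issue: "below-override", version: entry.version });
      if (!entry.integrity) findings.push({ path, issue: "missing-integrity" });
      if (!String(entry.resolved || "").startsWith(registry)) findings.push({ path, issue: "unexpected-source" });
    }
  }
  return findings;
}

// Constructed sample data (not taken from the repository).
const samplePkg = { overrides: { protobufjs: "7.5.5" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/protobufjs": {
      version: "7.5.5",
      resolved: "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/example-dep/node_modules/protobufjs": {
      version: "7.2.4",
      resolved: "https://mirror.example.invalid/protobufjs-7.2.4.tgz",
    },
  },
};

console.log(auditOverrides(samplePkg, sampleLock));
```

A nested copy under another dependency's `node_modules` is the case a top-level version check misses, which is why the match is on the path suffix rather than the top-level key alone.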
joehan added 2 commits April 23, 2026 10:09
### Description
Updated the regex patterns in `webframeworks-deploy-tests/tests.ts` to match alphanumeric chunk names generated by `next@16.2.4`.

### Scenarios Tested
Verified that chunk names in failure logs match the new pattern.
…eware manifest

### Description
Updated the regex patterns in `webframeworks-deploy-tests/tests.ts` to allow dots in chunk names (e.g., `0.zhcmd__c9_v.js`) and updated the expected extension for `_clientMiddlewareManifest` from `.json` to `.js` to match output from newer Next.js versions.

### Scenarios Tested
Running `npm run test:frameworks` locally.
@joehan joehan requested a review from maneesht April 23, 2026 18:34
@joehan joehan merged commit 6852bf6 into next Apr 23, 2026
61 of 63 checks passed
@joehan joehan deleted the jh-big-dependabot-update branch April 23, 2026 18:37