Skip to content

chore(deps): aggregate 11 open Dependabot PRs into one#1135

Draft
Hotell with Copilot wants to merge 4 commits into
mainfrom
copilot/aggregate-dependabot-prs
Draft

chore(deps): aggregate 11 open Dependabot PRs into one#1135
Hotell with Copilot wants to merge 4 commits into
mainfrom
copilot/aggregate-dependabot-prs

Conversation

Copilot AI commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

11 open Dependabot PRs accumulating separately, two of which address security vulnerabilities.

GitHub Actions

  • actions/checkout v6 → v7 (9 workflow files)
  • eskatos/gradle-command-action v1 → v3

npm — direct deps (package.json updated)

  • webpack-dev-server 5.2.4 → 5.2.5
  • @babel/core 7.29.0 → 7.29.7

npm — transitive deps (lock file via npm update)

Package Old → New
undici 7.24.7 → 7.28.0 ⚠️ 7 CVEs fixed
fast-uri 3.1.0 → 3.1.3 ⚠️ 2 CVEs fixed
tar 7.5.13 → 7.5.19
qs + express 6.14.2 → 6.15.3 / 4.22.1 → 4.22.2
form-data 4.0.5 → 4.0.6
launch-editor 2.13.2 → 2.14.1
tmp 0.2.5 → 0.2.7

Supersedes and closes: #1124, #1118, #1117, #1112, #1111, #1110, #1109, #1092, #1091, #1076, #1042

dependabot Bot and others added 3 commits July 1, 2026 15:05
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Hotell <1223799+Hotell@users.noreply.github.com>
Bumps [eskatos/gradle-command-action](https://github.com/eskatos/gradle-command-action) from 1 to 3.
- [Release notes](https://github.com/eskatos/gradle-command-action/releases)
- [Commits](gradle/gradle-build-action@v1...v3)

---
updated-dependencies:
- dependency-name: eskatos/gradle-command-action
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Hotell <1223799+Hotell@users.noreply.github.com>
- webpack-dev-server 5.2.4 → 5.2.5
- undici 7.24.7 → 7.28.0 (security)
- tar 7.5.13 → 7.5.19
- @babel/core 7.29.0 → 7.29.7
- launch-editor 2.13.2 → 2.14.1
- form-data 4.0.5 → 4.0.6
- tmp 0.2.5 → 0.2.7
- qs 6.14.2 → 6.15.3
- express 4.22.1 → 4.22.2
- fast-uri 3.1.0 → 3.1.3 (security)

Closes #1118, #1117, #1112, #1111, #1110, #1109, #1092, #1091, #1076

Co-authored-by: Hotell <1223799+Hotell@users.noreply.github.com>
@Hotell

Hotell commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

@copilot pipelines are not running - I assume you didn't properly update lock file. resolve this

…build-action@v3

The eskatos/gradle-command-action repo was transferred to gradle/gradle-build-action.
The @V3 tag under the eskatos namespace is no longer resolvable by the GitHub Actions
runner, causing startup_failure on every run.

Also remove wrapper-directory input (not in v3; build-root-directory covers it).

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@copilot pipelines are not running - I assume you didn't properly update lock file. resolve this

The startup_failure (0 jobs ran) wasn't a lock file issue — npm ci is clean. The root cause was eskatos/gradle-command-action@v3: the eskatos/gradle-command-action repo was transferred to gradle/gradle-build-action, and the GitHub Actions runner can't resolve the @v3 tag under the old eskatos namespace (this same failure was present in all 4 CI runs of the original Dependabot PR #1042 as well).

Fixed in b03cfdf by:

  • Replacing eskatos/gradle-command-action@v3 with gradle/gradle-build-action@v3 in pr.yml and publish.yml
  • Removing the wrapper-directory input (not supported in v3; build-root-directory covers it)

Copilot AI requested a review from Hotell July 2, 2026 08:43
Copilot finished work on behalf of Hotell July 2, 2026 08:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants