chore(deps): bump @bower_components/blueimp-md5 from 1.0.1 to v2.19.0 in /build #39420
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
|
Kudos, SonarCloud Quality Gate passed! |
|
Note: https://github.com/blueimp/JavaScript-MD5 repo is archived. v2.19.0 was released on 2021-09-25 and thus will be the last release. Do we do this version bump now? And then what next. @JammingBen do we leave this for now, and investigate after 10.9.0? Or? |
I would say so, yes. Let's focus on simple and test/dev-related changes during the next weeks. 10.9 already contains a huge amount of big changes. |
|
I switched this to "draft" so that it is more clear that this is a "pending" bump for after 10.9.0 |
|
@dependabot-bot rebase |
948f291 to 118f757
|
Kudos, SonarCloud Quality Gate passed! |
|
@dependabot recreate |
118f757 to 88aa90f
|
@dependabot rebase |
Bumps [@bower_components/blueimp-md5](https://github.com/blueimp/JavaScript-MD5) from 1.0.1 to v2.19.0.
- [Commits](blueimp/JavaScript-MD5@b84e37f...458b662)

---
updated-dependencies:
- dependency-name: "@bower_components/blueimp-md5"
  dependency-version: 458b6624c39df94cd938db3303ef77aa1e7a6800
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
88aa90f to d4b09f6
phil-davis
left a comment
This should all still work. It is only in the /build folder, so does not impact the run-time.
Actually the source repo for this was archived some time ago. So v2.19.0 is the last version.
DeepDiver1975
left a comment
🤖 Automated review by Claude Code review agent.
Overview
Dependabot PR bumping @bower_components/blueimp-md5 from 1.0.1 to v2.19.0 in /build, a major-version jump (1.x to 2.x). The change touches only build/package.json (dependency pin) and build/yarn.lock (resolved tarball + uid). +5/-4 across 2 files. This is low-risk automated content.
Code quality / style
- Mechanical, well-scoped change generated by Dependabot. No hand-written code.
- package.json and yarn.lock are kept consistent (both point at commit 458b662 for v2.19.0).
- Note the version-string style mismatch: the old pin used #1.0.1 while the new pin uses #v2.19.0 (leading v). This simply follows the upstream tag naming and is fine for git-ref resolution.
Specific suggestions
- Confirm blueimp-md5 is actually consumed in the bundled JS build and not dead weight. If it is used, verify the consuming code still works against the 2.x API (see risks).
- After merge, regenerate/verify any vendored bundle so the new version is actually shipped, not just pinned.
Potential issues / risks
- Major-version bump (1.x to 2.x) can carry breaking API changes. Upstream blueimp/JavaScript-MD5 migrated from a global md5() function toward UMD/module export conventions across the 2.x line. If owncloud/core calls it via a global md5(...), the call site may need adjustment; if it imports the module, behavior should be stable. The diff itself does not reveal how the library is invoked.
- No accompanying source or test changes in this PR. There is no evidence that any usage was updated or that tests exercise the md5 code path against the new version. The risk is therefore not visible in the diff and rests on CI: ensure the build/JS test suite actually covers any code that depends on this library before merging. If md5 is unused, the bump is purely cosmetic and safe.
- Bower-via-yarn git tarball dependencies are not integrity-pinned the way registry packages are (no checksum hash in the lock entry, only a resolved URL + uid). This is pre-existing and not introduced here.
Recommendation: Safe to merge once CI passes, provided the build/test pipeline covers code paths using blueimp-md5. If it does not, manually confirm the 2.x API matches the call sites before merging.
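
The lock-entry point raised in the review above (a resolved URL and uid but no checksum) can be checked mechanically. The following is an added example, not part of the PR, the review, or the project's code; the lockfile sample, its URLs, commit id and digest are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample lockfile; URLs, commit id and digest are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1

"@bower_components/blueimp-md5@blueimp/JavaScript-MD5#v2.19.0":
  version "2.19.0"
  resolved "https://codeload.example.invalid/blueimp/JavaScript-MD5/tar.gz/0123456789abcdef0123456789abcdef01234567"
  uid "0123456789abcdef0123456789abcdef01234567"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.example.invalid/left-pad/-/left-pad-1.3.0.tgz"
  integrity sha512-CONSTRUCTEDPLACEHOLDERDIGEST==
`;

const unquote = (s) => s.replace(/^"(.*)"$/, '$1');

// Minimal yarn.lock v1 reader: top-level lines open an entry, two-space
// indented "key value" lines are its fields; nested blocks are skipped.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    if (!/^\s/.test(raw)) {
      const specifiers = raw.replace(/:\s*$/, '').split(/,\s*/).map(unquote);
      current = { specifiers, fields: {} };
      entries.push(current);
      continue;
    }
    const m = /^ {2}(\S+) (.+)$/.exec(raw);
    if (current && m) current.fields[m[1]] = unquote(m[2]);
  }
  return entries;
}

// Report entries that carry a resolved URL but no checksum in the lockfile.
function findUnpinned(entries) {
  return entries
    .filter((e) => e.fields.resolved && !e.fields.integrity)
    .map((e) => ({
      specifier: e.specifiers[0],
      resolved: e.fields.resolved,
      // True when the URL names a full 40-hex commit id rather than a tag.
      commitPinned: /\/[0-9a-f]{40}$/i.test(e.fields.resolved),
    }));
}

console.log(findUnpinned(parseYarnLockV1(SAMPLE_LOCK)));
```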
|
PR #41633 confirms that this dependency is used. The JS Tests fail in that PR. |
Bumps @bower_components/blueimp-md5 from 1.0.1 to v2.19.0.
Commits
- 458b662 2.19.0
- d2115f5 Add script to sync vendor libraries.
- 9628d50 Update dev dependencies.
- e1346d5 2.18.0
- 0fde4ea Update dev dependencies.
- c89150d 2.17.0
- 1a22f3a Update dev dependencies.
- ed24666 2.16.0
- 5e06413 Demo: Update design, layout and demo script.
- da13ebd Upgrade dev dependencies.