chore(deps): bump the npm_and_yarn group across 2 directories with 4 updates#253
Conversation
…updates Bumps the npm_and_yarn group with 4 updates in the /suite-ui/aldeci directory: [axios](https://github.com/axios/axios), [esbuild](https://github.com/evanw/esbuild), [flatted](https://github.com/WebReflection/flatted) and [picomatch](https://github.com/micromatch/picomatch). Bumps the npm_and_yarn group with 1 update in the /suite-ui/aldeci-ui-new directory: [picomatch](https://github.com/micromatch/picomatch). Updates `axios` from 1.13.4 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.13.4...v1.13.5) Removes `esbuild` Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) --- updated-dependencies: - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
🤖 Augment PR SummarySummary: Dependabot PR updating npm/yarn dependencies for the UI packages. Changes:
Why: Pulls in upstream security/bugfix releases (e.g., axios DoS hardening, picomatch CVE fixes, flatted security fixes) as described by Dependabot. Technical Notes: The Vite major bump may require companion tooling alignment (plugins/peer deps) to keep installs and builds stable. 🤖 Was this summary useful? React with 👍 or 👎 |
![augmentcode[bot]](https://avatars.githubusercontent.com/in/1027498?s=60&v=4){kind=small}
| "@tanstack/react-table": "^8.11.6", | ||
| "@xyflow/react": "^12.0.0", | ||
| "axios": "^1.6.5", | ||
| "axios": "^1.13.5", |
There was a problem hiding this comment.
This change touches the legacy UI package under suite-ui/aldeci/, which is marked as frozen ("Frontend (legacy, FROZEN — do NOT modify)") in (Rule: CLAUDE.md). Can we confirm dependency updates in this directory are intended/allowed (vs. applying them only to the new UI)?
Severity: medium
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
| "tailwindcss": "^3.4.1", | ||
| "typescript": "^5.3.3", | ||
| "vite": "^5.0.11" | ||
| "vite": "^8.0.3" |
There was a problem hiding this comment.
@vitejs/plugin-react@^4.2.1 declares a vite peer dependency of ^4.2.0 || ^5.0.0; bumping vite to ^8.0.3 is outside that range and will likely cause peer-dependency conflicts and potentially break installs/builds.
Severity: high
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 48ba6e9134
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| "tailwindcss": "^3.4.1", | ||
| "typescript": "^5.3.3", | ||
| "vite": "^5.0.11" | ||
| "vite": "^8.0.3" |
There was a problem hiding this comment.
Updating vite to ^8.0.3 creates an unsupported toolchain with the currently resolved @vitejs/plugin-react (see suite-ui/aldeci/package-lock.json, where its peer dependency is vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0). This mismatch already triggers peer-resolution warnings and can fail installs in stricter npm environments or cause build/dev-server regressions because the React plugin is outside its declared compatibility window. Either pin Vite back to ^7 or upgrade the React plugin to a version that explicitly supports Vite 8.
Useful? React with 👍 / 👎.
Bumps the npm_and_yarn group with 4 updates in the /suite-ui/aldeci directory: axios, esbuild, flatted and picomatch.
Bumps the npm_and_yarn group with 1 update in the /suite-ui/aldeci-ui-new directory: picomatch.
Updates
axiosfrom 1.13.4 to 1.13.5Release notes
Sourced from axios's releases.
Commits
29f7542chore(release): prepare release 1.13.5 (#7379)431c3a3ci: fix run condition (#7373)9ff3a78ci: update ymls (#7372)265b712docs: fix deprecated Buffer constructor and formatting issues in README (#7371)475e75afeat: add input validation to isAbsoluteURL (#7326)28c7215fix: Denial of Service via proto Key in mergeConfig (#7369)04cf019docs: clarify object check comment (#7323)696fa75fix: status is missing in AxiosError on and after v1.13.3 (#7368)569f028fix: added a option to choose between legacy and the new request/response int...44b7c9fchore(deps-dev): bump karma-sourcemap-loader (#7360)Removes
esbuildUpdates
flattedfrom 3.3.3 to 3.4.2Commits
3bf09093.4.2885ddccfix CWE-13210bdba70added flatted-view to the benchmark2a02dce3.4.1fba4e8fMerge pull request #89 from WebReflection/python-fix5fe8648added "when in Rome" also a test for PHP53517adsome minor improvementb3e2a0cFixing recursion issue in Python tooc4b46dbAdd SECURITY.md for security policy and reportingf86d071Create dependabot.yml for version updatesUpdates
picomatchfrom 2.3.1 to 2.3.2Release notes
Sourced from picomatch's releases.
Changelog
Sourced from picomatch's changelog.
... (truncated)
Commits
81cba8dPublish 2.3.2fc1f6b6Merge commit from forkeec17aeMerge commit from fork78f8ca4Merge pull request #156 from micromatch/backport-1443f4f10eMerge pull request #144 from Jason3S/jdent-object-propertiesUpdates
picomatchfrom 4.0.3 to 4.0.4Release notes
Sourced from picomatch's releases.
Changelog
Sourced from picomatch's changelog.
... (truncated)
Commits
81cba8dPublish 2.3.2fc1f6b6Merge commit from forkeec17aeMerge commit from fork78f8ca4Merge pull request #156 from micromatch/backport-1443f4f10eMerge pull request #144 from Jason3S/jdent-object-propertiesUpdates
picomatchfrom 4.0.3 to 4.0.4Release notes
Sourced from picomatch's releases.
Changelog
Sourced from picomatch's changelog.
... (truncated)
Commits
81cba8dPublish 2.3.2fc1f6b6Merge commit from forkeec17aeMerge commit from fork78f8ca4Merge pull request #156 from micromatch/backport-1443f4f10eMerge pull request #144 from Jason3S/jdent-object-propertiesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.