Bump bfj from 7.1.0 to 9.1.3 #1467
Bumps [bfj](https://gitlab.com/philbooth/bfj) from 7.1.0 to 9.1.3.
- [Changelog](https://gitlab.com/philbooth/bfj/blob/master/HISTORY.md)
- [Commits](https://gitlab.com/philbooth/bfj/commits/9.1.3)

---
updated-dependencies:
- dependency-name: bfj
  dependency-version: 9.1.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
No blocking findings.
Security
bfj@9.1.3 improves the supply-chain picture for this repo rather than making it worse.
Upstream's 9.1.3 changelog explicitly says it removes a vulnerable transitive jsonpath dependency. The lockfile diff here matches that: jsonpath@1.2.1 disappears, along with its old transitive path through esprima@1.2.5 and underscore@1.13.6. I did not find evidence that this bump introduces a new vulnerable dependency path.
Safety Of Merging
Main upstream changes since 7.1.0:
- 8.0.0 raised bfj's engine requirement to node >= 18
- 9.0.0 removed Bluebird support and the custom `Promise` option
- 9.1.x adds bug fixes plus the `jsonpath` removal
For this repository, the practical risk looks low:
- I found no in-repo imports/usages of bfj; `yarn why bfj` shows it is only present as this workspace's direct dev dependency
- the app/runtime code path should therefore be unaffected by the API-level breaking changes
- this repo pins Node 20 in `.tool-versions`, and the current GitHub Actions workflow also runs Node 20, so the new engine floor is compatible with the project's current setup
Residual risk: if anyone still installs this repo locally with Node 16, bfj's declared engine is now stricter than before. That does not affect the checked-in CI configuration, but it is the main compatibility change to be aware of.
Test Results
Local on this PR branch:
- `yarn install --immutable` ✅
- `yarn lint` ✅
- `CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter` ✅ (92 suites, 820 tests)
Remote GitHub checks at review time:
- lint ✅
- test ✅
- deploy-branch / build-deploy ✅
- test-cypress ⏳ still running

I could not complete Cypress locally on this agent because the Cypress binary was not installed, and an attempted `yarn exec cypress install` did not make the binary available.
Recommendation
Merge with caution: I do not see a blocking security or behavioral issue in this PR, and the dependency graph is cleaner after the upgrade. I would merge once the remaining test-cypress check finishes green.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
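The review above rests on two verifiable checks: that the `jsonpath` subtree really disappears from the lockfile after the bump, and that the repository's pinned Node version satisfies bfj's new engine floor. The script below is an added example that reproduces those checks; it is not code from the PR, from the review bot, or from the bfj project. It assumes Yarn Berry style lockfile entries of the form `"name@npm:range":` (the repo runs `yarn install --immutable`, so this is plausible but unconfirmed), and the before/after lockfile text and `.tool-versions` content are constructed sample data that mirror the package names and versions quoted in the review.

```shell
#!/usr/bin/env sh
# Added example, not part of the PR or the review. Reproduces the two checks
# the review describes against constructed sample inputs.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed "before" lockfile: bfj 7.1.0 still pulls in jsonpath -> esprima/underscore.
cat > "$WORK/before.lock" <<'EOF'
"bfj@npm:^7.1.0":
  version: 7.1.0
  dependencies:
    jsonpath: ^1.1.1

"jsonpath@npm:^1.1.1":
  version: 1.2.1
  dependencies:
    esprima: 1.2.5
    underscore: 1.13.6

"esprima@npm:1.2.5":
  version: 1.2.5

"underscore@npm:1.13.6":
  version: 1.13.6
EOF

# Constructed "after" lockfile: bfj 9.1.3 with the jsonpath subtree gone.
cat > "$WORK/after.lock" <<'EOF'
"bfj@npm:^9.1.3":
  version: 9.1.3
EOF

# Constructed .tool-versions pinning Node 20, as the review states for this repo.
printf 'nodejs 20.11.1\n' > "$WORK/.tool-versions"

# Resolved package names in a Yarn Berry style lockfile, one per line, sorted.
# Entry headers look like "name@npm:range": (scoped names keep their leading @).
lock_packages() {
  sed -n 's/^"\(@\{0,1\}[^"@]*\)@npm:.*$/\1/p' "$1" | sort -u
}

# Packages resolved in $1 (before) that no longer appear in $2 (after).
removed_packages() {
  lock_packages "$1" > "$WORK/b.txt"
  lock_packages "$2" > "$WORK/a.txt"
  comm -23 "$WORK/b.txt" "$WORK/a.txt"
}

# Exit 0 when package $3 does not resolve anywhere in the after-lockfile $2.
dependency_gone() {
  ! lock_packages "$2" | grep -qx "$3"
}

# Exit 0 when the Node major pinned in .tool-versions ($1) is >= the engine floor ($2).
node_floor_ok() {
  pinned="$(awk '$1 == "nodejs" { split($2, v, "."); print v[1] }' "$1")"
  [ -n "$pinned" ] && [ "$pinned" -ge "$2" ]
}

main() {
  echo "Packages removed by the bump:"
  removed_packages "$WORK/before.lock" "$WORK/after.lock"
  dependency_gone "$WORK/before.lock" "$WORK/after.lock" jsonpath && echo "jsonpath: gone"
  node_floor_ok "$WORK/.tool-versions" 18 && echo "Node pin satisfies engine floor >= 18"
}
main
```

On a real review the two lockfiles would come from `git show <base>:yarn.lock` and `git show <head>:yarn.lock` rather than heredocs, and the engine floor from the upgraded package's `engines.node` field; everything else stays the same.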


Bumps bfj from 7.1.0 to 9.1.3.
Changelog (sourced from bfj's changelog):
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)