[Deps] Safe dependency updates 2026-02-24#1019
github-actions[bot] wants to merge 1 commit into main from
Conversation
Updated packages within their semver ranges:
- @commitlint/cli: 20.4.1 → 20.4.2
- @commitlint/config-conventional: 20.4.1 → 20.4.2
- @eslint/compat: bump
- @eslint/js: bump
- @types/js-yaml: bump
- @types/node: 25.2.3 → 25.3.0
- eslint: 10.0.0 → 10.0.2
- glob: 13.0.1 → 13.0.6
- globals: bump
- typescript: bump
- typescript-eslint: 8.55.0 → 8.56.1

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR contains automated safe dependency updates focusing on patch and minor version bumps across development tooling and type definitions. The primary goal is to update dependencies to their latest compatible versions and resolve a moderate severity ReDoS vulnerability in the ajv package (GHSA-2g4f-4pwh-qvx6).
Changes:
- Updates 12 dependencies (11 devDependencies, 1 production dependency) with patch and minor version bumps
- Fixes transitive `ajv` vulnerability by updating `@commitlint` packages, which upgrades ajv from 8.17.1 to 8.18.0
- Deduplicates numerous nested dependencies in package-lock.json, resulting in a cleaner dependency tree
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates dependency versions for commander (^12.1.0), commitlint packages (^20.4.2), eslint ecosystem (^10.0.2), TypeScript tooling (^5.9.3, ^8.56.1), and various type definitions |
| package-lock.json | Reflects all dependency updates, upgrades ajv to 8.18.0 fixing GHSA-2g4f-4pwh-qvx6, and removes many deduplicated nested dependency entries |
| "dependencies": { | ||
| "chalk": "^4.1.2", | ||
| "commander": "^12.0.0", | ||
| "commander": "^12.1.0", |
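Review bot: the `commander` floor in `dependencies` moves from ^12.0.0 to ^12.1.0, which edits the manifest range of the one production dependency rather than only re-resolving it in package-lock.json, yet the PR description's Updated Dependencies list does not mention commander at all; either add it there with the old and new versions, as the list does for the other packages, or leave the range at ^12.0.0 (which already admits 12.1.0) and let the lockfile carry the new resolution. Either way the change stays inside major 12, so no further breaking-change review is needed beyond that.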
The commander dependency is updated from ^12.0.0 to ^12.1.0 (a minor version bump), but this update is not documented in the PR description's "Updated Dependencies" table. All dependency changes should be listed in the PR description for transparency and tracking purposes.
Automated Safe Dependency Updates
This PR contains safe patch/minor dependency updates that have been verified to:
- `ajv` ReDoS vulnerability (GHSA-2g4f-4pwh-qvx6) in transitive deps
Updated Dependencies
- @commitlint/cli
- @commitlint/config-conventional
- @eslint/compat
- @eslint/js
- @types/js-yaml
- @types/node
- eslint
- glob
- globals
- typescript
- typescript-eslint
Security Fixes Included
- `ajv` vulnerability (GHSA-2g4f-4pwh-qvx6, moderate) resolved via `@commitlint` update
Vulnerability Summary
Verification
- `npm audit` shows 0 vulnerabilities after update
Generated by Dependency Security Monitor Workflow
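The description above makes two claims a reviewer would want to check independently of `npm audit`: that every installed copy of `ajv` (including nested, not-yet-deduplicated copies under other packages) is at or above 8.18.0, and that the versions resolved in package-lock.json still satisfy the caret ranges declared in package.json. The script below is an added example and is not the Dependency Security Monitor Workflow's own code. It walks a lockfileVersion 3 `packages` map, reports every copy of an advisory's package below its fixed version, and reports every direct dependency whose installed version falls outside its `^` range. The `manifest`, `lockBefore`, `lockAfter` objects and the package name `example-tool` are constructed sample data, not the real files from this PR; the 8.18.0 fix floor for `ajv` is taken from the PR text.

```javascript
// Added example (not part of the PR or the workflow it was generated by).
// Checks a package-lock.json v3 "packages" map against (a) a list of
// advisories with their fixed versions and (b) the caret ranges in package.json.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically (no prerelease handling).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 when X>0;
// ^0.Y.Z allows <0.(Y+1).0 when Y>0; ^0.0.Z allows only that patch.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const floorStr = range.slice(1);
  const floor = parseVersion(floorStr);
  const v = parseVersion(version);
  if (compareVersions(version, floorStr) < 0) return false;
  if (floor[0] > 0) return v[0] === floor[0];
  if (floor[1] > 0) return v[0] === 0 && v[1] === floor[1];
  return v[0] === 0 && v[1] === 0 && v[2] === floor[2];
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function installedName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return lockPath.slice(idx + "node_modules/".length);
}

// Every installed copy of `name`, hoisted or nested, with its lock path.
function findCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p !== "" && installedName(p) === name)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

function checkLock(manifest, lock, advisories) {
  const vulnerable = [];
  for (const { name, fixedIn } of advisories)
    for (const copy of findCopies(lock, name))
      if (compareVersions(copy.version, fixedIn) < 0) vulnerable.push({ ...copy, fixedIn });

  const outOfRange = [];
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  for (const [name, range] of Object.entries(declared)) {
    const top = lock.packages[`node_modules/${name}`];
    if (!top) { outOfRange.push({ name, range, installed: null }); continue; }
    if (!satisfiesCaret(range, top.version)) outOfRange.push({ name, range, installed: top.version });
  }
  return { vulnerable, outOfRange };
}

// Constructed sample inputs. "example-tool" is a hypothetical package that
// carries its own nested ajv, standing in for whatever pulled ajv in transitively.
const advisories = [{ name: "ajv", fixedIn: "8.18.0" }]; // GHSA-2g4f-4pwh-qvx6, per the PR text
const manifest = {
  dependencies: { commander: "^12.1.0" },
  devDependencies: { "@commitlint/cli": "^20.4.2", "example-tool": "^1.0.0" },
};
const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "sample" },
  "node_modules/commander": { version: "12.0.0" },
  "node_modules/@commitlint/cli": { version: "20.4.1" },
  "node_modules/ajv": { version: "8.17.1" },
  "node_modules/example-tool": { version: "1.0.0" },
  "node_modules/example-tool/node_modules/ajv": { version: "8.17.1" },
} };
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "sample" },
  "node_modules/commander": { version: "12.1.0" },
  "node_modules/@commitlint/cli": { version: "20.4.2" },
  "node_modules/ajv": { version: "8.18.0" },
  "node_modules/example-tool": { version: "1.0.0" },
} };

const beforeReport = checkLock(manifest, lockBefore, advisories);
const afterReport = checkLock(manifest, lockAfter, advisories);
console.log(JSON.stringify({ beforeReport, afterReport }, null, 2));
```

On the constructed "before" lockfile the report lists both copies of ajv (the hoisted one and the nested one under `example-tool`) and two direct dependencies installed below their declared floors; on the "after" lockfile, where the nested copy has been deduplicated away and the hoisted copy is 8.18.0, both lists are empty, which is the state `npm audit` reporting 0 vulnerabilities implies. Running the same check against the real package-lock.json is a matter of replacing the constructed objects with `JSON.parse(fs.readFileSync(...))`; note that nested copies are exactly what a hoisted-only check would miss.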