chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates (#94)
Bumps the npm_and_yarn group with 2 updates in the /apps/api directory: [fastify](https://github.com/fastify/fastify) and [@xmldom/xmldom](https://github.com/xmldom/xmldom).
Bumps the npm_and_yarn group with 1 update in the /vantademo directory: [picomatch](https://github.com/micromatch/picomatch).

Updates `fastify` from 5.8.1 to 5.8.3
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](fastify/fastify@v5.8.1...v5.8.3)

Removes `@xmldom/xmldom`

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: fastify
  dependency-version: 5.8.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@xmldom/xmldom"
  dependency-version:
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Pull request overview
This PR updates JavaScript dependencies (primarily security-related bumps) across the API app and the vantademo directory.
Changes:
- Bump `fastify` to `5.8.3` in `apps/api` (per lockfile).
- Bump `pdf2json` to `3.2.2` in `apps/api` and remove bundled `@xmldom/xmldom` (per lockfile).
- Bump `picomatch` to `2.3.2` in `vantademo` (per lockfile).
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| vantademo/package-lock.json | Updates picomatch to 2.3.2 (security release). |
| apps/api/package.json | Updates pdf2json dependency range to ^3.2.2. |
| apps/api/package-lock.json | Updates fastify and pdf2json resolved versions and reflects removal of @xmldom/xmldom bundling. |
Files not reviewed (2)
- apps/api/package-lock.json: Language not supported
- vantademo/package-lock.json: Language not supported
| "fastify": "^5.8.3", | ||
| "openai": "^6.17.0", | ||
| "pdf2json": "^3.1.4", | ||
| "pdf2json": "^3.2.2", |
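Review bot: The `"pdf2json": "^3.2.2"` line is a caret range, so only the lockfile actually pins what gets installed, yet the PR's updated-dependencies block has no `pdf2json` entry and lists `@xmldom/xmldom` with an empty `dependency-version`, so nothing in the description ties the @xmldom/xmldom removal to this bump. Suggest adding pdf2json 3.2.2 to the description's updated-dependencies list so the removal can be traced to the dependency that dropped it.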
Because this repo uses npm workspaces (and CI runs npm ci from the repo root), changing apps/api/package.json without also updating the root package-lock.json will leave the workspace lock metadata out of sync (root lock still pins apps/api to pdf2json: ^3.1.4). This will typically cause npm ci to fail or continue installing the old version. Regenerate the root lockfile from the repo root so it reflects the updated apps/api dependencies (or otherwise ensure there is a single source of truth for lockfiles).
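One way to catch the drift described in the comment above before `npm ci` runs is to diff the root lockfile's workspace entry against the workspace's own manifest. This is an added example, not code from this PR or the repository; it assumes the npm lockfileVersion 3 layout (where `packages[""]` carries the root `workspaces` list and `packages["apps/api"]` mirrors that manifest's dependency ranges), the sample data is constructed, and `findLockDrift` is a hypothetical helper name.

```javascript
// Added example (not code from this PR or repository): flag a root
// package-lock.json whose workspace entry has drifted from the workspace's own
// package.json, the situation described for apps/api and pdf2json above.
// Lockfile shape follows npm lockfileVersion 3, where packages[""] carries the
// root "workspaces" list and packages["apps/api"] mirrors that manifest's deps.
// With real files: JSON.parse(fs.readFileSync(path, "utf8")) for each input.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns one record per mismatch: a range that differs, a dependency missing
// from the lock, or a dependency the lock still carries after removal.
function findLockDrift(rootLock, workspaceManifests) {
  const drift = [];
  const root = (rootLock.packages && rootLock.packages[""]) || {};
  const workspaces = root.workspaces || [];
  for (const dir of workspaces) {
    const lockEntry = rootLock.packages[dir];
    const manifest = workspaceManifests[dir];
    if (!lockEntry || !manifest) {
      drift.push({ dir, name: null, reason: "workspace missing from lock or manifest" });
      continue;
    }
    for (const field of DEP_FIELDS) {
      const want = manifest[field] || {};
      const have = lockEntry[field] || {};
      for (const [name, range] of Object.entries(want)) {
        if (!(name in have)) drift.push({ dir, name, reason: "missing from lock" });
        else if (have[name] !== range) drift.push({ dir, name, reason: `lock has ${have[name]}, manifest has ${range}` });
      }
      for (const name of Object.keys(have)) {
        if (!(name in want)) drift.push({ dir, name, reason: "stale in lock" });
      }
    }
  }
  return drift;
}

// Constructed sample: the root lock still pins apps/api to pdf2json ^3.1.4
// while apps/api/package.json, as changed in this PR, now asks for ^3.2.2.
const sampleRootLock = {
  lockfileVersion: 3,
  packages: {
    "": { workspaces: ["apps/api"] },
    "apps/api": { dependencies: { fastify: "^5.8.3", pdf2json: "^3.1.4" } },
  },
};
const sampleManifests = {
  "apps/api": { dependencies: { fastify: "^5.8.3", pdf2json: "^3.2.2" } },
};

// A non-empty result is what should fail CI before `npm ci` runs from the root.
console.log(findLockDrift(sampleRootLock, sampleManifests));
```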
| "pdf2json": "^3.2.2", | |
| "pdf2json": "^3.1.4", |
| "openai": "^6.17.0", | ||
| "pdf2json": "^3.1.4", | ||
| "pdf2json": "^3.2.2", | ||
| "pdfkit": "^0.15.0", |
The PR description lists updates for fastify, @xmldom/xmldom (removal), and picomatch, but this diff also bumps pdf2json (and the API lockfile metadata for the local @deed-shield/core workspace). Please update the PR description/changelog to reflect the additional dependency changes so reviewers know what is actually being upgraded.
| "license": "MIT", | ||
| "engines": { | ||
| "node": ">=10.0.0" | ||
| "node": ">=20.18.0" |
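Review bot: The `"node": ">=20.18.0"` line raises the engines floor recorded for a lockfile package entry; by default npm only emits an EBADENGINE warning on an engine mismatch and fails the install only when `engine-strict` is set in .npmrc, so check whether CI enables engine-strict before treating this as a hard install blocker, and if it does, pin the Node patch level (.nvmrc or the root engines field) to at least 20.18.0 in the same change.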
pdf2json@3.2.2 now declares engines.node >=20.18.0. The repo-wide engine is 20.x and CI uses node-version: '20', but developers pinned to an earlier 20.x patch (or other automation using an older Node 20 image) may hit install failures. Consider either documenting/pinning the required Node patch level (e.g., via .nvmrc/Volta/engines) or selecting a pdf2json version compatible with the project’s supported Node range.
| "node": ">=20.18.0" | |
| "node": ">=20.0.0" |
Updates `fastify` from 5.8.1 to 5.8.3

Release notes

Sourced from fastify's releases.

... (truncated)

Commits

- a3e77ce Bumped v5.8.3
- 4e1db5b fix: gate host and protocol getters on proxy trust function
- a22217f ci(lock-threads): use shared lock-threads workflow (#6592)
- 1851f20 docs: update links (#6593)
- 9cc5187 types: Allow port to be null in request type definition (#6589)
- 722d83b docs: replace redirected npm.im http-errors link (#6588)
- a1413de docs: fix incorrect code examples in Reply and Request reference (#6582)
- d7f01b6 docs: clarify content-type parser/schema mismatch is outside threat model (#6...
- a0649e9 docs: update syntax markdown, absolute paths and links (#6569)
- d477915 ci(link-checker): fix root-relative links resolution (#6535)

Removes `@xmldom/xmldom`

Updates `picomatch` from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

Changelog

Sourced from picomatch's changelog.

... (truncated)

Commits

- 81cba8d Publish 2.3.2
- fc1f6b6 Merge commit from fork
- eec17ae Merge commit from fork
- 78f8ca4 Merge pull request #156 from micromatch/backport-144
- 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties