chore: update dependencies for dependabot alerts #3119
Pull request overview
This PR updates dependency versions/lockfiles across the TypeScript SDK, frontend apps/docs, Ruby SDK, and Python examples/templates to address Dependabot security alerts.
Changes:
- Updates multiple pnpm overrides and refreshes pnpm lockfiles (notably axios/qs/tar/ajv/markdown-it/minimatch/glob/rollup).
- Bumps Ruby gems (faraday, faraday-net_http, json, net-http) in both SDK and examples lockfiles.
- Bumps protobuf in Python Poetry lockfiles for examples and CLI templates.
Reviewed changes
Copilot reviewed 4 out of 13 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| sdks/typescript/pnpm-lock.yaml | Updates resolved versions and adds overrides for vulnerable transitive deps (axios/ajv/markdown-it/minimatch/tar/qs). |
| sdks/typescript/package.json | Updates qs version and adds several pnpm overrides to address alerts. |
| sdks/ruby/src/Gemfile.lock | Updates Faraday stack, json, and net-http-related gems. |
| sdks/ruby/examples/Gemfile.lock | Mirrors Ruby gem updates in the examples lockfile. |
| sdks/python/examples/quickstart/poetry.lock | Bumps protobuf patch version for the Python SDK quickstart example. |
| frontend/docs/pnpm-lock.yaml | Updates overrides and lock resolutions for docs dependencies. |
| frontend/docs/package.json | Adds pnpm overrides for alerted dependencies (axios/glob/js-yaml/minimatch/tar). |
| frontend/app/pnpm-lock.yaml | Updates overrides and lock resolutions for the frontend app dependencies (axios/qs/vite/rollup/etc.). |
| frontend/app/package.json | Updates qs and vite versions and adds pnpm overrides for alerted dependencies. |
| examples/python/quickstart/poetry.lock | Bumps protobuf patch version for the root Python quickstart example. |
| cmd/hatchet-cli/cli/templates/typescript/pnpm/pnpm-lock.yaml | Updates template lockfile overrides/resolutions for qs/axios. |
| cmd/hatchet-cli/cli/templates/typescript/pnpm/package.json | Adds pnpm overrides in the template to address qs/axios alerts. |
| cmd/hatchet-cli/cli/templates/python/poetry/poetry.lock | Bumps protobuf patch version in the Python template lockfile. |
Files not reviewed (4)
- cmd/hatchet-cli/cli/templates/typescript/pnpm/pnpm-lock.yaml: Language not supported
- frontend/app/pnpm-lock.yaml: Language not supported
- frontend/docs/pnpm-lock.yaml: Language not supported
- sdks/typescript/pnpm-lock.yaml: Language not supported
| qs: | ||
| specifier: 6.14.1 | ||
| version: 6.14.1 | ||
| specifier: '>=6.14.2' | ||
| version: 6.15.0 |
In the lockfile importer, qs’s recorded specifier is ">=6.14.2", but frontend/app/package.json declares qs as "^6.14.2". This manifest/lockfile mismatch can break frozen-lockfile installs; regenerate the lockfile after ensuring the specifier matches the manifest.
frontend/docs/pnpm-lock.yaml
Outdated
| version: 3.4.0 | ||
| js-yaml: | ||
| specifier: ^4.1.1 | ||
| specifier: '>=4.1.1' |
The lockfile importer records js-yaml with specifier ">=4.1.1", but frontend/docs/package.json declares js-yaml as "^4.1.1". This mismatch can cause frozen-lockfile installs to fail; regenerate the lockfile after aligning the manifest and lockfile specifiers.
| specifier: '>=4.1.1' | |
| specifier: ^4.1.1 |
frontend/app/package.json
Outdated
| "tar": "^7.5.8", | ||
| "axios": ">=1.13.5", | ||
| "ajv": ">=6.14.0", |
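Review bot: the override block mixes a same-major range for `tar` (`"tar": "^7.5.8"`) with open-ended lower bounds for `axios` and `ajv` (`"axios": ">=1.13.5"`, `"ajv": ">=6.14.0"`); a `>=` range with no upper bound lets the next lockfile refresh resolve a new major for those two packages without any manifest diff, and for `ajv` that major would be consumed by transitive dependents that were written against the current one. Suggest writing all three overrides in the `tar` style, e.g. `"ajv": "^6.14.0"` and `"axios": "^1.13.5"`, or pinning exact versions, so the alert's minimum fix level is enforced while the major stays fixed.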
The pnpm override forces axios to ">=1.13.5" while the direct dependency range is "^1.12.0". If axios is a direct dependency, it’s usually clearer to bump the dependency range itself (and regenerate the lockfile) rather than relying on an override that can drift and widen to future majors.
sdks/typescript/package.json
Outdated
| "js-yaml": "^4.1.1", | ||
| "axios": ">=1.13.5", | ||
| "ajv": ">=6.14.0", |
The pnpm override forces axios to ">=1.13.5" while the direct dependency range is still "^1.11.0". This can lead to manifest/lockfile drift and makes upgrades less explicit; consider updating the dependency range for axios directly (and regenerating the lockfile) and keep overrides for transitive-only cases.
sdks/typescript/package.json
Outdated
| "js-yaml": "^4.1.1", | ||
| "axios": ">=1.13.5", | ||
| "ajv": ">=6.14.0", | ||
| "markdown-it": ">=14.1.1", |
Using an open-ended override like ">=6.14.0" for ajv can allow pnpm to resolve a new major (e.g., v8+) even if upstream dependencies were written against an older major, increasing the chance of runtime incompatibilities on the next lockfile refresh. Prefer pinning to an exact version or restricting the range to the intended major line.
| "markdown-it": ">=14.1.1", | |
| "markdown-it": "^14.1.1", |
frontend/docs/package.json
Outdated
| "lodash-es": "^4.17.23", | ||
| "axios": ">=1.13.5", | ||
| "glob": ">=10.5.0", | ||
| "js-yaml": ">=4.1.1", |
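Review bot: the `axios` and `glob` overrides (`"axios": ">=1.13.5"`, `"glob": ">=10.5.0"`) have the same open-ended shape as the `js-yaml` one and will pick up any later major on the next lockfile refresh with no change visible in this manifest; prefer `"^1.13.5"` and `"^10.5.0"` (or exact versions) so the override still raises the floor above the alerted versions but cannot silently cross a major boundary.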
There was a problem hiding this comment.
js-yaml is a direct dependency declared as "^4.1.1", but the pnpm override widens it to ">=4.1.1". To keep upgrades predictable (and avoid specifier drift in the lockfile), consider pinning the override to a same-major range or dropping the override if the direct dependency range is sufficient.
| "js-yaml": ">=4.1.1", | |
| "js-yaml": "^4.1.1", |
| axios: | ||
| specifier: ^1.12.0 | ||
| version: 1.12.0 | ||
| specifier: '>=1.13.5' | ||
| version: 1.13.5 |
In the lockfile importer, axios’s recorded specifier is ">=1.13.5", but frontend/app/package.json declares axios as "^1.12.0". This makes the lockfile out of sync with the manifest and can cause frozen-lockfile installs to fail; regenerate the lockfile after aligning the manifest range (or keep the specifier matching the manifest).
| axios: | ||
| specifier: ^1.11.0 | ||
| version: 1.12.0 | ||
| specifier: '>=1.13.5' | ||
| version: 1.13.5 |
The lockfile importer records axios with specifier ">=1.13.5", but sdks/typescript/package.json declares axios as "^1.11.0". This indicates the lockfile is out of sync with the package.json and may fail with --frozen-lockfile; update the manifest range and regenerate the lockfile (or keep the lockfile specifier matching the manifest).
| "preact": "10.28.2", | ||
| "prismjs": "^1.30.0", | ||
| "qs": "6.14.1", | ||
| "qs": ">=6.14.2", |
Using an open-ended override like ">=6.14.2" for qs allows future major upgrades when the lockfile is regenerated, which can introduce breaking changes without a manifest diff. Consider pinning to an exact version or a same-major range (for example, a caret range) to keep upgrades explicit and reviewable.
| "qs": ">=6.14.2", | |
| "qs": "^6.14.2", |
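One way to catch the two override problems the review comments keep raising (open-ended `>=` ranges, and overrides that disagree with a direct dependency's declared range) before a lockfile is regenerated, as an added example that is not part of this PR or the Hatchet code base. The manifest below is constructed from the ranges quoted in the comments; it assumes a pnpm-style manifest with overrides under `pnpm.overrides` and plain semver ranges.

```javascript
// Added example (not from the PR): lint a package.json object for
//  1. override ranges with no upper bound (">=x", ">x", "*"), which let the
//     next lockfile refresh resolve a new major with no manifest diff;
//  2. overrides that target a direct dependency with a different range, so the
//     lockfile importer's recorded specifier disagrees with the manifest.
// Assumes pnpm-style `pnpm.overrides`; compound ranges (">=6.14.0 <7") are not
// flagged because they do carry an upper bound.

const OPEN_ENDED = /^\s*(>=?\s*\d[^\s|]*|\*)\s*$/;

function lintOverrides(manifest) {
  const overrides = (manifest.pnpm && manifest.pnpm.overrides) || {};
  const direct = Object.assign(
    {},
    manifest.dependencies || {},
    manifest.devDependencies || {}
  );
  const findings = [];
  for (const [name, range] of Object.entries(overrides)) {
    if (OPEN_ENDED.test(range)) {
      findings.push({
        name,
        kind: 'open-ended-override',
        message: `override "${range}" has no upper bound; use a same-major range or an exact version`,
      });
    }
    if (name in direct && direct[name] !== range) {
      findings.push({
        name,
        kind: 'direct-dependency-mismatch',
        message: `direct range "${direct[name]}" differs from override "${range}"; bump the dependency itself and regenerate the lockfile`,
      });
    }
  }
  return findings;
}

// Constructed manifest modelled on the ranges quoted in the review comments.
const SAMPLE_MANIFEST = {
  dependencies: { axios: '^1.12.0', 'js-yaml': '^4.1.1', qs: '^6.14.2' },
  pnpm: {
    overrides: { axios: '>=1.13.5', 'js-yaml': '>=4.1.1', tar: '^7.5.8', ajv: '>=6.14.0' },
  },
};

for (const f of lintOverrides(SAMPLE_MANIFEST)) {
  console.log(`${f.kind} (${f.name}): ${f.message}`);
}
```

Run it against each `package.json` touched by the PR to list the overrides that would need to become `^` ranges or exact pins.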
Description
Addresses dependabot alerts
Type of change