deps: bump the npm-dependencies group with 3 updates #14
Bumps the npm-dependencies group with 3 updates: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro), [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) and [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint).

Updates `astro` from 6.4.4 to 6.4.5
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.4.5/packages/astro)

Updates `oxfmt` from 0.53.0 to 0.54.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.54.0/npm/oxfmt)

Updates `oxlint` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.69.0/npm/oxlint)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
- dependency-name: oxfmt
  dependency-version: 0.54.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: oxlint
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Walkthrough: This PR updates three dependency versions.
Changes: Dependency Updates
Estimated Code Review Effort: 1 (Trivial) | ~2 minutes
Pre-merge checks: 5 passed
Actionable comments posted: 1
Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 20: package.json currently pins astro@6.4.5 (and uses oxfmt/oxlint) while
npm audit flags a high severity via `@astrojs/vercel` → `@vercel/routing-utils` →
path-to-regexp; update the dependency resolution for `@astrojs/vercel` (change the
version in package.json from ^10.0.8 to a non-vulnerable release such as 8.0.4
or the latest patched version) or add an overrides/resolutions entry to force a
safe path-to-regexp via `@vercel/routing-utils`, then run npm install and npm
audit --json to verify the vulnerability is resolved and run the test/build
(e.g., npm run build / npm test) to ensure compatibility with the updated
`@astrojs/vercel`.
Review info
Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: be9437dd-6f60-4d30-aa46-657def209907
Files ignored due to path filters (1)
package-lock.json is excluded by !**/package-lock.json
Files selected for processing (1)
package.json
| "@astrojs/vercel": "^10.0.8", | ||
| "@vercel/speed-insights": "^2.0.0", | ||
| "astro": "^6.4.4" | ||
| "astro": "^6.4.5" |
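Review bot: only `astro` moves in this hunk (^6.4.4 to ^6.4.5) while `@astrojs/vercel` stays at `^10.0.8`, which is the entry the audit in this thread ties to the high-severity path-to-regexp finding via `@vercel/routing-utils` (GHSA-9wv6-86v2-598j), so merging the bump as-is leaves that finding in place. The suggested move to 8.0.4 would be a two-major downgrade of `@astrojs/vercel`; the `overrides` route the review also mentions avoids that, and `npm audit --json` after `npm install` should show the advisory gone before this is merged.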
Analysis chain
Script executed:
```bash
#!/bin/bash
# Description: Verify npm package versions exist and check for security advisories
echo "=== Checking package versions on npm registry ==="
for pkg_spec in "astro@6.4.5" "oxfmt@0.54.0" "oxlint@1.69.0"; do
  # Split on the last '@' so the split also survives scoped names (@scope/pkg@ver)
  pkg_name="${pkg_spec%@*}"
  pkg_version="${pkg_spec##*@}"
  echo -e "\n--- Checking $pkg_name@$pkg_version ---"
  # Check if version exists on npm
  npm view "$pkg_spec" version 2>/dev/null || echo "⚠️ Version not found on npm registry"
done
echo -e "\n=== Checking for security advisories ==="
# Use npm audit with the package.json to check for known vulnerabilities.
# `via[0]` is an advisory object for the root package but a plain string for
# packages that are only affected transitively, so read .title only from an object.
npm audit --json 2>/dev/null \
  | jq -r '.vulnerabilities | to_entries[] | "\(.key): \(.value.severity) - \((.value.via[0] | if type == "object" then .title else . end) // "Advisory available")"' 2>/dev/null \
  || echo "No vulnerabilities found or npm audit not available"
```
Repository: finallyjay/daily-dev-roulette
Length of output: 330
Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "=== package.json context (lines ~10-35) ==="
if [ -f package.json ]; then
  nl -ba package.json | sed -n '10,35p'
else
  echo "package.json not found"
  exit 1
fi
echo -e "\n=== Lockfile presence ==="
ls -1 package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml 2>/dev/null || true
echo -e "\n=== npm audit --json raw (first 80 lines) ==="
# Capture both stdout+stderr; don't suppress errors this time.
# Limit output to keep within sandbox limits.
set +e
npm audit --json 2>&1 | head -n 80
# $? would report the pipeline's status; PIPESTATUS[0] is npm's own exit code.
rc=${PIPESTATUS[0]}
set -e
echo -e "\n=== npm audit exit code: $rc ==="
echo -e "\n=== Parse audit vulnerabilities count (if JSON) ==="
set +e
audit_json="$(npm audit --json 2>/dev/null)"
if echo "$audit_json" | jq -e '.vulnerabilities' >/dev/null 2>&1; then
  jq -r '(.vulnerabilities | length) as $n | "\nvulnerabilities: \($n)"' <<<"$audit_json"
  # `via[0]` is an advisory object for the root package but a plain string for
  # transitively affected packages; read .title only from an object.
  jq -r '.vulnerabilities | to_entries[] | "\(.key): \(.value.severity) - \(.value.title // (.value.via[0] | if type == "object" then .title else . end) // "Advisory available")"' <<<"$audit_json" 2>/dev/null | head -n 50
else
  echo "Could not parse npm audit output as JSON (likely requires a lockfile / install)."
fi
set -e
```
Repository: finallyjay/daily-dev-roulette
Length of output: 178
Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "=== package.json context (lines ~10-35) ==="
if [ -f package.json ]; then
  cat -n package.json | sed -n '10,35p'
else
  echo "package.json not found"
  exit 1
fi
echo -e "\n=== Lockfile presence ==="
ls -1 package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml 2>/dev/null || true
echo -e "\n=== npm audit --json raw (first 120 lines or until non-JSON) ==="
set +e
npm audit --json 2>&1 | head -n 120
# $? would report the pipeline's status; PIPESTATUS[0] is npm's own exit code.
rc=${PIPESTATUS[0]}
set -e
echo -e "\n=== npm audit exit code: $rc ==="
echo -e "\n=== Parse audit vulnerabilities (if JSON) ==="
set +e
audit_json="$(npm audit --json 2>/dev/null)"
if [ -n "${audit_json:-}" ] && echo "$audit_json" | jq -e '.vulnerabilities' >/dev/null 2>&1; then
  jq -r '(.vulnerabilities | length) as $n | "\nvulnerabilities: \($n)"' <<<"$audit_json"
  # `via[0]` is an advisory object for the root package but a plain string for
  # transitively affected packages; read .title only from an object.
  jq -r '.vulnerabilities | to_entries[] | "\(.key): \(.value.severity) - \(.value.title // (.value.via[0] | if type == "object" then .title else . end) // "Advisory available")"' <<<"$audit_json" 2>/dev/null | head -n 50
else
  echo "npm audit output was not valid JSON (or jq parse failed)."
  # Show whatever npm audit printed in error mode (small sample)
  npm audit --json 2>&1 | head -n 30 || true
fi
set -e
```
Repository: finallyjay/daily-dev-roulette
Length of output: 3206
Verify npm dependency versions and security advisories (npm audit)
astro@6.4.5, oxfmt@0.54.0, and oxlint@1.69.0 exist on npm. npm audit --json reports 3 high vulnerabilities coming from @astrojs/vercel → @vercel/routing-utils → path-to-regexp (GHSA-9wv6-86v2-598j). Audit fix availability suggests updating @astrojs/vercel (currently ^10.0.8) to a non-vulnerable version (e.g., 8.0.4) or using an override.
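The remediation the review describes (confirm the audit chain, pin the transitive with an `overrides` entry, re-run `npm audit --json`) as an added example, not code from the PR, from CodeRabbit or from Dependabot: it walks a constructed `npm audit --json` report shaped like npm's version-2 audit output, reconstructs the chain from direct dependency to vulnerable package for a given GHSA id, and emits the nested `overrides` entry for package.json. The package names and advisory id come from the review thread; the version ranges, the advisory title and the `<SAFE_RANGE>` value are placeholders, since the page does not state which path-to-regexp release is fixed.

```javascript
// Added example (not code from the PR, CodeRabbit or Dependabot).
// Parses an `npm audit --json` (auditReportVersion 2) report, finds every
// package whose advisories include a given GHSA id, follows `effects` up to
// the direct dependency that pulls it in, and proposes a package.json
// `overrides` entry scoped under the vulnerable package's immediate parent.

// Constructed sample modelled on the chain named in the review:
// @astrojs/vercel -> @vercel/routing-utils -> path-to-regexp.
// Ranges, source number and title are placeholders; only the package names
// and the advisory id are taken from the review thread.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'path-to-regexp': {
      name: 'path-to-regexp',
      severity: 'high',
      isDirect: false,
      via: [{
        source: 0,                                   // placeholder advisory number
        name: 'path-to-regexp',
        title: 'Constructed advisory title',         // placeholder
        url: 'https://github.com/advisories/GHSA-9wv6-86v2-598j',
        severity: 'high',
        range: '<VULNERABLE_RANGE>',                 // placeholder
      }],
      effects: ['@vercel/routing-utils'],
    },
    '@vercel/routing-utils': {
      name: '@vercel/routing-utils',
      severity: 'high',
      isDirect: false,
      via: ['path-to-regexp'],       // string entries point at a vulnerable dependency
      effects: ['@astrojs/vercel'],
    },
    '@astrojs/vercel': {
      name: '@astrojs/vercel',
      severity: 'high',
      isDirect: true,                // listed in package.json
      via: ['@vercel/routing-utils'],
      effects: [],
    },
  },
};

// Names of packages that carry an advisory object for `ghsaId` in their own
// `via` list. Objects are advisories; strings are transitive references, so
// they are skipped (this is the distinction the jq one-liners above trip on).
function packagesWithAdvisory(report, ghsaId) {
  return Object.values(report.vulnerabilities)
    .filter(v => v.via.some(e => typeof e === 'object' && (e.url || '').endsWith('/' + ghsaId)))
    .map(v => v.name);
}

// Follow `effects` upward from `pkg` until a direct dependency (or a package
// with no dependents) is reached. Returns chains as [direct, ..., pkg].
function chainsToDirect(report, pkg, seen = new Set()) {
  const node = report.vulnerabilities[pkg];
  if (!node || seen.has(pkg)) return [];
  seen.add(pkg);
  if (node.isDirect || node.effects.length === 0) return [[pkg]];
  const chains = [];
  for (const parent of node.effects) {
    for (const chain of chainsToDirect(report, parent, new Set(seen))) {
      chains.push([...chain, pkg]);
    }
  }
  return chains;
}

// npm's nested override form: pin the vulnerable package only where it sits
// under its immediate parent, leaving unrelated copies untouched.
function overrideFor(chain, safeRange) {
  const vulnerable = chain[chain.length - 1];
  const parent = chain[chain.length - 2];
  return parent ? { [parent]: { [vulnerable]: safeRange } } : { [vulnerable]: safeRange };
}

// Collect chains and merge the per-chain overrides into one object.
function proposeOverrides(report, ghsaId, safeRange) {
  const result = { chains: [], overrides: {} };
  for (const pkg of packagesWithAdvisory(report, ghsaId)) {
    for (const chain of chainsToDirect(report, pkg)) {
      result.chains.push(chain.join(' -> '));
      for (const [key, val] of Object.entries(overrideFor(chain, safeRange))) {
        result.overrides[key] = typeof val === 'object'
          ? { ...(result.overrides[key] || {}), ...val }
          : val;
      }
    }
  }
  return result;
}

console.log(JSON.stringify(proposeOverrides(SAMPLE_AUDIT, 'GHSA-9wv6-86v2-598j', '<SAFE_RANGE>'), null, 2));
```

In practice the report comes from `npm audit --json > audit.json` and the parsed file replaces `SAMPLE_AUDIT`; after the `overrides` block is added to package.json and `npm install` has refreshed the lockfile, `packagesWithAdvisory` returning an empty list on a fresh report is the check that the advisory is gone. The build and tests still need to run afterwards, since an override changes what `@vercel/routing-utils` actually loads.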
Bumps the npm-dependencies group with 3 updates: astro, oxfmt and oxlint.

Updates astro from 6.4.4 to 6.4.5

Release notes
Sourced from astro's releases.

Changelog
Sourced from astro's changelog.

Commits
- 0b879fb [ci] release (#16972)
- dc45246 Revert isNode workerd detection that caused Cloudflare build regression (#16997)
- 132a879 [ci] format
- 4ecff32 fix(node): resolve experimental logger before logging server startup … (#16985)
- e0703a6 fix(fetch): sync request.url with forwarded headers in FetchState (#16947)
- 12495be fix(errors): correct param key in getStaticPaths error-doc examples (slug → i...
- c90ce97 refactor: use hex color in CSS test (#16970)

Updates oxfmt from 0.53.0 to 0.54.0

Changelog
Sourced from oxfmt's changelog.
... (truncated)

Commits
- 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
- dadafe3 docs(oxlint, oxfmt): mention migrate skills in npm READMEs (#22965)
- f88961a docs(oxfmt): annotate each config option with supported languages (#22953)

Updates oxlint from 1.68.0 to 1.69.0

Release notes
Sourced from oxlint's releases.
... (truncated)

Changelog
Sourced from oxlint's changelog.

Commits
- 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
- e805174 feat(linter): add schema for jest/vitest/max-expects (#23105)
- 7850577 feat(linter): add schema for jest/vitest/expect-expect (#23104)
- 75f641a feat(linter): add schema for jest/vitest/consistent-test-it (#23103)
- d65b860 refactor(linter): reuse non-object references for rules schemas (#23100)
- 6bcd52c refactor(linter): share "alway" | "never" option across rules (#23099)
- 5125f89 feat(linter/unicorn): support no-null checkArguments option (#23098)
- b8b9797 feat(linter): add schema for import-max-dependencies (#23096)
- 65cb47a feat(linter/eslint): support no-unused-expressions ignoreDirectives option ...
- f6c36d5 feat(linter): add schema for import/prefer-default-export (#23091)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions