Dependabot sweep on 2026-06-23. 6 safe bumps were adopted (#339 docker/login-action, #340 ssh-agent, #341 pnpm/action-setup, #323 setup-node, #327 upload-artifact, #333 @types/supertest). The 9 below each fail CI against current main (real breaking changes, not staleness) or need ecosystem-specific verification — each is a real migration, deferred here with the diagnosis + fix hint so it can be picked up cleanly. PRs left open so Dependabot keeps them current.
Progress — 2026-06-23: @noble/hashes 1→2 migrated and merged (#345) — 8 deferred remain.
Needs code migration (CI verified-failing on current main)
Needs ecosystem-specific verification (not covered by PR CI)
Dependabot sweep on 2026-06-23. 6 safe bumps were adopted (#339 docker/login-action, #340 ssh-agent, #341 pnpm/action-setup, #323 setup-node, #327 upload-artifact, #333 @types/supertest). The 9 below each fail CI against current
main(real breaking changes, not staleness) or need ecosystem-specific verification — each is a real migration, deferred here with the diagnosis + fix hint so it can be picked up cleanly. PRs left open so Dependabot keeps them current.Progress — 2026-06-23:
@noble/hashes1→2 migrated and merged (#345) — 8 deferred remain.Needs code migration (CI verified-failing on current main)
build(deps): bump @noble/hashes from 1.8.0 to 2.2.0 #335— ✅ DONE via chore(deps): migrate @noble/hashes 1.x → 2.x #345. Bigger than triaged: v2 dropped all bare subpath exports (not just@noble/hashes1.8.0→2.2.0sha256/sha512→sha2), so every import moved to the.js-suffixedsha2.js/sha3.js/utils.jspaths — 22 sites across root API +@sipher/sdk+@sipher/agent. Merged with NIST/Keccak known-answer characterization tests proving byte-identical output on both v1 and v2. Confirmed all three packages resolve@noble/hashes@2.2.0; the@sip-protocol/sdktransitive 1.x coexists harmlessly. Superseded Dependabot build(deps): bump @noble/hashes from 1.8.0 to 2.2.0 #335.zod3→4 —error.errors→error.issues(src/middleware/validation.ts:29) + general zod 4 migration (defaults, error formats). Verify all schema validation paths.vitest3→4 — test runtime error; vitest 4 config/API migration.@vitejs/plugin-react4→6 — app build/e2e fails (dist/app.jsnot produced); Vite plugin major.pino-http10→11 —No overload matches this call(src/logger.ts:26); logger options API change.TSchema;tests/pi/tool-adapter.test.tsaccesses.type/.properties/.requiredon it → typecheck fails. Adapt the test's TSchema access, or have Dependabot re-group excluding the breaking update to land the other 24.Needs ecosystem-specific verification (not covered by PR CI)
jsdom25→29 — dev dep, only apnpm-lock.yamlconflict (no code change). Re-resolve the lockfile + merge.node22→26-alpine — Docker base image. The Docker build runs only on themaindeploy, not on PRs, so green PR CI does NOT verify it. Rundocker buildlocally before merging.reqwest0.12→0.13 (/sdks/rust) — Rust HTTP lib. Verifycargo build/cargo testin the Rust SDK.