Skip to content

chore(deps): sweep safe Dependabot advisories (realiojs)#19

Open
karlkeppner1 wants to merge 1 commit into
mainfrom
chore/dependabot-sweep-2026-06-05
Open

chore(deps): sweep safe Dependabot advisories (realiojs)#19
karlkeppner1 wants to merge 1 commit into
mainfrom
chore/dependabot-sweep-2026-06-05

Conversation

@karlkeppner1

@karlkeppner1 karlkeppner1 commented Jun 5, 2026

Copy link
Copy Markdown

Org-wide Dependabot sweep — safe (non-breaking) only.

Fixed: npm audit fix (non-breaking) — clears semver-compatible transitive advisories.

Flagged — needs manual review (MAJOR upgrades / migration):

  • lerna9.0.7 (dev/publish tooling — drives the @lerna/, @octokit/, git-up/git-url-parse/form-data chain, incl. several criticals)
  • ethers v5 → 6.16.0 (breaking API change in a published library — requires code migration)
  • jest-junit → 17.0.0

⚠️ Verified by CI. (Repo tracks both package-lock.json and yarn.lock; only package-lock.json was updated — worth reconciling.)

🤖 Generated with Claude Code

@karlkeppner1 @claude
chore(deps): sweep safe (non-breaking) Dependabot advisories
207f8f6 
Applies `npm audit fix` (non-breaking only) — clears semver-compatible transitive advisories.

Flagged for manual review (NOT in this PR — require MAJOR upgrades / migration):
- lerna -> 9.0.7 (dev/publish tooling; drives the @lerna/*, @octokit/*, git-* chain incl. several criticals)
- ethers v5 -> 6.16.0 (BREAKING API change in a published library — needs code migration)
- jest-junit -> 17.0.0

Verified by CI. (Repo tracks both package-lock.json and yarn.lock; only package-lock.json updated.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@karlkeppner1 karlkeppner1 requested a review from jiujiteiro June 9, 2026 17:43
jiujiteiro
jiujiteiro reviewed Jun 12, 2026
View reviewed changes

@jiujiteiro jiujiteiro left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@karlkeppner1 is this supposed to be just the lockfile?

@karlkeppner1

karlkeppner1 commented Jun 12, 2026

Copy link
Copy Markdown
Author

@jiujiteiro yes — intentional. This PR is the non-breaking pass only: npm audit fix (without --force) just rewrites package-lock.json to pull semver-compatible patched versions of transitive deps, so there are no package.json changes.

The remaining advisories all require major upgrades that I deliberately left out of a deps-sweep PR because they need real migration + review:

  • lerna → 9 (dev/publish tooling — drives the @lerna/, @octokit/, git-* chain incl. a couple criticals)
  • ethers v5 → v6 (breaking API change in a published library)
  • jest-junit → 17

Want me to open a separate PR for the ethers v5 → v6 migration (and/or the lerna bump), or leave those for a deliberate upgrade?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jiujiteiro jiujiteiro jiujiteiro left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@karlkeppner1 @jiujiteiro