chore: dependency updates#7767
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7767 +/- ##
=======================================
Coverage 75.39% 75.39%
=======================================
Files 428 428
Lines 22540 22540
Branches 5945 5945
=======================================
Hits 16994 16994
Misses 5546 5546
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
hardillb
left a comment
There was a problem hiding this comment.
I don't like using overrides, but if it clears the old CVEs then so be it.
I dont disagree. It creates a maintenance burden (i.e. we need to check & remove as new updates arrive) but there is no other way to update transient dependencies. To mitigate this, I did tightly scoped (where possible) (some could not be so tight due to peer deps) The alternative is we live with wayward transient issues until the parent of those transients update. Lets get @knolleary take before we merge. Alternatively, we hold until Eng Meeting? |
Description
Update transitive deps
Bumps a set of transitive dependencies up to their fixed lines via npm
overrides. All changes are scoped topackage.json+package-lock.json- no source changes.Every affected package is a transitive dependency (none are declared directly), so the fixes are applied through
overridesrather than direct version bumps.What changed
Why these choices
Surgical, version-scoped keys where possible.
serialize-javascriptandminimatchuse range-keyed overrides (@<7.0.7,@>=9 <9.0.9) so only the scoped copies are rewritten. The already-patched copies in the tree (e.g. the nineminimatch@10.xinstances,serialize-javascript@7.0.5) are left untouched. This results in minimal lockfile churn minimal.uuid pinned to 11.1.1, not the latest 14. uuid 13/14 are effectively ESM-only for the
require()path and requirenode ^20.19 || >=22.12. Our runtime consumer,sequelize, loads uuid via CommonJS (require("uuid").v1/.v4), and ourenginesfield allowsnode >=20.10.0. uuid 11.1.1 is the lowest fixed line that still ships a genuine CommonJS build (via therequireexport condition), so it works across our entire supported Node range. Theuuid@8/uuid@9keys target the transitive copies (sequelize, sockjs, @sentry/webpack-plugin) without colliding with our directuuid@^14dependency.vite held at 6.4.3 (not 7/8). vite ≥7 requires
node ^20.19 || >=22.12, which would break ourengines: node >=20.10.0on the dev/test toolchain. 6.4.3 is the patched release that stays compatible. It's pinned as a blanket override rather than a range-keyed one because vite is a peer dependency of@vitejs/plugin-vueandvitest; a range-keyed override there trips anERESOLVEpeer conflict, whereas an exact pin keeps every vite edge in agreement. NOTE the peer dep supports v4, v5, v6, v7 and v8 so a blanket override is not an issue here.Pinned exact (no
^/~). Overrides force a version tree-wide, so they're pinned to avoid silent drift on the nextnpm install/ dependabot regeneration. If a pin causes issues later, it's a one-line change to relax.Validation
npm installresolves cleanly (noERESOLVE).randombytes, the duplicateserialize-javascript@7.0.5) -no unrelated transitive drift.sequelizedefining and creating aUUIDV4-default model against uuid 11.1.1.Follow-up
jsonatais also flagged but is intentionally not addressed here. It will be handled separately in the nr-launcher once Node-RED is updated in and flowfuse (#7765).Related Issue(s)
dependency updates
Checklist
flowforge.yml?FlowFuse/helmto update ConfigMap TemplateFlowFuse/CloudProjectto update values for Staging/ProductionLabels
area:migrationlabel