Skip to content

chore: dependency updates#7767

Open
Steve-Mcl wants to merge 2 commits into
mainfrom
chore-high-deps
Open

chore: dependency updates#7767
Steve-Mcl wants to merge 2 commits into
mainfrom
chore-high-deps

Conversation

@Steve-Mcl

Copy link
Copy Markdown
Contributor

Description

Update transitive deps

Bumps a set of transitive dependencies up to their fixed lines via npm overrides. All changes are scoped to package.json + package-lock.json - no source changes.

Every affected package is a transitive dependency (none are declared directly), so the fixes are applied through overrides rather than direct version bumps.

What changed

Package Result
serialize-javascript 6.0.2 → 7.0.7 (two copies deduped onto one)
minimatch 9.0.1 → 9.0.9
uuid 8.3.2 / 9.0.1 → 11.1.1
vite 6.4.2 → 6.4.3
"overrides": {
    "serialize-javascript@<7.0.7": "7.0.7",
    "minimatch@>=9 <9.0.9": "9.0.9",
    "uuid@8": "11.1.1",
    "uuid@9": "11.1.1",
    "vite": "6.4.3"
}

Why these choices

Surgical, version-scoped keys where possible. serialize-javascript and minimatch use range-keyed overrides (@<7.0.7, @>=9 <9.0.9) so only the scoped copies are rewritten. The already-patched copies in the tree (e.g. the nine minimatch@10.x instances, serialize-javascript@7.0.5) are left untouched. This results in minimal lockfile churn minimal.

uuid pinned to 11.1.1, not the latest 14. uuid 13/14 are effectively ESM-only for the require() path and require node ^20.19 || >=22.12. Our runtime consumer, sequelize, loads uuid via CommonJS (require("uuid").v1/.v4), and our engines field allows node >=20.10.0. uuid 11.1.1 is the lowest fixed line that still ships a genuine CommonJS build (via the require export condition), so it works across our entire supported Node range. The uuid@8 / uuid@9 keys target the transitive copies (sequelize, sockjs, @sentry/webpack-plugin) without colliding with our direct uuid@^14 dependency.

vite held at 6.4.3 (not 7/8). vite ≥7 requires node ^20.19 || >=22.12, which would break our engines: node >=20.10.0 on the dev/test toolchain. 6.4.3 is the patched release that stays compatible. It's pinned as a blanket override rather than a range-keyed one because vite is a peer dependency of @vitejs/plugin-vue and vitest; a range-keyed override there trips an ERESOLVE peer conflict, whereas an exact pin keeps every vite edge in agreement. NOTE the peer dep supports v4, v5, v6, v7 and v8 so a blanket override is not an issue here.

Pinned exact (no ^/~). Overrides force a version tree-wide, so they're pinned to avoid silent drift on the next npm install / dependabot regeneration. If a pin causes issues later, it's a one-line change to relax.

Validation

  • npm install resolves cleanly (no ERESOLVE).
  • Lockfile diff is limited to the six target entries plus two removals (randombytes, the duplicate serialize-javascript@7.0.5) -no unrelated transitive drift.
  • Smoke-tested the one runtime-affecting change: sequelize defining and creating a UUIDV4-default model against uuid 11.1.1.

Follow-up

jsonata is also flagged but is intentionally not addressed here. It will be handled separately in the nr-launcher once Node-RED is updated in and flowfuse (#7765).

Related Issue(s)

dependency updates

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.39%. Comparing base (cababe3) to head (aa6381b).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7767   +/-   ##
=======================================
  Coverage   75.39%   75.39%           
=======================================
  Files         428      428           
  Lines       22540    22540           
  Branches     5945     5945           
=======================================
  Hits        16994    16994           
  Misses       5546     5546           
Flag Coverage Δ
backend 75.39% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@hardillb hardillb left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like using overrides, but if it clears the old CVEs then so be it.

@Steve-Mcl

Steve-Mcl commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

I don't like using overrides, but if it clears the old CVEs then so be it.

I dont disagree. It creates a maintenance burden (i.e. we need to check & remove as new updates arrive) but there is no other way to update transient dependencies. To mitigate this, I did tightly scoped (where possible) (some could not be so tight due to peer deps)

The alternative is we live with wayward transient issues until the parent of those transients update.

Lets get @knolleary take before we merge.

Alternatively, we hold until Eng Meeting?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants