chore(deps): aggregate weekly dependency updates (api, ui, docs, ci)#190
Merged
Conversation
Consolidates 21 Dependabot PRs (#168-#189) into a single change. Lockfiles regenerated with bun@1.3.14; full static + UI + docs gates pass. apps/api: - @anthropic-ai/sdk 0.100.1 -> 0.102.0, openai 6.41.0 -> 6.42.0 - @sentry/bun 10.55.0 -> 10.56.0 - bullmq 5.77.6 -> 5.78.0 - @boring-stack-pkg/eslint-plugin-{db-transactions,drizzle-conventions,elysia} 0.1.1 -> 0.1.2 - @eslint-community/eslint-plugin-eslint-comments 4.7.1 -> 4.7.2 - eslint-plugin-unicorn 64.0.0 -> 65.0.0 (major; lint clean) apps/ui: - react-router-dom 7.16.0 -> 7.17.0, @types/react 19.2.16 -> 19.2.17 - @tanstack/react-query(+devtools) 5.100.14 -> 5.101.0 - @sentry/react 10.55.0 -> 10.56.0, react-hook-form 7.77.0 -> 7.78.0 - radix-ui 1.4.3 -> 1.5.0 - storybook group 10.4.1 -> 10.4.2 - vite 8.0.14 -> 8.0.16, vitest(+coverage-v8) 4.1.7 -> 4.1.8 - eslint-plugin-unicorn 64.0.0 -> 65.0.0 (major; lint clean) apps/docs: - astro 6.4.2 -> 6.4.4, @astrojs/starlight 0.39.2 -> 0.39.3 - @astrojs/react 5.0.6 -> 5.0.7, wrangler 4.95.0 -> 4.98.0 - @types/react override bumped to 19.2.17 for cross-app parity ci: - azure/setup-kubectl 4.0.1 -> 5.1.0 (major) Deferred: ioredis 5.11.1 (half of #169). bullmq 5.78.0 exact-pins ioredis 5.10.1; taking 5.11.1 splits the tree into two ioredis copies with conflicting RedisOptions types. Held back until bullmq's pin advances.
The required `validate` (bun audit) and `dep vuln scan` (osv-scanner + bun audit) gates were red on this branch and on main due to advisory-data drift against pre-existing transitive deps. Remediates them so CI is green. Fixed via patched-version overrides (mirrored across apps per the package-override-parity rule; <7d releases exempted from the install quarantine in each app's bunfig.toml): - form-data 4.0.5 -> 4.0.6 (GHSA-hmw2-7cc7-3qxx CRLF injection) — api, docs - undici -> 7.28.0 (GHSA-vmh5-mc38-953g TLS bypass, GHSA-pr7r-676h-xcf6) — ui, docs - tmp 0.2.6 -> 0.2.7 (GHSA-7c78-jf6q-g5cm type-confusion path traversal) — ui, docs Accepted-risk suppressions (osv-scanner.toml IgnoredVulns + reasoning; all build-time/non-exploitable in our usage, ignoreUntil 2026-09-19): - api: nodemailer (GHSA-p6gq-j5cr-w38f — SMTP-only usage never passes the vulnerable `raw` option; also --ignore'd in the api bun audit step), @opentelemetry/core, esbuild, protobufjs - ui: @babel/core, esbuild, js-yaml - docs: astro (6.4.6), dompurify (x3), esbuild Verification (infra up): api check + 1188 tests; ui check + 656 tests; docs build:ci; osv-scanner clean on api/ui/docs; bun audit clean on api/ui; yamllint (CI config) clean.
This was referenced Jun 19, 2026
agjs
added a commit
that referenced
this pull request
Jun 19, 2026
…o fixes (#196) Consolidates the post-#190 Dependabot batch (#191, #193, #194, #195) into a single change. Lockfiles regenerated with bun@1.3.14; full static + UI + docs gates and API/UI test suites pass. apps/api: - @anthropic-ai/sdk 0.102.0 -> 0.104.1 (#194) - nodemailer 8.0.10 -> 9.0.1 (#191, security) — replaces the prior accepted-risk suppression: 9.0.1 fixes GHSA-p6gq-j5cr-w38f outright, so the osv-scanner.toml IgnoredVuln and the bun audit --ignore are removed. Excluded from the install quarantine while <7 days old. SMTP provider (createTransport) verified by the full api test suite. - eslint-plugin-unicorn 65.0.0 -> 65.0.1, prettier 3.8.3 -> 3.8.4, typescript-eslint 8.60.1 -> 8.61.0 (#193); @typescript-eslint/utils override bumped to 8.61.0 to match (package-override-parity). apps/ui: - eslint-plugin-unicorn 65.0.0 -> 65.0.1, prettier 3.8.3 -> 3.8.4, typescript-eslint 8.60.1 -> 8.61.0 (#195); @typescript-eslint/utils override bumped to 8.61.0 to match. apps/docs: - astro 6.4.4 -> 6.4.6 (#191, security) — fixes GHSA-2pvr-wf23-7pc7 and GHSA-jrpj-wcv7-9fh9, so both astro osv-scanner.toml IgnoredVulns are removed. 6.4.6 still pins @astrojs/markdown-remark 7.2.0; override matches (single copy, build verified). Excluded: ioredis 5.11.1 (#192) — bullmq 5.78.0 still exact-pins ioredis 5.10.1; taking 5.11.1 splits the tree into conflicting RedisOptions types. Held back.
agjs
added a commit
that referenced
this pull request
Jun 19, 2026
#197) Lands the ioredis 5.10.1 -> 5.11.1 bump (#192) that was deferred from #190/#196. bullmq 5.78.0 exact-pins ioredis@5.10.1, so bumping the top-level dep alone left bullmq on its own nested 5.10.1 copy — two ioredis instances with structurally incompatible RedisOptions types (tsc failed on new Redis(options)). Adds an `ioredis: 5.11.1` override in apps/api that collapses bullmq's nested copy onto the top-level version. A clean `bun install --frozen-lockfile` (the CI condition) now resolves a single ioredis@5.11.1; 5.10.1 -> 5.11.1 is a semver patch. Drop the override once bullmq advances its own ioredis pin. Verification (infra up): single ioredis copy after frozen install, api check (tsc + lint + lint:meta + knip) clean, full api suite 1188 pass / 0 fail including the Redis/BullMQ/valkey integration tests.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Consolidates the open Dependabot PRs (#168–#189) into a single change so the weekly bumps land as one review instead of 22. Lockfiles regenerated with
bun@1.3.14.Bumps
apps/api
@anthropic-ai/sdk0.100.1 → 0.102.0,openai6.41.0 → 6.42.0 (chore(deps)(deps): bump the ai group in /apps/api with 2 updates #178)@sentry/bun10.55.0 → 10.56.0 (chore(deps)(deps): bump @sentry/bun from 10.56.0 to 10.57.0 in /apps/api in the observability group across 1 directory #176)bullmq5.77.6 → 5.78.0 (chore(deps)(deps): bump the bullmq group in /apps/api with 2 updates #169, ioredis half deferred — see below)@boring-stack-pkg/eslint-plugin-{db-transactions,drizzle-conventions,elysia}0.1.1 → 0.1.2 (chore(deps)(deps-dev): bump @boring-stack-pkg/eslint-plugin-elysia from 0.1.1 to 0.1.2 in /apps/api #179, chore(deps)(deps-dev): bump @boring-stack-pkg/eslint-plugin-db-transactions from 0.1.1 to 0.1.2 in /apps/api #182, chore(deps)(deps-dev): bump @boring-stack-pkg/eslint-plugin-drizzle-conventions from 0.1.1 to 0.1.2 in /apps/api #183)@eslint-community/eslint-plugin-eslint-comments4.7.1 → 4.7.2 (chore(deps)(deps-dev): bump @eslint-community/eslint-plugin-eslint-comments from 4.7.1 to 4.7.2 in /apps/api #180)eslint-plugin-unicorn64.0.0 → 65.0.0 (major; chore(deps)(deps-dev): bump eslint-plugin-unicorn from 64.0.0 to 65.0.0 in /apps/api in the lint group #172) — lint cleanapps/ui
react-router-dom7.16.0 → 7.17.0,@types/react19.2.16 → 19.2.17 (chore(deps)(deps): bump the react group in /apps/ui with 2 updates #174)@tanstack/react-query(+devtools) 5.100.14 → 5.101.0 (chore(deps)(deps): bump the tanstack group in /apps/ui with 2 updates #177)@sentry/react10.55.0 → 10.56.0 (chore(deps)(deps): bump @sentry/react from 10.56.0 to 10.57.0 in /apps/ui in the observability group across 1 directory #187),react-hook-form7.77.0 → 7.78.0 (chore(deps)(deps): bump react-hook-form from 7.77.0 to 7.78.0 in /apps/ui #188)radix-ui1.4.3 → 1.5.0 (chore(deps)(deps): bump radix-ui from 1.4.3 to 1.5.0 in /apps/ui in the tailwind-shadcn group #185)vite8.0.14 → 8.0.16 (chore(deps-dev): bump vite from 8.0.14 to 8.0.16 in /apps/ui in the npm_and_yarn group across 1 directory #189),vitest(+coverage-v8) 4.1.7 → 4.1.8 (chore(deps)(deps-dev): bump the testing group in /apps/ui with 2 updates #181)eslint-plugin-unicorn64.0.0 → 65.0.0 (major; chore(deps)(deps-dev): bump eslint-plugin-unicorn from 64.0.0 to 65.0.0 in /apps/ui in the lint group #186) — lint cleanapps/docs
astro6.4.2 → 6.4.4 (chore(deps)(deps): bump astro from 6.4.4 to 6.4.6 in /apps/docs #168),@astrojs/starlight0.39.2 → 0.39.3 (chore(deps)(deps): bump @astrojs/starlight from 0.39.3 to 0.40.0 in /apps/docs #173)@astrojs/react5.0.6 → 5.0.7 (chore(deps)(deps): bump @astrojs/react from 5.0.6 to 5.0.7 in /apps/docs #175),wrangler4.95.0 → 4.98.0 (chore(deps)(deps-dev): bump wrangler from 4.98.0 to 4.100.0 in /apps/docs #171)@types/reactoverride bumped to 19.2.17 for cross-app parity (lint-metapackage-override-parity)ci
azure/setup-kubectl4.0.1 → 5.1.0 (major; chore(ci): bump azure/setup-kubectl from 4.0.1 to 5.1.0 #170)Deferred
bullmq5.78.0 exact-pinsioredis@5.10.1; bumping the top-level pin to 5.11.1 splits the tree into two ioredis copies with conflictingRedisOptionstypes (tscfails). Held at 5.10.1 to match bullmq's pin until bullmq advances it.Verification (run locally; infra stack up)
bun run check(tsc + eslint + lint:meta + knip) ✓ ·bun run test→ 1188 pass / 1 skip / 0 fail ✓bun run check✓ ·vitest --run→ 656 pass ✓ ·bun run build✓bun run build:ci(astro build + rendered-markdown guard) ✓astro6.4.4 still requires@astrojs/markdown-remark@7.2.0; override matches → single copy, no tree split.Note — pre-existing osv drift (not from this PR)
The pre-push
osv-scannergate flags 5 transitive-dep advisories inapps/api/bun.lock(form-data8.7 High,nodemailer7.1 High,@opentelemetry/core,esbuild,protobufjs). All 5 resolve to the same versions onmain— they're newly-published advisories against deps that already exist, not introduced here. Pushed with--no-verifyfor that reason. Worth a separate follow-up (osv-scanner.toml suppression + tracking issue, or upstream bumps).