chore(deps): bump js-yaml from 3.14.1 to 3.14.2 in /examples/launchtube-plugin-example/launchtube #708
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.14.2.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot wasn't able to review any files in this pull request.
Files not reviewed (1)
- examples/launchtube-plugin-example/launchtube/pnpm-lock.yaml: Language not supported
| js-yaml@3.14.1: | ||
| resolution: {integrity: sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==} | ||
| hasBin: true |
This lockfile update does not actually bump js-yaml to 3.14.2 as stated in the PR title/description—js-yaml@3.14.1 is still resolved here (and in the snapshots section). Please re-run the update so the resolved version becomes 3.14.2 (e.g., adjust the dependency constraint/overrides or run a targeted pnpm update so the lockfile picks up 3.14.2).
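A lockfile check for the mismatch raised in the comment above, as an added example that is not part of the pull request or the repository: it scans pnpm lockfile text for every resolved version of a package and reports those below a required floor. The sample lockfile, its placeholder integrity values, and the function names are constructed for illustration.

```javascript
// Constructed pnpm-lock.yaml excerpt (sample data, not the PR's real lockfile).
const SAMPLE_LOCK = `
packages:

  js-yaml@3.14.1:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true

  argparse@1.0.10:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  js-yaml@3.14.1:
    dependencies:
      argparse: 1.0.10
`;

// Parse "x.y.z" into numbers; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(n => parseInt(n, 10) || 0);
}

// True when `version` sorts strictly below `floor` on major.minor.patch.
function isBelow(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Return every resolved version of `name` in the lockfile text that is below `floor`.
// Both the packages and snapshots sections are covered; duplicates are collapsed.
function staleResolutions(lockText, name, floor) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
  // Keys look like "  js-yaml@3.14.1:" (older lockfiles prefix the name with "/").
  const key = new RegExp(`^[ \\t]+'?/?${escaped}@(\\d+\\.\\d+\\.\\d+[^\\s:('"]*)`, 'gm');
  const found = new Set();
  for (const m of lockText.matchAll(key)) found.add(m[1]);
  return [...found].filter(v => isBelow(v, floor)).sort();
}
```

Run in CI against the updated lockfile, a non-empty result for `staleResolutions(text, 'js-yaml', '3.14.2')` means the bump did not take effect.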
| overrides: | ||
| axios@>=1.0.0 <1.12.0: '>=1.12.0' | ||
| axios@>=1.0.0 <=1.13.4: '>=1.13.5' | ||
|
|
The overrides block forcing patched axios versions was removed from this lockfile. Since other pnpm lockfiles in the repo still carry these overrides, dropping them here can allow future installs/resolution changes to bring back vulnerable axios versions. Please restore the overrides (ideally sourced from the same place as the other examples) so this example remains aligned with the repo’s dependency security constraints.
| overrides: | |
| axios: ^1.7.4 |
|
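Review bot: The `axios: ^1.7.4` override in this block accepts any 1.x release from 1.7.4 upward, which includes the ranges that the `axios@>=1.0.0 <1.12.0: '>=1.12.0'` and `axios@>=1.0.0 <=1.13.4: '>=1.13.5'` entries shown earlier in this diff exclude. If this is the override the lockfile ends up with, raise its floor to `>=1.13.5` so resolution cannot settle on a release inside those ranges.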
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps js-yaml from 3.14.1 to 3.14.2.
Changelog
Sourced from js-yaml's changelog.
... (truncated)
Commits
- 9963d36 3.14.2 released
- 10d3c8e dist rebuild
- 5278870 fix prototype pollution in merge (<<) (#731)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.