chore(deps): bump diff from 4.0.2 to 4.0.4 in /examples/launchtube-plugin-example/launchtube #711
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 4.0.4.
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

---
updated-dependencies:
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot wasn't able to review any files in this pull request.
Files not reviewed (1)
- examples/launchtube-plugin-example/launchtube/pnpm-lock.yaml: Language not supported
| overrides: | ||
| axios@>=1.0.0 <1.12.0: '>=1.12.0' | ||
| axios@>=1.0.0 <=1.13.4: '>=1.13.5' | ||
|
|
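Review bot: the two removed lines `axios@>=1.0.0 <1.12.0: '>=1.12.0'` and `axios@>=1.0.0 <=1.13.4: '>=1.13.5'` are the only thing in this lockfile forcing every axios resolution onto the patched range, and a bump of `diff` has no reason to touch them. Before merging, check whether the workspace package.json that this block is generated from was changed in the same commit; if it was not, the block should be restored verbatim so the lockfile stays consistent with the manifest and with the other lockfiles in the repo.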
This lockfile no longer contains the overrides section that pins axios to patched versions. Other pnpm lockfiles in the repo still include these axios overrides (e.g. plugins/pnpm-lock.yaml and examples/basic-example-plugin/test-plugin/pnpm-lock.yaml), so dropping them here could allow future installs/lock regenerations to resolve an older vulnerable axios range. Consider restoring the overrides for consistency and to keep the security constraint in place (ideally sourced from the same place as the other lockfiles).
| overrides: | |
| axios: | |
| version: 1.7.7 |
| diff@4.0.2: | ||
| resolution: {integrity: sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==} | ||
| engines: {node: '>=0.3.1'} |
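Review bot: the `diff@4.0.2:` key and its `sha512-58lmxKSA...` integrity are unchanged in this hunk, so the packages section still records 4.0.2 while the title promises 4.0.4; a real bump replaces the key, the resolution integrity and (if upstream changed it) the `engines` line with the values from the 4.0.4 tarball. The `axios:` / `version: 1.7.7` lines under `overrides:` in the same hunk are unrelated to a diff bump and should either be explained in the PR description or dropped from it.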
PR metadata says diff is bumped to 4.0.4, but this lockfile still pins diff@4.0.2 in the packages section. If the goal is to apply the security backport in 4.0.4, the lockfile should be updated so resolution uses 4.0.4 instead of 4.0.2.
| diff-sequences@29.6.3: {} | ||
|
|
||
| diff@4.0.2: {} | ||
|
|
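Review bot: `diff@4.0.2: {}` in the snapshots section is the entry an install actually materialises, so with this hunk as-is the PR changes nothing on disk. Regenerate the lockfile so that a single 4.0.4 entry appears in both `packages:` and `snapshots:`, and confirm with a search for `diff@4.0.` that no 4.0.2 key remains anywhere in the file.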
The snapshots section still contains diff@4.0.2, which also contradicts the stated bump to 4.0.4. Please ensure both the package entry and snapshot are updated to 4.0.4 so installs actually pick up the patched version.
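Both review comments above (the dropped axios overrides and the diff entries still at 4.0.2) are lockfile regressions a small pre-merge check can catch. The following is an added example, not code from this PR or from pnpm. It assumes the lockfile layout visible in the hunks (exact override lines under `overrides:`, two-space-indented `name@version` keys under `packages:` and `snapshots:`); the lockfile snippets, the policy object and the integrity value inside it are constructed for this example, and the function names are the example's own.

```javascript
// Added example (not part of this PR or of pnpm): a dependency-free audit of
// pnpm-lock.yaml text that catches the two regressions flagged in review:
// a dropped `overrides:` block and a `packages:`/`snapshots:` entry that is
// still below the version the bump claims. Lockfile snippets are constructed
// here; the integrity value is a placeholder, not a real hash.

// Split the lockfile into top-level sections keyed by their unindented name
// (`overrides`, `packages`, `snapshots`, ...). Scalar top-level keys such as
// `lockfileVersion: '9.0'` carry a value on the same line and are skipped.
function topLevelSections(text) {
  const sections = {};
  let current = null;
  for (const line of text.split('\n')) {
    const m = /^([A-Za-z][\w-]*):\s*$/.exec(line);
    if (m) {
      current = m[1];
      sections[current] = [];
    } else if (current !== null) {
      sections[current].push(line);
    }
  }
  return sections;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Return every version of `depName` that appears as a two-space-indented
// `name@x.y.z` key in a section (covers `diff@4.0.2:` and `diff@4.0.2(peer)`).
function entryVersions(sectionLines, depName) {
  const re = new RegExp('^  ' + escapeRegExp(depName) + '@(\\d+\\.\\d+\\.\\d+)');
  const versions = [];
  for (const line of sectionLines) {
    const m = re.exec(line);
    if (m) versions.push(m[1]);
  }
  return versions;
}

// Plain x.y.z comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// policy = { dependency, minVersion, requiredOverrides: [exact override lines] }
function auditLockfile(text, policy) {
  const sections = topLevelSections(text);
  const present = new Set((sections.overrides || []).map((l) => l.trim()).filter(Boolean));
  const missingOverrides = policy.requiredOverrides.filter((o) => !present.has(o.trim()));
  const outdatedEntries = [];
  for (const section of ['packages', 'snapshots']) {
    for (const version of entryVersions(sections[section] || [], policy.dependency)) {
      if (compareVersions(version, policy.minVersion) < 0) outdatedEntries.push({ section, version });
    }
  }
  return {
    missingOverrides,
    outdatedEntries,
    clean: missingOverrides.length === 0 && outdatedEntries.length === 0,
  };
}

const POLICY = {
  dependency: 'diff',
  minVersion: '4.0.4',
  requiredOverrides: [
    "axios@>=1.0.0 <1.12.0: '>=1.12.0'",
    "axios@>=1.0.0 <=1.13.4: '>=1.13.5'",
  ],
};

// Constructed lockfile shaped like the one in this PR before the change.
const LOCK_BEFORE = `lockfileVersion: '9.0'

overrides:
  axios@>=1.0.0 <1.12.0: '>=1.12.0'
  axios@>=1.0.0 <=1.13.4: '>=1.13.5'

packages:

  diff@4.0.2:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=0.3.1'}

snapshots:

  diff@4.0.2: {}
`;

// Constructed: overrides dropped and diff left at 4.0.2, as the hunks show.
const LOCK_AFTER = LOCK_BEFORE.replace(/overrides:\n(?:  .*\n)+\n/, '');

// Constructed: what a correct bump would look like.
const LOCK_FIXED = LOCK_BEFORE.replace(/diff@4\.0\.2/g, 'diff@4.0.4');

for (const [name, text] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER], ['fixed', LOCK_FIXED]]) {
  console.log(name, JSON.stringify(auditLockfile(text, POLICY)));
}
```

Run against the three constructed inputs, `before` reports only the stale `diff` entries, `after` reports both missing overrides as well, and `fixed` comes back clean; wiring `auditLockfile` over every pnpm-lock.yaml in the repo with the same policy is what makes a lockfile drift like this one fail CI instead of passing review unnoticed.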
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps diff from 4.0.2 to 4.0.4.

Changelog
Sourced from diff's changelog.

Commits
- f06f3e4 v4.0.4
- 0179a48 v4.0.3
- 4568cae Backport kpdecker/jsdiff#649
- 4de0ffa Backport kpdecker/jsdiff#647

Maintainer changes
This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.