chore: batch dependabot updates 2026-05-15#3483
Closed
svidgen wants to merge 45 commits into
Closed
Conversation
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4. - [Commits](mafintosh/tar-fs@v2.1.3...v2.1.4) --- updated-dependencies: - dependency-name: tar-fs dependency-version: 2.1.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 4.0.4. - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4) --- updated-dependencies: - dependency-name: diff dependency-version: 4.0.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) from 4.1.3 to 4.4.5. - [Release notes](https://github.com/smithy-lang/smithy-typescript/releases) - [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md) - [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.5/packages/config-resolver) --- updated-dependencies: - dependency-name: "@smithy/config-resolver" dependency-version: 4.4.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) from 3.0.13 to 4.4.0. - [Release notes](https://github.com/smithy-lang/smithy-typescript/releases) - [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md) - [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.0/packages/config-resolver) --- updated-dependencies: - dependency-name: "@smithy/config-resolver" dependency-version: 4.4.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 4.0.4. - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4) --- updated-dependencies: - dependency-name: diff dependency-version: 4.0.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.6 to 5.3.8. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.8) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.3.8 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…phql-api-construct/fast-xml-parser-5.3.8
Bumps [axios](https://github.com/axios/axios) from 1.12.0 to 1.13.5. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.12.0...v1.13.5) --- updated-dependencies: - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.12.0 to 8.18.0. - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.12.0...v8.18.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 8.18.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.5. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 9.0.5 to 9.0.9. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v9.0.5...v9.0.9) --- updated-dependencies: - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [yauzl](https://github.com/thejoshwolfe/yauzl) from 3.2.0 to 3.2.1. - [Commits](thejoshwolfe/yauzl@3.2.0...3.2.1) --- updated-dependencies: - dependency-name: yauzl dependency-version: 3.2.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2. - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9. - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9) --- updated-dependencies: - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.8.10 to 0.8.12. - [Release notes](https://github.com/xmldom/xmldom/releases) - [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md) - [Commits](xmldom/xmldom@0.8.10...0.8.12) --- updated-dependencies: - dependency-name: "@xmldom/xmldom" dependency-version: 0.8.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) --- updated-dependencies: - dependency-name: lodash-es dependency-version: 4.18.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.2.0 to 5.2.1. - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.2.1) --- updated-dependencies: - dependency-name: basic-ftp dependency-version: 5.2.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…p-5.2.1' into chore/dependabot-batch-2026-05-15 # Conflicts: # package.json # yarn.lock
…/graphql-transformers-e2e-tests/resources/jsonServer/src-server/lodash-4.18.1' into chore/dependabot-batch-2026-05-15
…s-4.18.1' into chore/dependabot-batch-2026-05-15
…mldom-0.8.12' into chore/dependabot-batch-2026-05-15
…rs-4.7.9' into chore/dependabot-batch-2026-05-15
…3.4.2' into chore/dependabot-batch-2026-05-15
…2.1' into chore/dependabot-batch-2026-05-15
…minimatch-9.0.9' into chore/dependabot-batch-2026-05-15
…/amplify-graphql-api-construct/fast-xml-parser-5.3.8' into chore/dependabot-batch-2026-05-15 # Conflicts: # packages/amplify-graphql-api-construct/package.json
…/graphql-transformers-e2e-tests/resources/jsonServer/minimatch-3.1.5' into chore/dependabot-batch-2026-05-15
…/graphql-transformers-e2e-tests/resources/jsonServer/ajv-8.18.0' into chore/dependabot-batch-2026-05-15 # Conflicts: # packages/graphql-transformers-e2e-tests/resources/jsonServer/yarn.lock
…axios-1.13.5' into chore/dependabot-batch-2026-05-15 # Conflicts: # scripts/yarn.lock
….17.23' into chore/dependabot-batch-2026-05-15 # Conflicts: # yarn.lock
…diff-4.0.4' into chore/dependabot-batch-2026-05-15 # Conflicts: # scripts/yarn.lock
….4' into chore/dependabot-batch-2026-05-15
…smithy/config-resolver-4.4.5' into chore/dependabot-batch-2026-05-15
…onfig-resolver-4.4.0' into chore/dependabot-batch-2026-05-15
….1.4' into chore/dependabot-batch-2026-05-15
Add @nodable/entities, fast-xml-builder, path-expression-matcher, xml-naming, json-schema-to-ts, @babel/runtime, regenerator-runtime, ts-algebra to construct packages and nohoist config. Also fix graphql-transformer-test-utils version mismatch in api-construct.
The dependabot branch for @smithy/config-resolver was created from an older commit where the version was 1.21.0. When merged into the batch branch, it overwrote the correct version (1.21.3), causing lerna publish to calculate a next version (1.21.1) that already has a git tag. This results in the version resolving to 'undefined' during publish_to_local_registry.
The dependabot batch merge regressed the package version from 1.21.3 to 1.21.0 because the dependabot branches were based on an older state of main. This caused lerna publish to resolve the version as 'undefined' since the tag @aws-amplify/graphql-api-construct@1.21.0 already exists. Restore package.json from main and re-apply only the legitimate changes: - @smithy/config-resolver bump to ^4.4.0 - New transitive deps for construct bundling (@nodable/entities, fast-xml-builder, path-expression-matcher, xml-naming)
The dependabot bump from @smithy/config-resolver ^3.0.5 to ^4.4.0 is a breaking major version change incompatible with the other @smithy/* packages at 3.x. This causes deserialization errors in RDS-backed GraphQL operations (rds_pg_field_auth, rds_mysql_multi_auth tests).
Member
Author
|
Closing stale PR - e2e failed and superseded by new batch update PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Batch Dependabot Updates (2026-05-15)
This PR consolidates the following dependabot dependency updates into a single PR:
Included updates (18/18):
basic-ftp→ 5.2.1lodash(jsonServer/src-server) → 4.18.1lodash-es→ 4.18.1@xmldom/xmldom→ 0.8.12handlebars→ 4.7.9flatted→ 3.4.2yauzl→ 3.2.1minimatch(scripts) → 9.0.9fast-xml-parser(amplify-graphql-api-construct) → 5.3.8minimatch(jsonServer) → 3.1.5ajv(jsonServer) → 8.18.0axios(scripts) → 1.13.5lodash→ 4.17.23diff(scripts) → 4.0.4diff→ 4.0.4@smithy/config-resolver(scripts) → 4.4.5@smithy/config-resolver→ 4.4.0tar-fs→ 2.1.4Skipped (conflicts):
None — all branches merged successfully.
Notes