Skip to content

chore: batch dependabot updates 2026-05-15#3483

Closed
svidgen wants to merge 45 commits into
mainfrom
chore/dependabot-batch-2026-05-15
Closed

chore: batch dependabot updates 2026-05-15#3483
svidgen wants to merge 45 commits into
mainfrom
chore/dependabot-batch-2026-05-15

Conversation

@svidgen

@svidgen svidgen commented May 16, 2026

Copy link
Copy Markdown
Member

Batch Dependabot Updates (2026-05-15)

This PR consolidates the following dependabot dependency updates into a single PR:

Included updates (18/18):

  • basic-ftp → 5.2.1
  • lodash (jsonServer/src-server) → 4.18.1
  • lodash-es → 4.18.1
  • @xmldom/xmldom → 0.8.12
  • handlebars → 4.7.9
  • flatted → 3.4.2
  • yauzl → 3.2.1
  • minimatch (scripts) → 9.0.9
  • fast-xml-parser (amplify-graphql-api-construct) → 5.3.8
  • minimatch (jsonServer) → 3.1.5
  • ajv (jsonServer) → 8.18.0
  • axios (scripts) → 1.13.5
  • lodash → 4.17.23
  • diff (scripts) → 4.0.4
  • diff → 4.0.4
  • @smithy/config-resolver (scripts) → 4.4.5
  • @smithy/config-resolver → 4.4.0
  • tar-fs → 2.1.4

Skipped (conflicts):

None — all branches merged successfully.

Notes

  • Lock file conflicts were resolved by accepting the incoming (dependabot) version.
  • Package.json conflicts were resolved by accepting the incoming version bump.

dependabot Bot and others added 30 commits September 26, 2025 19:50
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
- [Commits](mafintosh/tar-fs@v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: tar-fs
  dependency-version: 2.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 4.0.4.
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

---
updated-dependencies:
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) from 4.1.3 to 4.4.5.
- [Release notes](https://github.com/smithy-lang/smithy-typescript/releases)
- [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md)
- [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.5/packages/config-resolver)

---
updated-dependencies:
- dependency-name: "@smithy/config-resolver"
  dependency-version: 4.4.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) from 3.0.13 to 4.4.0.
- [Release notes](https://github.com/smithy-lang/smithy-typescript/releases)
- [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md)
- [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.0/packages/config-resolver)

---
updated-dependencies:
- dependency-name: "@smithy/config-resolver"
  dependency-version: 4.4.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 4.0.4.
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

---
updated-dependencies:
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.6 to 5.3.8.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.8)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.3.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [axios](https://github.com/axios/axios) from 1.12.0 to 1.13.5.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.12.0...v1.13.5)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.12.0 to 8.18.0.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v8.12.0...v8.18.0)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 8.18.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.5.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 9.0.5 to 9.0.9.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [yauzl](https://github.com/thejoshwolfe/yauzl) from 3.2.0 to 3.2.1.
- [Commits](thejoshwolfe/yauzl@3.2.0...3.2.1)

---
updated-dependencies:
- dependency-name: yauzl
  dependency-version: 3.2.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2.
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9.
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

---
updated-dependencies:
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.8.10 to 0.8.12.
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.8.10...0.8.12)

---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.2.0 to 5.2.1.
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.2.1)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.2.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…p-5.2.1' into chore/dependabot-batch-2026-05-15

# Conflicts:
#	package.json
#	yarn.lock
…/graphql-transformers-e2e-tests/resources/jsonServer/src-server/lodash-4.18.1' into chore/dependabot-batch-2026-05-15
…s-4.18.1' into chore/dependabot-batch-2026-05-15
…mldom-0.8.12' into chore/dependabot-batch-2026-05-15
…rs-4.7.9' into chore/dependabot-batch-2026-05-15
…3.4.2' into chore/dependabot-batch-2026-05-15
…minimatch-9.0.9' into chore/dependabot-batch-2026-05-15
svidgen added 10 commits May 15, 2026 19:53
…/amplify-graphql-api-construct/fast-xml-parser-5.3.8' into chore/dependabot-batch-2026-05-15

# Conflicts:
#	packages/amplify-graphql-api-construct/package.json
…/graphql-transformers-e2e-tests/resources/jsonServer/minimatch-3.1.5' into chore/dependabot-batch-2026-05-15
…/graphql-transformers-e2e-tests/resources/jsonServer/ajv-8.18.0' into chore/dependabot-batch-2026-05-15

# Conflicts:
#	packages/graphql-transformers-e2e-tests/resources/jsonServer/yarn.lock
…axios-1.13.5' into chore/dependabot-batch-2026-05-15

# Conflicts:
#	scripts/yarn.lock
….17.23' into chore/dependabot-batch-2026-05-15

# Conflicts:
#	yarn.lock
…diff-4.0.4' into chore/dependabot-batch-2026-05-15

# Conflicts:
#	scripts/yarn.lock
…smithy/config-resolver-4.4.5' into chore/dependabot-batch-2026-05-15
…onfig-resolver-4.4.0' into chore/dependabot-batch-2026-05-15
….1.4' into chore/dependabot-batch-2026-05-15
@svidgen svidgen requested review from a team as code owners May 16, 2026 00:53
svidgen added 5 commits May 15, 2026 20:20
Add @nodable/entities, fast-xml-builder, path-expression-matcher, xml-naming,
json-schema-to-ts, @babel/runtime, regenerator-runtime, ts-algebra to construct
packages and nohoist config. Also fix graphql-transformer-test-utils version
mismatch in api-construct.
The dependabot branch for @smithy/config-resolver was created from an
older commit where the version was 1.21.0. When merged into the batch
branch, it overwrote the correct version (1.21.3), causing lerna publish
to calculate a next version (1.21.1) that already has a git tag. This
results in the version resolving to 'undefined' during publish_to_local_registry.
The dependabot batch merge regressed the package version from 1.21.3 to
1.21.0 because the dependabot branches were based on an older state of
main. This caused lerna publish to resolve the version as 'undefined'
since the tag @aws-amplify/graphql-api-construct@1.21.0 already exists.

Restore package.json from main and re-apply only the legitimate changes:
- @smithy/config-resolver bump to ^4.4.0
- New transitive deps for construct bundling (@nodable/entities,
  fast-xml-builder, path-expression-matcher, xml-naming)
The dependabot bump from @smithy/config-resolver ^3.0.5 to ^4.4.0 is a
breaking major version change incompatible with the other @smithy/*
packages at 3.x. This causes deserialization errors in RDS-backed
GraphQL operations (rds_pg_field_auth, rds_mysql_multi_auth tests).
@svidgen

svidgen commented Jun 8, 2026

Copy link
Copy Markdown
Member Author

Closing stale PR - e2e failed and superseded by new batch update PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants