Skip to content

chore: batch dependabot updates 2026-06-08#3488

Open
svidgen wants to merge 42 commits into
mainfrom
chore/dependabot-batch-2026-06-08
Open

chore: batch dependabot updates 2026-06-08#3488
svidgen wants to merge 42 commits into
mainfrom
chore/dependabot-batch-2026-06-08

Conversation

@svidgen

@svidgen svidgen commented Jun 8, 2026

Copy link
Copy Markdown
Member

Batch Dependabot Dependency Updates (2026-06-08)

This PR consolidates the following dependabot dependency updates into a single PR:

Included Updates (18/18)

  • ✅ basic-ftp → 5.2.1
  • ✅ diff → 4.0.4
  • ✅ flatted → 3.4.2
  • ✅ handlebars → 4.7.9
  • ✅ lodash → 4.17.23
  • ✅ lodash-es → 4.18.1
  • ✅ fast-xml-parser → 5.3.8 (packages/amplify-graphql-api-construct)
  • ✅ ajv → 8.18.0 (packages/graphql-transformers-e2e-tests/resources/jsonServer)
  • ✅ minimatch → 3.1.5 (packages/graphql-transformers-e2e-tests/resources/jsonServer)
  • ✅ lodash → 4.18.1 (packages/graphql-transformers-e2e-tests/resources/jsonServer/src-server)
  • ✅ axios → 1.13.5 (scripts)
  • ✅ diff → 4.0.4 (scripts)
  • ✅ minimatch → 9.0.9 (scripts)
  • ✅ @smithy/config-resolver → 4.4.5 (scripts)
  • ✅ @smithy/config-resolver → 4.4.0
  • ✅ tar-fs → 2.1.4
  • ✅ @xmldom/xmldom → 0.8.12
  • ✅ yauzl → 3.2.1

Skipped (conflicts)

None — all branches merged successfully.

Notes

dependabot Bot and others added 30 commits September 26, 2025 19:50
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
- [Commits](mafintosh/tar-fs@v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: tar-fs
  dependency-version: 2.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 4.0.4.
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

---
updated-dependencies:
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) from 4.1.3 to 4.4.5.
- [Release notes](https://github.com/smithy-lang/smithy-typescript/releases)
- [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md)
- [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.5/packages/config-resolver)

---
updated-dependencies:
- dependency-name: "@smithy/config-resolver"
  dependency-version: 4.4.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) from 3.0.13 to 4.4.0.
- [Release notes](https://github.com/smithy-lang/smithy-typescript/releases)
- [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md)
- [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.0/packages/config-resolver)

---
updated-dependencies:
- dependency-name: "@smithy/config-resolver"
  dependency-version: 4.4.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 4.0.4.
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

---
updated-dependencies:
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.3.6 to 5.3.8.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.8)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.3.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [axios](https://github.com/axios/axios) from 1.12.0 to 1.13.5.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.12.0...v1.13.5)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.12.0 to 8.18.0.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v8.12.0...v8.18.0)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 8.18.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.5.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 9.0.5 to 9.0.9.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [yauzl](https://github.com/thejoshwolfe/yauzl) from 3.2.0 to 3.2.1.
- [Commits](thejoshwolfe/yauzl@3.2.0...3.2.1)

---
updated-dependencies:
- dependency-name: yauzl
  dependency-version: 3.2.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2.
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9.
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

---
updated-dependencies:
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.8.10 to 0.8.12.
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.8.10...0.8.12)

---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.2.0 to 5.2.1.
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.2.1)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.2.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…p-5.2.1' into chore/dependabot-batch-2026-06-08

# Conflicts:
#	package.json
#	yarn.lock
….4' into chore/dependabot-batch-2026-06-08

# Conflicts:
#	yarn.lock
…3.4.2' into chore/dependabot-batch-2026-06-08
…rs-4.7.9' into chore/dependabot-batch-2026-06-08
….17.23' into chore/dependabot-batch-2026-06-08
…s-4.18.1' into chore/dependabot-batch-2026-06-08
…/amplify-graphql-api-construct/fast-xml-parser-5.3.8' into chore/dependabot-batch-2026-06-08

# Conflicts:
#	packages/amplify-graphql-api-construct/package.json
…/graphql-transformers-e2e-tests/resources/jsonServer/ajv-8.18.0' into chore/dependabot-batch-2026-06-08
svidgen added 10 commits June 8, 2026 14:49
…/graphql-transformers-e2e-tests/resources/jsonServer/minimatch-3.1.5' into chore/dependabot-batch-2026-06-08

# Conflicts:
#	packages/graphql-transformers-e2e-tests/resources/jsonServer/yarn.lock
…/graphql-transformers-e2e-tests/resources/jsonServer/src-server/lodash-4.18.1' into chore/dependabot-batch-2026-06-08
…axios-1.13.5' into chore/dependabot-batch-2026-06-08
…diff-4.0.4' into chore/dependabot-batch-2026-06-08

# Conflicts:
#	scripts/yarn.lock
…minimatch-9.0.9' into chore/dependabot-batch-2026-06-08

# Conflicts:
#	scripts/yarn.lock
…smithy/config-resolver-4.4.5' into chore/dependabot-batch-2026-06-08

# Conflicts:
#	scripts/yarn.lock
…onfig-resolver-4.4.0' into chore/dependabot-batch-2026-06-08
….1.4' into chore/dependabot-batch-2026-06-08
…mldom-0.8.12' into chore/dependabot-batch-2026-06-08
@svidgen svidgen requested review from a team as code owners June 8, 2026 19:50
svidgen added 2 commits June 8, 2026 15:45
… deps

The dependabot fast-xml-parser branch was based on an older version of main,
causing version downgrades and broken internal workspace references. This commit:
- Restores api-construct package.json to main's versions
- Preserves the legitimate @smithy/config-resolver ^4.4.0 upgrade
- Adds newly required transitive deps: @nodable/entities, xml-naming,
  @aws-sdk/signature-v4-multi-region, @aws-sdk/middleware-websocket
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants