Skip to content

chore(deps): minor and patch dependency updates#3509

Closed
svidgen wants to merge 1 commit into
mainfrom
chore/dep-update-2026-07-06
Closed

chore(deps): minor and patch dependency updates#3509
svidgen wants to merge 1 commit into
mainfrom
chore/dep-update-2026-07-06

Conversation

@svidgen

@svidgen svidgen commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

Minor and patch dependency updates for non-AWS-SDK packages across the monorepo.

Changes

Root package.json

  • Build tooling: @babel/* (7.10->7.29), typescript (4.5->4.9)
  • Testing: jest/jest-circus (29.0->29.7), ts-jest (29.0->29.4)
  • Linting: eslint (8.40->8.57), eslint-plugin-* packages
  • Other: lerna (5.1->5.6), lint-staged (15.2->15.5), js-yaml (4.1->4.3)

Workspace packages

  • graphql (15.5->15.10)
  • @types/node (24.0->24.13)
  • immer (9.0.12->9.0.21)
  • lodash (4.17->4.18)
  • libphonenumber-js (1.9->1.13)
  • Database drivers: mysql2 (3.9->3.22), pg (8.11->8.22), knex (2.4->2.5)
  • mock-fs (5.2->5.5), md5 (2.2->2.3)

Intentionally excluded

Testing

  • yarn build -- all 27 packages built successfully
  • yarn test -- all 25 packages' unit tests pass
  • E2E tests (CodeBuild) -- pending (need manual trigger or CI re-run)

Coordination

This PR is designed to not conflict with:

Dependabot PRs superseded by this PR

The following PRs can be closed once this merges (updates are equal or higher):

PR Package Dependabot target Our version Status
#3465 basic-ftp 5.2.0->5.2.1 6.0.1 (resolved) Superseded
#3457 lodash-es 4.17.21->4.18.1 4.18.1 (resolved) Superseded
#3455 @xmldom/xmldom 0.8.10->0.8.12 0.9.10 (resolved) Superseded
#3450 handlebars 4.7.8->4.7.9 4.7.9 (resolved) Superseded
#3442 flatted 3.3.3->3.4.2 3.4.2 (resolved) Superseded
#3402 lodash 4.17.21->4.17.23 ^4.18.1 = 4.18.1 Superseded
#3398 diff (root) 4.0.2->4.0.4 ^8.0.3 = 8.0.3 (resolution) Superseded
#3348 tar-fs 2.1.3->2.1.4 3.1.1 (resolved) Superseded
#3488 (batch Jun 8) multiple older subset of this PR Superseded (stale)

NOT superseded (target sub-directories with separate lock files, or unrelated):

Updated non-AWS-SDK dependencies to latest minor/patch versions:

Root package.json:
- @babel/* packages (7.10.x → 7.29.x)
- @commitlint/* packages (16.2.x → 16.3.x)
- @types/jest (29.0.0 → 29.5.14)
- eslint and eslint-plugin-* packages
- jest, jest-circus (29.0.0 → 29.7.0)
- ts-jest (29.0.0 → 29.4.11)
- typescript (4.5.5 → 4.9.5)
- lint-staged (15.2.0 → 15.5.2)
- js-yaml (4.1.1 → 4.3.0)
- lerna (5.1.6 → 5.6.2)

Workspace packages:
- graphql (15.5.0 → 15.10.2)
- @types/node (24.0.0 → 24.13.2)
- immer (9.0.12 → 9.0.21)
- lodash (4.17.23 → 4.18.1)
- libphonenumber-js (1.9.47 → 1.13.8)
- glob (10.3.0 → 10.5.0)
- mysql2 (3.9.7 → 3.22.5)
- pg (8.11.3 → 8.22.0)
- knex (2.4.0 → 2.5.1)
- mock-fs (5.2.0 → 5.5.0)
- md5 (2.2.1 → 2.3.0)

Excluded from this update:
- @aws-sdk/* and @smithy/* (handled by PR #3508)
- fast-xml-parser (pinned intentionally)
- aws-cdk-lib, constructs (handled by PR #3505)
- axios, uuid, tmp, cookie, etc. (handled by PRs #3492/#3505)
- @microsoft/api-extractor (kept at 7.43.8 for stability)
@svidgen svidgen requested a review from a team as a code owner July 7, 2026 02:47
@svidgen

svidgen commented Jul 7, 2026

Copy link
Copy Markdown
Member Author

Dependency overlap analysis

Build/test status on chore/dep-update-2026-07-06:

  • yarn install --frozen-lockfile -- OK
  • yarn build -- 27/27 packages pass
  • yarn test -- 25/25 packages pass
  • No merge conflicts with main

PRs that can be closed once this PR merges:

These dependabot PRs are fully superseded by #3509 (we update to equal or higher versions):

PRs NOT superseded (keep open):

Conflict with #3508:

Both PRs touch package.json (but in different sections) and yarn.lock. The @aws-sdk/core resolution line in package.json may conflict textually. Recommend merging #3508 first, then rebasing this PR.

@svidgen

svidgen commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

Closing — Simone has #3505 covering dependabot vulns on this repo. Will coordinate rather than conflict.

@svidgen svidgen closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant