chore(deps): bump lodash and @microsoft/api-extractor#3243
chore(deps): bump lodash and @microsoft/api-extractor#3243dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [lodash](https://github.com/lodash/lodash) to 4.18.1 and updates ancestor dependency [@microsoft/api-extractor](https://github.com/microsoft/rushstack/tree/HEAD/apps/api-extractor). These dependencies need to be updated together. Updates `lodash` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) Updates `@microsoft/api-extractor` from 6.3.0 to 7.58.7 - [Changelog](https://github.com/microsoft/rushstack/blob/main/apps/api-extractor/CHANGELOG.md) - [Commits](https://github.com/microsoft/rushstack/commits/@microsoft/api-extractor_v7.58.7/apps/api-extractor) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect - dependency-name: "@microsoft/api-extractor" dependency-version: 7.58.7 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit c80b8c8. Configure here.
| "@babel/preset-env": "^7.6.2", | ||
| "@bigcommerce/eslint-config": "^2.13.1", | ||
| "@microsoft/api-extractor": "^6.3.0", | ||
| "@microsoft/api-extractor": "^7.58.7", |
There was a problem hiding this comment.
api-extractor v6 config incompatible with v7 upgrade
High Severity
Bumping @microsoft/api-extractor from v6 to v7 is a major version change, but all existing config files (e.g. checkout-sdk.json, hosted-form-v2-iframe-content.json) and the dynamic config generator in auto-export.ts still use the v6 schema — with properties like compiler.configType, compiler.rootFolder, project.entryPointSourceFile, apiReviewFile, apiJsonFile, and validationRules. API Extractor v7 requires mainEntryPointFilePath and uses different property names (apiReport, docModel, compiler.tsconfigFilePath). The build-dts target will fail at runtime.
Reviewed by Cursor Bugbot for commit c80b8c8. Configure here.
|
Looks like these dependencies are no longer updatable, so this is no longer needed. |


Bumps lodash to 4.18.1 and updates ancestor dependency @microsoft/api-extractor. These dependencies need to be updated together.
Updates
lodashfrom 4.17.23 to 4.18.1Release notes
Sourced from lodash's releases.
Commits
cb0b9b9release(patch): bump main to 4.18.1 (#6177)75535f5chore: prune stale advisory refs (#6170)62e91bcdocs: remove n_ Node.js < 6 REPL note from README (#6165)59be2derelease(minor): bump to 4.18.0 (#6161)af63457fix: broken tests for _.template 879aaa91073a76fix: linting issues879aaa9fix: validate imports keys in _.templatefe8d32efix: block prototype pollution in baseUnset via constructor/prototype traversal18ba0a3refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)b819080ci: add dist sync validation workflow (#6137)Updates
@microsoft/api-extractorfrom 6.3.0 to 7.58.7Changelog
Sourced from @microsoft/api-extractor's changelog.
... (truncated)
Commits
7a6a5f3Bump versions [skip ci]d0c8fd6Update changelogs [skip ci]488875fBump versions [skip ci]9289357Update changelogs [skip ci]3793e2c[api-extractor] Fixed empty lines for removed lines (#5736)958d907chore: bump decoupled local dependencies (#5779)847353eBump versions [skip ci]2423419Update changelogs [skip ci]81eb9d9Bump versions [skip ci]aa253e3Update changelogs [skip ci]Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Low code risk but build/tooling risk:
@microsoft/api-extractoris upgraded across major versions, pulling in a new dependency tree (including a bundledtypescript5.9) and changing Node engine expectations in the lockfile, which can affect DTS bundling in CI.Overview
Upgrades dev tooling by bumping
@microsoft/api-extractorfrom^6.3.0to^7.58.7inpackage.jsonand regeneratingpackage-lock.jsonaccordingly.The lockfile update swaps out the older Rushstack/Microsoft dependency set for the v7 stack (new
@rushstack/*and@microsoft/*packages, updatedresolve/fs-extra/universalify, and removal of some previously nested/transitive packages), which may change how type rollups are produced duringbundle-dts.Reviewed by Cursor Bugbot for commit c80b8c8. Bugbot is set up for automated code reviews on this repo. Configure here.