Skip to content

chore(deps): batch update dependencies to latest#1338

Merged
yahyafakhroji merged 2 commits into
mainfrom
chore/renovate-batch-updates
Jul 10, 2026
Merged

chore(deps): batch update dependencies to latest#1338
yahyafakhroji merged 2 commits into
mainfrom
chore/renovate-batch-updates

Conversation

@yahyafakhroji

@yahyafakhroji yahyafakhroji commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Consolidates the open Renovate dependency PRs into a single branch, each verified against the actual latest version and checked for compatibility, plus a Snyk-flagged security fix. Also includes the E2E selector fix merged via #1339 (required for the suite to pass against the unified-org model).

Included updates

Update Change Renovate PR
node.js 24.16.0 → 24.18.0 #1325
cypress-vite (dev) 1.10.0 → 1.10.2 #1323
actions/checkout v6 → v7.0.0 #1326 (supersedes #1295)
actions/setup-node v4 → v6.4.0 #1327
actions/download-artifact v4 → v8.0.1 #1328
datum-cloud/actions v1.14.0 → v1.20.0 #1324
prom/prometheus (docker-compose) v3.11.3 → v3.13.0 #1277
grafana/grafana (docker-compose) 13.0.1 → 13.1.0 #1285

All GitHub Action bumps remain SHA-pinned with a # vX comment.

Security fix (Snyk)

Resolves the High-severity "Uncaught Exception" advisory in the transitive @opentelemetry/propagator-jaeger@2.8.0. It's pulled in by @opentelemetry/sdk-node (pinned to 2.8.0), so the fix is a lockstep OpenTelemetry SDK bump rather than a lone override (which would split @opentelemetry/core across 2.8/2.9):

Package Change
@opentelemetry/auto-instrumentations-node ^0.77.0 → ^0.78.0
@opentelemetry/exporter-metrics-otlp-http ^0.219.0 → ^0.220.0
@opentelemetry/exporter-trace-otlp-http ^0.219.0 → ^0.220.0
@opentelemetry/sdk-node ^0.219.0 → ^0.220.0
@opentelemetry/sdk-trace-base ^2.8.0 → ^2.9.0

propagator-jaeger now resolves to 2.9.0 (0 instances of 2.8.0 remain). The residual @opentelemetry/core@2.8.0 in the lockfile belongs to @sentry/node's own nested OTel copy (sdk-trace-base only, no propagator-jaeger) — a separate isolated tree Sentry pins internally, unrelated to this advisory.

Intentionally held back

Verification

  • bun install → lockfile updated (cypress-vite + the OpenTelemetry subtree; graphql untouched at 16.14.1)
  • bun run typecheck → PASS
  • bun run build → PASS
  • prettier --check on changed files → clean

Once merged

These Renovate PRs can be closed: #1277, #1285, #1295, #1323, #1324, #1325, #1326, #1327, #1328.

@yahyafakhroji yahyafakhroji requested a review from a team July 10, 2026 01:27
@yahyafakhroji yahyafakhroji self-assigned this Jul 10, 2026
@yahyafakhroji yahyafakhroji added the dependencies Pull requests that update a dependency file label Jul 10, 2026
yahyafakhroji added a commit that referenced this pull request Jul 10, 2026
## Problem

**E2E Smoke** has been failing intermittently across PRs (e.g. [run on
#1338](https://github.com/datum-cloud/cloud-portal/actions/runs/29062376687/job/86269152684)):

```
Service Account new page › renders the create UI (not RestrictedState) for a permitted user
  AssertionError: Timed out retrying after 10000ms:
  Expected to find element: `[data-e2e="organization-card-personal"]`, but never found it.
  at cypress/support/e2e.ts   ← the shared getPersonalOrgId command
```

The failing assertion is in the shared `getPersonalOrgId` command — the
**cascade root** that nearly every smoke/regression spec depends on — so
a single missing hook fails the whole suite.

## Root cause

The onboarding **"unified org"** work made organizations typeless.
`organization.adapter.ts` now returns an `undefined` `type` for them:

```ts
/** Legacy org types only — unified orgs omit type or send empty values. */
function normalizeOrganizationType(type: unknown): Organization['type'] | undefined {
  return type === 'Personal' || type === 'Standard' ? type : undefined;
}
```

…and the org card derives its hook from that type:

```tsx
data-e2e={ org.type ? `organization-card-${org.type.toLowerCase()}` : 'organization-card' }
```

So a typeless org renders `data-e2e="organization-card"`, never
`-personal`. The tests still waited on `organization-card-personal` and
timed out.

## Fix

This **completes a migration the team already started** —
`cypress/e2e/regression/organisations.cy.ts` and
`cypress/support/e2e.ts:737` already use the
`[data-e2e^="organization-card"]` prefix selector (as documented in the
regression spec's selector reference). It was just missed in these
spots:

- **`getPersonalOrgId`** + smoke render test → identify the personal org
by its stable `personal-org-…` **resource name** (`cy.contains` on the
id badge), independent of the removed type. This is the suite's own
invariant (`/^personal-org-[a-z0-9]+$/`).
- **`createStandardOrg`** + auth regression → wait for any card variant
via `[data-e2e^="organization-card"]`.

No app code or dependency changes — test-only.

## Scope & validation

- Local: `prettier` ✓, `eslint` ✓, `typecheck` ✓ (pre-commit gate
green).
- These specs run against the live **staging** backend with CI secrets,
so they can't be executed locally — **CI on this PR is the real
validation**. Since the failure was intermittent (the type appears to
populate asynchronously in staging), keying off the resource name rather
than the type also removes that flake source.
- Unrelated to the Renovate batch in #1338 — this pre-existing E2E drift
affects `main` and all open PRs.
Consolidates the open Renovate PRs into a single branch. graphql v17
(#1316) is intentionally excluded — @0no-co/graphql.web (urql) and
graphql-ws only peer-support graphql ^16, so v17 is held until they
add ^17.

Runtime / tooling:
- node.js 24.16.0 -> 24.18.0 (.nvmrc, .tool-versions) (#1325)
- cypress-vite 1.10.0 -> 1.10.2 (dev) (#1323)

CI actions (SHA-pinned):
- actions/checkout v6 -> v7.0.0 (#1326, supersedes digest PR #1295)
- actions/setup-node v4 -> v6.4.0 (#1327)
- actions/download-artifact v4 -> v8.0.1 (#1328)
- datum-cloud/actions v1.14.0 -> v1.20.0 (#1324)

Local observability (docker-compose):
- prom/prometheus v3.11.3 -> v3.13.0 (#1277)
- grafana/grafana 13.0.1 -> 13.1.0 (#1285)
@yahyafakhroji yahyafakhroji force-pushed the chore/renovate-batch-updates branch from a7da5c5 to 6c21dba Compare July 10, 2026 02:50
@github-actions

Copy link
Copy Markdown

🧪 Test Summary

Job Status
Bun Unit Tests ✅ success
E2E Regression (0) ⏭️ pending
E2E Regression (1) ⏭️ pending
E2E Regression (2) ⏭️ pending
E2E Regression (3) ⏭️ pending
E2E Smoke ✅ success
Unit Tests ✅ success

View workflow run

📎 Artifacts

Videos and screenshots from failed E2E tests:

  • build-ad2ec37db66382b02d778649d2cb1ef1343d92faDownload
  • bun-coverage-29065531012Download

gaghan430
gaghan430 previously approved these changes Jul 10, 2026
Fixes the Snyk High-severity "Uncaught Exception" advisory in the
transitive @opentelemetry/propagator-jaeger@2.8.0, pulled in by
@opentelemetry/sdk-node (pinned to 2.8.0). Lockstep SDK bump rather than
a lone override (which would split core across 2.8/2.9):

- @opentelemetry/auto-instrumentations-node ^0.77.0 -> ^0.78.0
- @opentelemetry/exporter-metrics-otlp-http  ^0.219.0 -> ^0.220.0
- @opentelemetry/exporter-trace-otlp-http    ^0.219.0 -> ^0.220.0
- @opentelemetry/sdk-node                     ^0.219.0 -> ^0.220.0
- @opentelemetry/sdk-trace-base               ^2.8.0   -> ^2.9.0

propagator-jaeger now resolves to 2.9.0 (0 instances of 2.8.0 remain).
The residual core@2.8.0 is @sentry/node's own nested OTel copy (no
propagator-jaeger, unrelated to this advisory). typecheck + build pass.
@github-actions

Copy link
Copy Markdown

🧪 Test Summary

Job Status
Bun Unit Tests ✅ success
E2E Regression (0) ⏭️ pending
E2E Regression (1) ⏭️ pending
E2E Regression (2) ⏭️ pending
E2E Regression (3) ⏭️ pending
E2E Smoke ✅ success
Unit Tests ✅ success

View workflow run

📎 Artifacts

Videos and screenshots from failed E2E tests:

  • build-f1d108cb3b0219dd1f6199ad511cf819bde21eabDownload
  • bun-coverage-29067888597Download

@yahyafakhroji yahyafakhroji enabled auto-merge July 10, 2026 04:29
@yahyafakhroji yahyafakhroji requested a review from a team July 10, 2026 05:20
@yahyafakhroji yahyafakhroji merged commit b54b97a into main Jul 10, 2026
20 checks passed
@yahyafakhroji yahyafakhroji deleted the chore/renovate-batch-updates branch July 10, 2026 05:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants