Update npm_and_yarn dependencies and add CodeQL analysis workflow#14897

Closed
JaclynCodes wants to merge 9 commits into
dependabot:mainfrom
JaclynCodes:main
Conversation

@JaclynCodes
@JaclynCodes JaclynCodes commented May 3, 2026

What are you trying to accomplish?

Anything you want to highlight for special attention from reviewers?

How will you know you've accomplished your goal?

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

dependabot Bot and others added 2 commits May 2, 2026 21:46
Bumps the npm_and_yarn group with 4 updates in the /bun/helpers directory: [@tootallnate/once](https://github.com/TooTallNate/once), [lodash](https://github.com/lodash/lodash), [picomatch](https://github.com/micromatch/picomatch) and [yaml](https://github.com/eemeli/yaml).
Bumps the npm_and_yarn group with 2 updates in the /npm_and_yarn/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested directory: [lodash](https://github.com/lodash/lodash) and [async](https://github.com/caolan/async).
Bumps the npm_and_yarn group with 2 updates in the /npm_and_yarn/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested directory: [lodash](https://github.com/lodash/lodash) and [es5-ext](https://github.com/medikoo/es5-ext).
Bumps the npm_and_yarn group with 2 updates in the /bun/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested directory: [lodash](https://github.com/lodash/lodash) and [es5-ext](https://github.com/medikoo/es5-ext).
Bumps the npm_and_yarn group with 3 updates in the /bun/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested directory: [brace-expansion](https://github.com/juliangruber/brace-expansion), [lodash](https://github.com/lodash/lodash) and [async](https://github.com/caolan/async).


Removes `@tootallnate/once`

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `yaml` from 2.3.1 to 2.8.4
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.3.1...v2.8.4)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `async` from 2.6.3 to 2.6.4
- [Release notes](https://github.com/caolan/async/releases)
- [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md)
- [Commits](caolan/async@v2.6.3...v2.6.4)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `es5-ext` from 0.10.53 to 0.10.64
- [Release notes](https://github.com/medikoo/es5-ext/releases)
- [Changelog](https://github.com/medikoo/es5-ext/blob/main/CHANGELOG.md)
- [Commits](medikoo/es5-ext@v0.10.53...v0.10.64)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `es5-ext` from 0.10.53 to 0.10.64
- [Release notes](https://github.com/medikoo/es5-ext/releases)
- [Changelog](https://github.com/medikoo/es5-ext/blob/main/CHANGELOG.md)
- [Commits](medikoo/es5-ext@v0.10.53...v0.10.64)

Updates `brace-expansion` from 1.1.11 to 1.1.14
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.14)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `async` from 2.6.3 to 2.6.4
- [Release notes](https://github.com/caolan/async/releases)
- [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md)
- [Commits](caolan/async@v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: "@tootallnate/once"
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 2.8.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: async
  dependency-version: 2.6.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: es5-ext
  dependency-version: 0.10.64
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: es5-ext
  dependency-version: 0.10.64
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: async
  dependency-version: 2.6.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
This workflow file sets up CodeQL analysis for multiple programming languages, defining triggers for pushes and pull requests to the main branch, as well as a scheduled analysis.
@JaclynCodes JaclynCodes requested a review from a team as a code owner May 3, 2026 01:55
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
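Review bot: the bare `exit 1` sitting between the `Initialize CodeQL` step and `Perform CodeQL Analysis` will fail the job whenever the step it belongs to runs. In the stock CodeQL starter workflow that line is the tail of the placeholder manual-build step (`if: matrix.build-mode == 'manual'`), which is meant to be replaced with the project's real build commands; either put the actual build commands there or remove the step entirely if every language in the matrix uses automatic build mode. The `# your codebase is analyzed, see https://docs.github.com/...compiled-languages` comment above confirms this is the compiled-language template, so please also state in the PR description which languages and build modes the matrix declares, since that part of the file is not shown here.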
Comment on lines +67 to +76
- name: Checkout repository
uses: actions/checkout@v4

# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1

# Initializes the CodeQL tools for scanning.
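Review bot: `uses: actions/checkout@v4` (and the `github/codeql-action/init@v4` / `analyze@v4` references in the same file) pin third-party actions by a mutable major-version tag. For a workflow that runs with the repository's token on every push and pull request, pin each action to a full commit SHA with the tag in a trailing comment (for example `uses: actions/checkout@<full-sha> # v4`) so that a moved tag cannot silently change what executes; Dependabot's `github-actions` ecosystem will keep SHA pins updated. The commented-out `# - name: Setup runtime (example)` / `# uses: actions/setup-example@v1` block is template scaffolding and can be deleted rather than left in the committed file.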
@github-advanced-security
Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@JaclynCodes JaclynCodes requested a review from a team as a code owner May 4, 2026 00:11
Bumps the uv-ecosystem group in /uv/helpers with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [pip](https://github.com/pypa/pip) | `24.0` | `24.3.1` |
| [pip-tools](https://github.com/jazzband/pip-tools) | `7.4.1` | `7.5.3` |
| [flake8](https://github.com/pycqa/flake8) | `7.1.0` | `7.3.0` |
| [hashin](https://github.com/peterbe/hashin) | `1.0.3` | `1.0.5` |
| [pipenv](https://github.com/pypa/pipenv) | `2024.0.2` | `2024.4.1` |
| [plette](https://github.com/sarugaku/plette) | `2.1.0` | `2.2.1` |
| [tomli](https://github.com/hukkin/tomli) | `2.0.1` | `2.4.1` |
| [cython](https://github.com/cython/cython) | `3.0.10` | `3.2.4` |


Updates `pip` from 24.0 to 24.3.1
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@24.0...24.3.1)

Updates `pip-tools` from 7.4.1 to 7.5.3
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/main/CHANGELOG.md)
- [Commits](jazzband/pip-tools@7.4.1...v7.5.3)

Updates `flake8` from 7.1.0 to 7.3.0
- [Commits](PyCQA/flake8@7.1.0...7.3.0)

Updates `hashin` from 1.0.3 to 1.0.5
- [Release notes](https://github.com/peterbe/hashin/releases)
- [Commits](peterbe/hashin@1.0.3...1.0.5)

Updates `pipenv` from 2024.0.2 to 2024.4.1
- [Release notes](https://github.com/pypa/pipenv/releases)
- [Changelog](https://github.com/pypa/pipenv/blob/main/CHANGELOG.md)
- [Commits](pypa/pipenv@v2024.0.2...v2024.4.1)

Updates `plette` from 2.1.0 to 2.2.1
- [Release notes](https://github.com/sarugaku/plette/releases)
- [Changelog](https://github.com/sarugaku/plette/blob/master/CHANGELOG.rst)
- [Commits](sarugaku/plette@v2.1.0...v2.2.1)

Updates `tomli` from 2.0.1 to 2.4.1
- [Changelog](https://github.com/hukkin/tomli/blob/master/CHANGELOG.md)
- [Commits](hukkin/tomli@2.0.1...2.4.1)

Updates `cython` from 3.0.10 to 3.2.4
- [Release notes](https://github.com/cython/cython/releases)
- [Changelog](https://github.com/cython/cython/blob/master/CHANGES.rst)
- [Commits](cython/cython@3.0.10...3.2.4)

---
updated-dependencies:
- dependency-name: pip
  dependency-version: 24.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-ecosystem
- dependency-name: pip-tools
  dependency-version: 7.5.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-ecosystem
- dependency-name: flake8
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-ecosystem
- dependency-name: hashin
  dependency-version: 1.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-ecosystem
- dependency-name: pipenv
  dependency-version: 2024.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-ecosystem
- dependency-name: plette
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-ecosystem
- dependency-name: tomli
  dependency-version: 2.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-ecosystem
- dependency-name: cython
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-ecosystem
...

Signed-off-by: dependabot[bot] <support@github.com>
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Checkout
uses: actions/checkout@v4
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
path: '.'
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v5
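Review bot: `path: '.'` on the `Upload artifact` step publishes the entire repository checkout as the Pages artifact, including `.github/` and every other file in the tree, not just site content; point it at the directory that actually holds the site (a build output or docs folder). Separately, nothing above `runs-on: ubuntu-latest` in this excerpt shows a `permissions:` block, and `actions/deploy-pages` requires `pages: write` and `id-token: write` on the job; please confirm those are set at the job level rather than granting them workflow-wide. The same SHA-pinning remark made on the CodeQL workflow applies to the `@v4`, `@v5` and `@v3` action references here.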
Comment on lines +32 to +33
- name: Checkout
uses: actions/checkout@v4
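Review bot: lines +32 to +33 are a second copy of the `Checkout` step that already appears immediately above them, and `Setup Pages` (`actions/configure-pages@v5`) is likewise listed twice in the same job. Duplicate steps double the run time and make the job harder to read without changing the result; keep one `Checkout` and one `Setup Pages` step.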
dependabot Bot added 2 commits May 4, 2026 21:33
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dotnet-sdk](https://github.com/dotnet/sdk) from 10.0.103 to 10.0.203.
- [Release notes](https://github.com/dotnet/sdk/releases)
- [Commits](https://github.com/dotnet/sdk/commits)

---
updated-dependencies:
- dependency-name: dotnet-sdk
  dependency-version: 10.0.203
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions github-actions Bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label May 5, 2026
@JaclynCodes JaclynCodes closed this May 6, 2026