
Consolidate Dependabot npm updates #263

Merged
tortmayr merged 1 commit into master from consolidate-dependabot-npm-2026-06 on Jun 9, 2026

Conversation

@tortmayr (Contributor) commented Jun 9, 2026

What

Consolidates all currently-open Dependabot npm PRs into a single change by regenerating the five affected yarn.lock files (yarn install), rather than merging the individual Dependabot branches.

Why regenerate instead of merge

  • The previous consolidation (#262, Consolidate Dependabot npm updates) was only partial: for several packages it appended orphan exact-version lock blocks (e.g. a handlebars@4.7.9: block that no dependent actually requests) while leaving the real in-range entry (handlebars@^4.7.7) on the old, still-vulnerable version. The open PRs are therefore genuinely still needed.
  • The open Dependabot branches are based on a pre-#262 master, so merging/cherry-picking them reverts #262's work and corrupts the lockfiles (verified: it dropped axios@1.12.2 and deleted ~660 lines).

Regenerating moves each flagged in-range/transitive dependency to its patched (latest-in-range) version and prunes the duplicate/orphan entries left by #262 — hence the large net line reduction.

Updated packages (≥ the version Dependabot requested)

| Project | Updates |
|---|---|
| workflow, project-templates/* | handlebars 4.7.9, yaml 2.9.0, flatted 3.4.2, diff 4.0.4 / 5.2.2, picomatch 2.3.2, multer 2.1.1, socket.io-parser 4.2.6, basic-ftp 5.3.1 |
| node-json-theia | dompurify 3.4.8, tar-fs 2.1.4, webpack 5.107.2 |
| node-json-vscode | axios 1.17.0, qs 6.15.2, ajv 6.15.0, underscore 1.13.8, serialize-javascript 6.0.2, webpack 5.107.2 |
| java-emf-theia/glsp-client | ajv 6.15.0, socket.io-parser 4.2.6 |
| java-emf-eclipse/glsp-client | webpack 5.107.2 |

A few packages resolved to a slightly newer in-range version than the exact one Dependabot pinned (e.g. yaml 2.9.0, basic-ftp 5.3.1, webpack 5.107.2) because newer in-range releases now exist — still within the declared semver ranges.

Verification

All five lockfiles pass yarn install --frozen-lockfile.

Supersedes #220-#231 and #234-#259.
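The two failure modes the description above calls out, an orphan exact-version lock block that no dependent requests and a lockfile that passes `yarn install --frozen-lockfile` while the in-range entry still resolves to the old version, can be checked mechanically rather than by eye. What follows is an added example, not code from this PR or from the project: a dependency-free Node script that parses a yarn.lock v1 file, walks the dependency graph from the root package.json dependencies, reports lock blocks the walk never reaches, and lists the reachable resolutions of a named package that are still below a given fixed version. The lockfile text, the root dependency map and the `SAMPLE_*`/`audit*` names are constructed for the example; the parser covers only the lockfile fields the audit needs (key lines, `version`, `dependencies:`, `optionalDependencies:`) and the version comparison ignores prerelease tags.

```javascript
// Added example, not code from this PR or the project. The lockfile text and
// root dependency map below are constructed for illustration.

// Parse the subset of yarn.lock v1 an audit needs: key lines, `version`, and the
// `dependencies:` / `optionalDependencies:` maps. Other fields are skipped.
function parseYarnLockV1(text) {
  const entries = [];
  let cur = null;     // entry currently being filled
  let inDeps = false; // inside a dependencies/optionalDependencies block
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      // Key line such as `minimist@^1.2.5, minimist@^1.2.6:` (specs may be quoted).
      const specs = raw.replace(/:\s*$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      cur = { specs, version: null, dependencies: {} };
      entries.push(cur);
      inDeps = false;
    } else if (raw.startsWith('    ')) {
      // Nested line `name "range"` or `"@scope/name" "range"`.
      const m = inDeps && raw.trim().match(/^"?([^"\s]+)"?\s+"?([^"]*)"?$/);
      if (m) cur.dependencies[m[1]] = m[2];
    } else {
      const line = raw.trim();
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
      const m = line.match(/^version\s+"([^"]+)"$/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}

// `name@range` -> { name, range }; scoped names start with '@', so split at the last '@'.
function splitSpec(spec) {
  const i = spec.lastIndexOf('@');
  return { name: spec.slice(0, i), range: spec.slice(i + 1) };
}

// Walk the graph from the root package.json dependencies. A lock entry the walk
// never reaches is an orphan: nothing requests it, so a patched version there
// protects no one. Requested specs with no entry at all are reported as missing
// (that is the case --frozen-lockfile does catch).
function auditLock(lockText, rootDeps) {
  const entries = parseYarnLockV1(lockText);
  const bySpec = new Map();
  for (const e of entries) for (const s of e.specs) bySpec.set(s, e);
  const reached = new Set();
  const missing = [];
  const queue = Object.entries(rootDeps).map(([n, r]) => `${n}@${r}`);
  while (queue.length) {
    const spec = queue.shift();
    const e = bySpec.get(spec);
    if (!e) { missing.push(spec); continue; }
    if (reached.has(e)) continue;
    reached.add(e);
    for (const [n, r] of Object.entries(e.dependencies)) queue.push(`${n}@${r}`);
  }
  const orphans = entries.filter((e) => !reached.has(e)).flatMap((e) => e.specs);
  return { reached: [...reached], orphans, missing };
}

// Numeric major.minor.patch comparison; prerelease tags are ignored (a simplification).
function semverLt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Reachable resolutions of `name` still below `fixedIn`: this, not the presence of
// a newer block somewhere in the file, is what an advisory actually hits.
function vulnerableResolutions(audit, name, fixedIn) {
  return audit.reached
    .filter((e) => e.specs.some((s) => splitSpec(s).name === name) && semverLt(e.version, fixedIn))
    .flatMap((e) => e.specs.map((s) => ({ spec: s, version: e.version })));
}

// Constructed sample: an orphan handlebars@4.7.9 block beside the real in-range
// entry handlebars@^4.7.7, which still resolves to 4.7.7.
const SAMPLE_LOCK = `# yarn lockfile v1

axios@^1.6.0:
  version "1.12.2"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.12.2.tgz"
  integrity sha512-constructed

handlebars@4.7.9:
  version "4.7.9"
  dependencies:
    minimist "^1.2.5"

handlebars@^4.7.7:
  version "4.7.7"
  dependencies:
    minimist "^1.2.5"

minimist@^1.2.5, minimist@^1.2.6:
  version "1.2.8"
`;
const SAMPLE_ROOT_DEPS = { axios: '^1.6.0', handlebars: '^4.7.7' };

function runSampleAudit() {
  const audit = auditLock(SAMPLE_LOCK, SAMPLE_ROOT_DEPS);
  return {
    orphans: audit.orphans,
    missing: audit.missing,
    handlebarsStillVulnerable: vulnerableResolutions(audit, 'handlebars', '4.7.9'),
  };
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

To run it against a real project, pass the contents of its yarn.lock and the `dependencies`/`devDependencies` map from its package.json to `auditLock` in place of the sample values. An orphan block on its own never makes `--frozen-lockfile` fail, which is why the resolved-version check is the one worth gating a consolidation PR on.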

Regenerate the affected yarn.lock files so all transitive/in-range
dependencies flagged by the open Dependabot PRs are bumped to their
patched (latest in-range) versions, and prune the duplicate/orphan
lock entries left behind by the partial consolidation in #262.

Updated packages (>= the version Dependabot requested):
- handlebars 4.7.9, yaml 2.9.0, flatted 3.4.2, diff 4.0.4/5.2.2,
  picomatch 2.3.2, multer 2.1.1, socket.io-parser 4.2.6,
  basic-ftp 5.3.1 (workflow / project-templates/*)
- dompurify 3.4.8, tar-fs 2.1.4 (node-json-theia)
- axios 1.17.0, qs 6.15.2, ajv 6.15.0, underscore 1.13.8,
  serialize-javascript 6.0.2, webpack 5.107.2 (node-json-vscode)
- ajv 6.15.0, socket.io-parser 4.2.6 (java-emf-theia)
- webpack 5.107.2 (java-emf-eclipse, node-json-theia)

Supersedes #220-#231, #234-#259. All five lockfiles verified with
`yarn install --frozen-lockfile`.
tortmayr merged commit d725ccd into master on Jun 9, 2026
6 checks passed
tortmayr deleted the consolidate-dependabot-npm-2026-06 branch on June 9, 2026 at 08:10