Commit a53ed6c
fix(deps): bulk bump high-severity Dependabot deps across all ecosystems (#548)
## Summary
Addresses **110+ open high-severity Dependabot alerts** across every
ecosystem in this repo in a single PR.
### Coverage by ecosystem
**Root `yarn.lock`** (Yarn 4 resolutions): bulk-bumped via `resolutions`
block in `package.json` then `yarn install` + `yarn dedupe`.
| Package | From | To |
|---|---|---|
| `next` | 15.5.15 | 15.5.18 |
| `undici@^6` / `@6.18.2` / `@6.21.2` / `@6.23.0` | 6.23.0 | ^6.24.0 |
| `undici@^7` | 7.20.0 | ^7.24.0 |
| `axios` | 1.15.1 | ^1.15.2 |
| `tar` | 7.5.7 | ^7.5.11 |
| `multer` | 2.0.2 | ^2.1.1 |
| `minimatch@^10` / `@10.1.1` | 10.1.1 | ^10.2.3 |
| `minimatch@^9` | 9.0.5 | ^9.0.7 |
| `minimatch@^3` | 3.0.8/3.1.2 | ^3.1.4 |
| `fast-uri` | 3.0.5 | ^3.1.2 |
| `rollup@^3` | 3.29.5 | ^3.30.0 |
| `rollup@^4` | 4.57.1 | ^4.59.0 |
| `underscore` | 1.13.7 | ^1.13.8 |
| `immutable@^5` | 5.1.5 | ^5.1.5 |
| `socket.io-parser` | 4.2.4 | ^4.2.6 |
| `@xmldom/xmldom` | 0.8.12 | ^0.8.13 |
| `@babel/plugin-transform-modules-systemjs` | 7.28.5 | ^7.29.4 |
| `@angular/{core,compiler}` | 19.2.18 | ^19.2.20 |
| `@opentelemetry/sdk-node@^0.203.0` | 0.203.0 | ^0.217.0 |
| `@opentelemetry/exporter-prometheus@^0.203.0` | 0.203.0 | ^0.217.0 |
| `@opentelemetry/auto-instrumentations-node@^0.62.0` | 0.62.2 | ^0.75.0
|
| `react-server-dom-webpack` | 19.0.5 | ^19.0.6 |
| `lodash` | 4.18.0 | ^4.18.1 |
| `basic-ftp` | 5.3.0 | ^5.3.1 |
| `node-forge`, `serialize-javascript`, `picomatch@^4` | already at fix
| — |
**`e2e/react-native/package-lock.json`** (npm): added `overrides` to
`package.json`, regenerated `package-lock.json` in an isolated copy,
then patched the one residual nested `glob > minimatch` to 9.0.9 by
hand.
**`e2e/ruby/{sinatra/demo,rails/demo,rails/api-only}/Gemfile.lock`** (no
`bundle` available on devbox — hand-edited):
- `rack`: 3.1.12 → 3.1.21 / 3.2.5 → 3.2.6
- `json`: 2.18.1 → 2.19.5
- `addressable`: 2.8.7/2.8.8 → 2.9.0 (with updated `public_suffix`
constraint line)
- `net-imap`: 0.5.6 → 0.6.4 (rails locks)
- `nokogiri`: 1.18.5 → 1.19.3 (all platform variants, rails locks)
**5 `poetry.lock` files** (`e2e/python`, `e2e/python-plugin-flask`,
`e2e/tests`, `sdk/highlight-py`,
`sdk/@launchdarkly/observability-python`):
- `black`: ^24/^25/3.9.15 → ^26.3.1 (pyproject.toml bumps where needed)
- `orjson`: 3.9.15 → ^3.11.6
- `urllib3`: 2.2.2/2.6.3 → ^2.7.0
- `protobuf`: stayed 5.29.5/5.29.6 (transitive, 5.29.6 is the patched
version in 5.x line)
## Alerts NOT addressed (and why)
- **`@opentelemetry/*` in `sdk/highlight-node` (0.57.x line)**: OTel
renumbered from 0.57.x straight to 0.200.x — no patched 0.x exists for
the 0.57 branch. Fixing requires a major-version bump of all OTel
packages in `sdk/highlight-node`, out of scope here.
- **`activestorage` in `e2e/ruby/rails/*` (#540, #541)**: Gemfile pins
`rails ~> 7.1.0`; fix `7.2.3.1` requires bumping to `~> 7.2`. Out of
scope for a security patch PR — handle separately.
## Test plan
- [ ] CI green: `yarn install`, `yarn dedupe --check`, `yarn
format-check`, `yarn test`
- [ ] E2E Dockerized Apps job passes (covers Ruby, Python, React Native
lockfiles)
- [ ] Dependabot re-scans and most listed alerts auto-close within 1-2
hours of merge
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly lockfile regeneration and dependency bumps, but it updates
runtime libraries (e.g., `urllib3`, `requests`, `orjson`) which could
subtly change HTTP/serialization behavior in the Python e2e apps.
>
> **Overview**
> Regenerates the Python e2e `poetry.lock` files with Poetry `2.3.4` and
refreshes resolved dependencies.
>
> Bumps key deps including `black` to `26.3.1` (and related
`pathspec`/new `pytokens`), updates `urllib3` to `2.7.0`, and applies
minor updates like `protobuf` `5.29.6`.
>
> Updates `e2e/python/pyproject.toml` to loosen pins for `orjson` (now
`^3.11.6`), `urllib3` (now `^2.7.0`), and `black` (now `^26.3.1`).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
958d6da. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent eba2eb4 commit a53ed6c
17 files changed
Lines changed: 6251 additions & 3275 deletions
File tree
- e2e
- python-plugin-flask
- python
- react-native
- ruby
- rails
- api-only
- demo
- sinatra/demo
- tests
- sdk
- @launchdarkly/observability-python
- ldobserve/_graph/generated/public_graph_client
- highlight-py
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
25 | | - | |
| 25 | + | |
26 | 26 | | |
27 | 27 | | |
28 | | - | |
| 28 | + | |
29 | 29 | | |
30 | 30 | | |
31 | 31 | | |
32 | | - | |
| 32 | + | |
33 | 33 | | |
34 | 34 | | |
35 | 35 | | |
| |||
0 commit comments