Skip to content

Commit a53ed6c

Browse files
Vadman97claude
andauthored
fix(deps): bulk bump high-severity Dependabot deps across all ecosystems (#548)
## Summary Addresses **110+ open high-severity Dependabot alerts** across every ecosystem in this repo in a single PR. ### Coverage by ecosystem **Root `yarn.lock`** (Yarn 4 resolutions): bulk-bumped via `resolutions` block in `package.json` then `yarn install` + `yarn dedupe`. | Package | From | To | |---|---|---| | `next` | 15.5.15 | 15.5.18 | | `undici@^6` / `@6.18.2` / `@6.21.2` / `@6.23.0` | 6.23.0 | ^6.24.0 | | `undici@^7` | 7.20.0 | ^7.24.0 | | `axios` | 1.15.1 | ^1.15.2 | | `tar` | 7.5.7 | ^7.5.11 | | `multer` | 2.0.2 | ^2.1.1 | | `minimatch@^10` / `@10.1.1` | 10.1.1 | ^10.2.3 | | `minimatch@^9` | 9.0.5 | ^9.0.7 | | `minimatch@^3` | 3.0.8/3.1.2 | ^3.1.4 | | `fast-uri` | 3.0.5 | ^3.1.2 | | `rollup@^3` | 3.29.5 | ^3.30.0 | | `rollup@^4` | 4.57.1 | ^4.59.0 | | `underscore` | 1.13.7 | ^1.13.8 | | `immutable@^5` | 5.1.5 | ^5.1.5 | | `socket.io-parser` | 4.2.4 | ^4.2.6 | | `@xmldom/xmldom` | 0.8.12 | ^0.8.13 | | `@babel/plugin-transform-modules-systemjs` | 7.28.5 | ^7.29.4 | | `@angular/{core,compiler}` | 19.2.18 | ^19.2.20 | | `@opentelemetry/sdk-node@^0.203.0` | 0.203.0 | ^0.217.0 | | `@opentelemetry/exporter-prometheus@^0.203.0` | 0.203.0 | ^0.217.0 | | `@opentelemetry/auto-instrumentations-node@^0.62.0` | 0.62.2 | ^0.75.0 | | `react-server-dom-webpack` | 19.0.5 | ^19.0.6 | | `lodash` | 4.18.0 | ^4.18.1 | | `basic-ftp` | 5.3.0 | ^5.3.1 | | `node-forge`, `serialize-javascript`, `picomatch@^4` | already at fix | — | **`e2e/react-native/package-lock.json`** (npm): added `overrides` to `package.json`, regenerated `package-lock.json` in an isolated copy, then patched the one residual nested `glob > minimatch` to 9.0.9 by hand. **`e2e/ruby/{sinatra/demo,rails/demo,rails/api-only}/Gemfile.lock`** (no `bundle` available on devbox — hand-edited): - `rack`: 3.1.12 → 3.1.21 / 3.2.5 → 3.2.6 - `json`: 2.18.1 → 2.19.5 - `addressable`: 2.8.7/2.8.8 → 2.9.0 (with updated `public_suffix` constraint line) - `net-imap`: 0.5.6 → 0.6.4 (rails locks) - `nokogiri`: 1.18.5 → 1.19.3 (all platform variants, rails locks) **5 `poetry.lock` files** (`e2e/python`, `e2e/python-plugin-flask`, `e2e/tests`, `sdk/highlight-py`, `sdk/@launchdarkly/observability-python`): - `black`: ^24/^25/3.9.15 → ^26.3.1 (pyproject.toml bumps where needed) - `orjson`: 3.9.15 → ^3.11.6 - `urllib3`: 2.2.2/2.6.3 → ^2.7.0 - `protobuf`: stayed 5.29.5/5.29.6 (transitive, 5.29.6 is the patched version in 5.x line) ## Alerts NOT addressed (and why) - **`@opentelemetry/*` in `sdk/highlight-node` (0.57.x line)**: OTel renumbered from 0.57.x straight to 0.200.x — no patched 0.x exists for the 0.57 branch. Fixing requires a major-version bump of all OTel packages in `sdk/highlight-node`, out of scope here. - **`activestorage` in `e2e/ruby/rails/*` (#540, #541)**: Gemfile pins `rails ~> 7.1.0`; fix `7.2.3.1` requires bumping to `~> 7.2`. Out of scope for a security patch PR — handle separately. ## Test plan - [ ] CI green: `yarn install`, `yarn dedupe --check`, `yarn format-check`, `yarn test` - [ ] E2E Dockerized Apps job passes (covers Ruby, Python, React Native lockfiles) - [ ] Dependabot re-scans and most listed alerts auto-close within 1-2 hours of merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Mostly lockfile regeneration and dependency bumps, but it updates runtime libraries (e.g., `urllib3`, `requests`, `orjson`) which could subtly change HTTP/serialization behavior in the Python e2e apps. > > **Overview** > Regenerates the Python e2e `poetry.lock` files with Poetry `2.3.4` and refreshes resolved dependencies. > > Bumps key deps including `black` to `26.3.1` (and related `pathspec`/new `pytokens`), updates `urllib3` to `2.7.0`, and applies minor updates like `protobuf` `5.29.6`. > > Updates `e2e/python/pyproject.toml` to loosen pins for `orjson` (now `^3.11.6`), `urllib3` (now `^2.7.0`), and `black` (now `^26.3.1`). > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 958d6da. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent eba2eb4 commit a53ed6c

17 files changed

Lines changed: 6251 additions & 3275 deletions

File tree

e2e/python-plugin-flask/poetry.lock

Lines changed: 116 additions & 50 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

e2e/python/poetry.lock

Lines changed: 386 additions & 136 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

e2e/python/pyproject.toml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,14 +22,14 @@ loguru = "^0"
2222
openai = "^1.25.1"
2323
redis = "^5.0.4"
2424
sqlalchemy = "^2.0.29"
25-
orjson = "3.9.15"
25+
orjson = "^3.11.6"
2626
uvicorn = {extras = ["standard"], version = "^0.29.0"}
2727
highlight-io = {path = "../../sdk/highlight-py", develop = true}
28-
urllib3 = "2.2.2"
28+
urllib3 = "^2.7.0"
2929
confluent-kafka = "^2.8.2"
3030

3131
[tool.poetry.group.dev.dependencies]
32-
black = "^24.4.2"
32+
black = "^26.3.1"
3333
pytest = "^8.2.0"
3434
pytest-asyncio = "^0"
3535
pytest-cov = "^5.0.0"

0 commit comments

Comments
 (0)