Skip to content

deps: periodic dependency update #189

Merged
qw-in merged 5 commits into
mainfrom
deps/security-fixes
Jun 30, 2026
Merged

deps: periodic dependency update #189
qw-in merged 5 commits into
mainfrom
deps/security-fixes

Conversation

@qw-in

@qw-in qw-in commented Jun 30, 2026

Copy link
Copy Markdown
Member

No description provided.

qw-in and others added 5 commits June 30, 2026 22:36
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…-3m8p, GHSA-g7r4-m6w7-qqqr, GHSA-v6wh-96g9-6wx3, GHSA-fx2h-pf6j-xcff, GHSA-96hv-2xvq-fx4p

shell-quote, esbuild, launch-editor, vite, and ws are all pulled in
transitively by @nuxt/devtools.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
vite was pinned to 7.3.5, whose esbuild range (^0.27.0) excluded the
fix; bumped to 7.3.6 (esbuild range ^0.27.0 || ^0.28.0) then updated
esbuild itself.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
firebase-tools bumped 15.18.0 -> 15.22.4 (latest within major) to pick
up a json-schema-ref-parser release using js-yaml ^4, which combined
with `npm up js-yaml` resolves the second affected js-yaml instance
pulled in via firebase-functions-test's jest dependency chain.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Minor-version bumps within the 30-day cooldown window across astro,
fastify, nestjs, nextjs, nextjs-fly, nextjs-form, nuxt, react-router,
sveltekit, and tanstack-start.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

@arcjet-review arcjet-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arcjet Review — 🟡 Medium Risk

Decision: Approved

Rationale: This PR only updates pinned dependency versions in example package.json files. The dependency-changes escalation trigger fires, but the changes are limited to well-known ecosystem packages and are mostly patch/minor updates with exact version pins. No application logic, auth, secrets, infrastructure, or database changes are present, and no security issues were identified from the diff. Approved as Medium risk because dependency updates should still be validated by CI/example builds.

Summary of Changes

Periodic dependency refresh across multiple example apps, including Astro, Fastify, Firebase Functions, NestJS, Next.js, Nuxt, React Router, SvelteKit, and TanStack Start examples.

Escalation Triggers

  • Dependency Changes: Multiple package.json files under examples/ update dependency and devDependency versions.

Review Focus Areas

Notes

No secrets, auth changes, injection-sensitive code, cryptography changes, infrastructure changes, or migrations were present in the diff. Dependency versions remain exact-pinned, which reduces accidental drift.

Path filtering: 11 files excluded by ignore paths. 11 of 22 files included in review.

Review: 8880c5d5 | Model: openai/gpt-5.5 | Powered by Arcjet Review

Comment thread examples/astro/package.json
@qw-in qw-in added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit 73ccca3 Jun 30, 2026
18 of 19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant