deps: periodic dependency update #189
Conversation
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…-3m8p, GHSA-g7r4-m6w7-qqqr, GHSA-v6wh-96g9-6wx3, GHSA-fx2h-pf6j-xcff, GHSA-96hv-2xvq-fx4p shell-quote, esbuild, launch-editor, vite, and ws are all pulled in transitively by @nuxt/devtools. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
vite was pinned to 7.3.5, whose esbuild range (^0.27.0) excluded the fix; bumped to 7.3.6 (esbuild range ^0.27.0 || ^0.28.0) then updated esbuild itself. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
firebase-tools bumped 15.18.0 -> 15.22.4 (latest within major) to pick up a json-schema-ref-parser release using js-yaml ^4, which combined with `npm up js-yaml` resolves the second affected js-yaml instance pulled in via firebase-functions-test's jest dependency chain. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Minor-version bumps within the 30-day cooldown window across astro, fastify, nestjs, nextjs, nextjs-fly, nextjs-form, nuxt, react-router, sveltekit, and tanstack-start. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Arcjet Review — 🟡 Medium Risk
Decision: Approved
Rationale: This PR only updates pinned dependency versions in example package.json files. The dependency-changes escalation trigger fires, but the changes are limited to well-known ecosystem packages and are mostly patch/minor updates with exact version pins. No application logic, auth, secrets, infrastructure, or database changes are present, and no security issues were identified from the diff. Approved as Medium risk because dependency updates should still be validated by CI/example builds.
Summary of Changes
Periodic dependency refresh across multiple example apps, including Astro, Fastify, Firebase Functions, NestJS, Next.js, Nuxt, React Router, SvelteKit, and TanStack Start examples.
Escalation Triggers
- Dependency Changes: Multiple package.json files under examples/ update dependency and devDependency versions.
Review Focus Areas
- Do the example apps still install, build, and run successfully after these dependency updates?
Even patch/minor framework updates can introduce regressions in generated output, build tooling, or runtime behavior. - Confirm the React Router 7.15.1 to 7.16.0 update does not require code or config changes.
This is a minor version bump across several related React Router packages and should be validated as a coordinated framework update. - Confirm firebase-tools 15.18.0 to 15.22.4 remains compatible with the Firebase Functions example and CI environment.
Firebase CLI updates can affect emulator behavior, deployment commands, and local test workflows.
Notes
No secrets, auth changes, injection-sensitive code, cryptography changes, infrastructure changes, or migrations were present in the diff. Dependency versions remain exact-pinned, which reduces accidental drift.
Path filtering: 11 files excluded by ignore paths. 11 of 22 files included in review.
Review: 8880c5d5 | Model: openai/gpt-5.5 | Powered by Arcjet Review
No description provided.