chore(deps): Bump the npm group with 4 updates#74
Conversation
Bumps the npm group with 4 updates: [valibot](https://github.com/open-circle/valibot), [@langfuse/client](https://github.com/langfuse/langfuse-js/tree/HEAD/packages/client), [eslint](https://github.com/eslint/eslint) and [prettier](https://github.com/prettier/prettier). Updates `valibot` from 1.4.1 to 1.4.2 - [Release notes](https://github.com/open-circle/valibot/releases) - [Commits](open-circle/valibot@v1.4.1...v1.4.2) Updates `@langfuse/client` from 5.7.0 to 5.9.0 - [Release notes](https://github.com/langfuse/langfuse-js/releases) - [Changelog](https://github.com/langfuse/langfuse-js/blob/main/CHANGELOG.md) - [Commits](https://github.com/langfuse/langfuse-js/commits/v5.9.0/packages/client) Updates `eslint` from 10.5.0 to 10.6.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v10.5.0...v10.6.0) Updates `prettier` from 3.8.4 to 3.9.1 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@3.8.4...3.9.1) --- updated-dependencies: - dependency-name: valibot dependency-version: 1.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@langfuse/client" dependency-version: 5.9.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: eslint dependency-version: 10.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: prettier dependency-version: 3.9.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
LGTM, standard Dependabot bumps (valibot patch, @langfuse/client + eslint + prettier minor).
Extended reasoning...
Overview
This is a Dependabot PR that bumps four dependencies in the npm group: valibot (1.4.1 → 1.4.2, patch), @langfuse/client (5.7.0 → 5.9.0, minor), eslint (10.5.0 → 10.6.0, minor), and prettier (3.8.4 → 3.9.1, minor). Only package.json and pnpm-lock.yaml are modified — no source code touched.
Security risks
None identified. All packages are well-known and from trusted upstream sources (open-circle, langfuse, eslint, prettier). Release notes are limited to bug fixes and small features (Object.prototype collision fixes in valibot, eslint rule improvements, prettier parser upgrades). The only production runtime dependency touched is valibot (patch-only), and @langfuse/client is scoped to devDependencies.
Level of scrutiny
Low. Config-only dependency bumps within the same major version, no API surface changes flagged in the release notes, and CI (lint/format/typecheck/test/build) will catch any incompatibilities before merge. Prettier 3.9's parser upgrade could theoretically reformat code, but that would surface as a format:check failure rather than a runtime issue.
Other factors
No bugs were surfaced by the bug hunting system, no prior reviewer comments on the PR, and the repo has established test/lint/build checks that gate merges. This is exactly the kind of small, mechanical, low-risk change appropriate for shadow approval.
|
| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |
Details
Bumps the npm group with 4 updates: valibot, @langfuse/client, eslint and prettier.
Updates
valibotfrom 1.4.1 to 1.4.2Release notes
Sourced from valibot's releases.
Commits
0dc26eaBump library version to 1.4.21bd01c3fix: handle keys that collide with Object.prototype in flatten and merge (#1522)752c636docs: clarify string length semantics (#1505)a3beff9fix: cache word-count segmenter for non-primitive locales (#1521)1f9b183Update FUNDING.yml in fabvor of Open Collective2c63b2aUpdate logos of partners in README09616b2Add CodeRabbit as partner and remove Stainless92bcf55Add Cloudflare to privacy policy page9bb6617Add Cloudflare as a deploy target to our website (#1508)c05bf95Bump to-json-schema version to 1.7.1Updates
@langfuse/clientfrom 5.7.0 to 5.9.0Release notes
Sourced from @langfuse/client's releases.
Commits
fd0d45bchore: release v5.9.0bb96928chore: release v5.8.0Updates
eslintfrom 10.5.0 to 10.6.0Release notes
Sourced from eslint's releases.
Commits
5d12a0410.6.0f7ca54bBuild: changelog update for 10.6.06a42034ci: run ecosystem tests on main branch (#20891)b1f9106feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981)3dbacdbci: bump actions/checkout from 6 to 7 (#21014)c3abfcachore: correct JSDoc param types in html formatter (#21018)a83683ddocs: Update READMEa832320ci: split ecosystem tests into separate jobs (#21001)6b05784fix: prefer-exponentiation-operator invalid autofix at statement start (#20997)bb9eb2afix: account for shadowedBooleaninno-extra-boolean-cast(#21013)Updates
prettierfrom 3.8.4 to 3.9.1Release notes
Sourced from prettier's releases.
Changelog
Sourced from prettier's changelog.
Commits
c47654cRelease 3.9.106159aaFix bug in release script4bc5ab4Update file-entry-cache to 11.1.5 (#19483)b7fd58bRelease@prettier/plugin-oxc@0.2.0and@prettier/plugin-hermes@0.2.03006400Revert changes in release script7bef7dbGit blame ignore 3.9.0bb817b1Bump Prettier dependency to 3.9.005cf896Clean changelog_unreleased79f6cdfDisable finished steps3613b1eAdd blog post for v3.9 (#19414)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions