
fix: upgrade outdated dependency overrides and direct deps #7376

Open

waldekmastykarz wants to merge 1 commit into pnp:main from waldekmastykarz:waldekmastykarz/audit-dependencies

fix: upgrade outdated dependency overrides and direct deps#7376
waldekmastykarz wants to merge 1 commit into
pnp:mainfrom
waldekmastykarz:waldekmastykarz/audit-dependencies

Conversation


@waldekmastykarz waldekmastykarz commented May 29, 2026

Summary

Upgrades all outdated npm dependency overrides and direct dependencies that have passed the 7-day cooldown period.

Overrides updated

| Package | Old | New | Parent | Breaking? |
|---|---|---|---|---|
| fast-xml-parser | 5.7.0 | 5.8.0 | adaptive-expressions | No |
| lodash | 4.18.0 | 4.18.1 | adaptive-expressions | No |
| @xmldom/xmldom | ^0.8.13 | ^0.9.10 | adaptive-expressions | No |
| uuid | 11.1.1 | 14.0.0 | adaptive-expressions, applicationinsights | ⚠️ Major |
| diff | 8.0.4 | 9.0.0 | mocha | ⚠️ Major |
| jws | 3.2.3 | 4.0.1 | jsonwebtoken | ⚠️ Major |
| protobufjs | 7.6.0 | 8.4.2 | @grpc/proto-loader, @opentelemetry/otlp-transformer, top-level | ⚠️ Major |
| @opentelemetry/sdk-node | 0.217.0 | 0.218.0 | @azure/monitor-opentelemetry | No |
| @opentelemetry/exporter-prometheus | 0.217.0 | 0.218.0 | @azure/monitor-opentelemetry | No |

Direct dependencies updated

| Package | Old | New | Breaking? |
|---|---|---|---|
| uuid | ^13.0.1 | ^14.0.0 | ⚠️ Major |

Skipped

  • typescript 6.0.3: breaks the build (20k+ type errors from moduleResolution=node10 deprecation becoming a hard error)
  • swiper 12.2.0: in 7-day cooldown (eligible 2026-06-03)
  • serialize-javascript, follow-redirects: already at latest

Verification

  • ✅ npm audit: 0 vulnerabilities
  • ✅ Build passes (clean, no warnings)
  • ✅ Lint passes
  • ✅ All tests pass

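The PR description applies a 7-day cooldown before adopting a newly published version (swiper 12.2.0 is listed as "eligible 2026-06-03"). The following is an added example, not code from the PR or from the project, showing how that eligibility decision can be computed from the `time` map the npm registry returns for a package (the object you get from `npm view <pkg> time --json`, with `created`, `modified` and one ISO timestamp per version). The sample `time` map, its version numbers and dates are constructed for the example; `COOLDOWN_DAYS`, `cooldownReport` and `newestEligibleVersion` are names chosen here, not project APIs. Versions whose publish time cannot be parsed are treated as still in cooldown, so a malformed registry response cannot make a release look older than it is.

```javascript
// Added example (not part of the PR or the project): decide which versions of a
// package have cleared a publish cooldown, using the `time` map the npm registry
// returns for a package (e.g. `npm view <pkg> time --json`). Waiting a few days
// before adopting a release reduces exposure to freshly published versions that
// are later pulled as malicious.

const COOLDOWN_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample `time` map; versions and dates are made up for this
// example and are not real registry data.
const SAMPLE_TIME = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2026-05-27T10:00:00.000Z",
  "12.0.0": "2026-02-10T12:00:00.000Z",
  "12.1.0": "2026-04-15T12:00:00.000Z",
  "12.2.0": "2026-05-27T10:00:00.000Z",
  "13.0.0-beta.1": "2026-05-20T10:00:00.000Z",
  "12.1.1": "not-a-date", // deliberately malformed to exercise the fail-closed path
};

// Parse "x.y.z" or "x.y.z-prerelease"; returns null for anything else.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ?? null };
}

// Numeric major.minor.patch comparison (prereleases are filtered out earlier).
function compareSemver(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify every stable version as eligible or still in cooldown as of `now`.
// A version with an unparseable publish time is reported as in cooldown with
// no eligibility date, so bad metadata never unlocks a release early.
function cooldownReport(timeMap, now, cooldownDays = COOLDOWN_DAYS) {
  const cooldownMs = cooldownDays * MS_PER_DAY;
  const cutoff = now.getTime() - cooldownMs;
  const eligible = [];
  const inCooldown = [];
  for (const [version, published] of Object.entries(timeMap)) {
    if (version === "created" || version === "modified") continue;
    const sv = parseSemver(version);
    if (!sv || sv.prerelease) continue; // skip prereleases and non-version keys
    const publishedMs = Date.parse(published);
    if (!Number.isFinite(publishedMs)) {
      inCooldown.push({ version, eligibleOn: null });
      continue;
    }
    if (publishedMs > cutoff) {
      inCooldown.push({
        version,
        eligibleOn: new Date(publishedMs + cooldownMs).toISOString(),
      });
    } else {
      eligible.push(version);
    }
  }
  eligible.sort((a, b) => compareSemver(parseSemver(a), parseSemver(b)));
  return { eligible, inCooldown };
}

// Newest stable version that has cleared the cooldown, or null if none has.
function newestEligibleVersion(timeMap, now, cooldownDays = COOLDOWN_DAYS) {
  const { eligible } = cooldownReport(timeMap, now, cooldownDays);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Usage with an assumed "now" of 2026-05-29:
const now = new Date("2026-05-29T12:00:00.000Z");
console.log(newestEligibleVersion(SAMPLE_TIME, now)); // 12.1.0
console.log(cooldownReport(SAMPLE_TIME, now).inCooldown);
```

Run against the constructed data, the report puts 12.2.0 in cooldown until 2026-06-03T10:00:00.000Z (publish time plus seven days), skips the 13.0.0-beta.1 prerelease, and selects 12.1.0 as the newest adoptable release; the same check run a week later selects 12.2.0.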
@waldekmastykarz waldekmastykarz marked this pull request as draft May 29, 2026 09:37
Overrides updated:
- fast-xml-parser: 5.7.0 → 5.8.0 (adaptive-expressions)
- lodash: 4.18.0 → 4.18.1 (adaptive-expressions)
- @xmldom/xmldom: ^0.8.13 → ^0.9.10 (adaptive-expressions)
- uuid: 11.1.1 → 14.0.0 (adaptive-expressions, applicationinsights)
- diff: 8.0.4 → 9.0.0 (mocha)
- jws: 3.2.3 → 4.0.1 (jsonwebtoken)
- protobufjs: 7.6.0 → 8.4.2 (all contexts)
- @opentelemetry/sdk-node: 0.217.0 → 0.218.0
- @opentelemetry/exporter-prometheus: 0.217.0 → 0.218.0

Direct dependencies updated:
- uuid: ^13.0.1 → ^14.0.0

TypeScript kept at ^5.9.3 (v6 introduces too many breaking changes).

Also updates the patch-vulnerabilities skill to cover outdated
direct deps and overrides in addition to security vulnerabilities.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@waldekmastykarz waldekmastykarz force-pushed the waldekmastykarz/audit-dependencies branch from 4e66019 to cadbf5c Compare May 29, 2026 09:39
@waldekmastykarz waldekmastykarz marked this pull request as ready for review May 29, 2026 12:09