chore(deps): aggregate second weekly batch + finalize nodemailer/astro security fixes#196
Merged
…o fixes

Consolidates the post-#190 Dependabot batch (#191, #193, #194, #195) into a single change. Lockfiles regenerated with bun@1.3.14; full static + UI + docs gates and API/UI test suites pass.

apps/api:
- @anthropic-ai/sdk 0.102.0 -> 0.104.1 (#194)
- nodemailer 8.0.10 -> 9.0.1 (#191, security) — replaces the prior accepted-risk suppression: 9.0.1 fixes GHSA-p6gq-j5cr-w38f outright, so the osv-scanner.toml IgnoredVuln and the bun audit --ignore are removed. Excluded from the install quarantine while <7 days old. SMTP provider (createTransport) verified by the full api test suite.
- eslint-plugin-unicorn 65.0.0 -> 65.0.1, prettier 3.8.3 -> 3.8.4, typescript-eslint 8.60.1 -> 8.61.0 (#193); @typescript-eslint/utils override bumped to 8.61.0 to match (package-override-parity).

apps/ui:
- eslint-plugin-unicorn 65.0.0 -> 65.0.1, prettier 3.8.3 -> 3.8.4, typescript-eslint 8.60.1 -> 8.61.0 (#195); @typescript-eslint/utils override bumped to 8.61.0 to match.

apps/docs:
- astro 6.4.4 -> 6.4.6 (#191, security) — fixes GHSA-2pvr-wf23-7pc7 and GHSA-jrpj-wcv7-9fh9, so both astro osv-scanner.toml IgnoredVulns are removed. 6.4.6 still pins @astrojs/markdown-remark 7.2.0; override matches (single copy, build verified).

Excluded: ioredis 5.11.1 (#192) — bullmq 5.78.0 still exact-pins ioredis 5.10.1; taking 5.11.1 splits the tree into conflicting RedisOptions types. Held back.
agjs added a commit that referenced this pull request on Jun 19, 2026
#197)

Lands the ioredis 5.10.1 -> 5.11.1 bump (#192) that was deferred from #190/#196. bullmq 5.78.0 exact-pins ioredis@5.10.1, so bumping the top-level dep alone left bullmq on its own nested 5.10.1 copy — two ioredis instances with structurally incompatible RedisOptions types (tsc failed on new Redis(options)).

Adds an `ioredis: 5.11.1` override in apps/api that collapses bullmq's nested copy onto the top-level version. A clean `bun install --frozen-lockfile` (the CI condition) now resolves a single ioredis@5.11.1; 5.10.1 -> 5.11.1 is a semver patch. Drop the override once bullmq advances its own ioredis pin.

Verification (infra up): single ioredis copy after frozen install, api check (tsc + lint + lint:meta + knip) clean, full api suite 1188 pass / 0 fail including the Redis/BullMQ/valkey integration tests.
What
Consolidates the Dependabot batch that opened right after #190 merged (#191, #193, #194, #195) into one PR. Also finalizes the two security items #190 had to suppress — this PR fixes them outright and removes the suppressions.
Bumps
apps/api
- `@anthropic-ai/sdk` 0.102.0 → 0.104.1 (chore(deps)(deps): bump @anthropic-ai/sdk from 0.102.0 to 0.104.1 in /apps/api in the ai group across 1 directory #194)
- `nodemailer` 8.0.10 → 9.0.1 (chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates #191, security) — fixes GHSA-p6gq-j5cr-w38f outright. Removes the prior `osv-scanner.toml` IgnoredVuln and the `bun audit --ignore` from the workflow. SMTP provider (createTransport) verified by the full api test suite (1188 pass).
- `eslint-plugin-unicorn` 65.0.0 → 65.0.1, `prettier` 3.8.3 → 3.8.4, `typescript-eslint` 8.60.1 → 8.61.0 (chore(deps)(deps-dev): bump the lint group across 1 directory with 3 updates #193); `@typescript-eslint/utils` override → 8.61.0 to match (package-override-parity).

apps/ui
- `eslint-plugin-unicorn` 65.0.0 → 65.0.1, `prettier` 3.8.3 → 3.8.4, `typescript-eslint` 8.60.1 → 8.61.0 (chore(deps)(deps-dev): bump the lint group across 1 directory with 3 updates #195); `@typescript-eslint/utils` override → 8.61.0 to match.

apps/docs
- `astro` 6.4.4 → 6.4.6 (chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates #191, security) — fixes GHSA-2pvr-wf23-7pc7 + GHSA-jrpj-wcv7-9fh9 outright; both astro `osv-scanner.toml` IgnoredVulns removed. 6.4.6 still pins `@astrojs/markdown-remark@7.2.0`; override matches (single copy, build verified).

Excluded
- `ioredis` 5.11.1 (chore(deps)(deps): bump ioredis from 5.10.1 to 5.11.1 in /apps/api in the bullmq group across 1 directory #192) — `bullmq` 5.78.0 still exact-pins `ioredis@5.10.1`; taking 5.11.1 splits the tree into conflicting `RedisOptions` types (`tsc` fails). Held back until bullmq advances its pin. (Same as chore(deps): aggregate weekly dependency updates (api, ui, docs, ci) #190; Dependabot keeps re-proposing it.)

Net security effect
This PR reduces accepted-risk suppressions vs main: 3 removed (1 nodemailer + 2 astro), 0 added.

Verification (infra up)
- apps/api: `bun run check` ✓ · `bun run test` → 1188 pass ✓
- apps/ui: `bun run check` ✓ · `vitest --run` → 656 pass ✓
- apps/docs: `bun run build:ci` ✓