chore(deps): bump axios and assorted transitive deps in pnpm-lock.yaml#2499
Merged
Conversation
Resolves Dependabot alerts that could be fixed via lockfile-only update: axios, and partial bumps for js-yaml/lodash/yaml. The apify-docs-theme axios range was widened from ^1.7.9 to ^1.16.0 to pick up the patch. Remaining alerts (uuid, dompurify, fast-xml-parser, postcss, protobufjs, serialize-javascript, and the older lodash/js-yaml/yaml entries) require either a major bump or pnpm overrides to force transitive updates. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Migrate the existing root `overrides` block to `pnpm.overrides` (which pnpm honors more uniformly across the dependency graph) and extend it to cover all remaining Dependabot alerts in the lockfile:
- protobufjs ^7.5.5 (critical CVE)
- dompurify ^3.4.0
- fast-xml-parser ^5.7.0
- uuid@>=11.0.0 ^11.1.1 (leaves the unrelated 8.3.2 entry alone)
- js-yaml@>=4.0.0 ^4.1.1 (matches the previous narrow override target)
- lodash ^4.17.23 (replaces the prior ^4.18.0 with a wider range)
After install: protobufjs 7.5.6, dompurify 3.4.2, fast-xml-parser 5.7.3, uuid 11.1.1, js-yaml 4.1.1 (4.x line), lodash 4.17.23 + 4.18.1, postcss 8.5.14, yaml 1.10.3 — no remaining vulnerable versions in pnpm-lock.yaml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The wider override block let pnpm float ajv to 8.20.0, which crashes @stoplight/spectral-functions with "SyntaxError: Unexpected token ':'" during schema compile under Node 24. Pinning ajv@8.x to the previously working 8.18.0 keeps `pnpm openapi:lint:spectral` green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pnpm 10 reads workspace-level config (including overrides) from pnpm-workspace.yaml, not package.json. The previous commit put them under package.json#pnpm.overrides; this moves them to the canonical location. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
barjin (Member) approved these changes on May 6, 2026 and left a comment:
A quick question, but not blocking (it seems it has been like this before as well). Thanks!
Comment on lines +16 to +18:
    uuid@>=11.0.0: ^11.1.1
    js-yaml@>=4.0.0: ^4.1.1
    ajv@>=8.0.0 <9.0.0: 8.18.0
barjin (Member): If something requires a new major version of uuid or js-yaml, will this force it back on uuid@11 and js-yaml@4? Shouldn't we use the pattern from ajv here, instead?
Author (Member): Good catch — bounded both ranges to the current major in 57a27c0 (mirroring the ajv pattern), so a future uuid@12 / js-yaml@5 won't get silently pinned back.
Per review feedback, mirror the bounded pattern used for ajv so a future major bump (uuid@12, js-yaml@5) isn't silently forced back to the current major. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
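To make the review point above checkable, here is an added example in Node.js (not code from this PR or the repository) that parses a constructed pnpm-workspace.yaml `overrides:` block and flags selector keys that have a lower bound but no upper bound while the replacement pins a single major, suggesting the bounded form used for ajv. The sample YAML, the minimal flat-mapping parser and the function names are assumptions.

```javascript
// Added example, not code from the PR: lint a pnpm-workspace.yaml "overrides:"
// block for selector keys such as "uuid@>=11.0.0" that have a lower bound but no
// upper bound. They also match a future uuid@12 and would silently force it back
// to ^11.x; the bounded "ajv@>=8.0.0 <9.0.0" form does not. Sample is constructed.
const SAMPLE_WORKSPACE_YAML = `
packages:
  - "apps/*"
overrides:
  protobufjs: ^7.5.5
  uuid@>=11.0.0: ^11.1.1
  js-yaml@>=4.0.0 <5.0.0: ^4.1.1
  ajv@>=8.0.0 <9.0.0: 8.18.0
`;

// Parse only the flat "overrides:" mapping (one "key: value" per indented line).
function parseOverrides(yamlText) {
  const overrides = {};
  let inBlock = false;
  for (const line of yamlText.split('\n')) {
    if (/^overrides:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock) continue;
    // An unindented non-empty line ends the block; blank lines are skipped.
    if (!/^\s+\S/.test(line)) { if (line.trim() !== '') inBlock = false; continue; }
    // Selectors contain no ": ", so the first ": " separates key from replacement.
    const m = line.trim().match(/^(.+?):\s+(\S+)$/);
    if (m) overrides[m[1]] = m[2];
  }
  return overrides;
}

// Keys whose selector is open-ended above but whose replacement pins one major.
function findUnboundedMajorPins(overrides) {
  const findings = [];
  for (const [key, replacement] of Object.entries(overrides)) {
    const at = key.lastIndexOf('@');
    if (at <= 0) continue;                 // bare (or bare scoped) name: no selector
    const selector = key.slice(at + 1);
    const hasLower = /(^|\s)>=?\d/.test(selector);
    const hasUpper = /(^|\s)<=?\d/.test(selector) || /^[\^~]/.test(selector);
    if (!hasLower || hasUpper) continue;
    const major = parseInt(replacement.replace(/^[\^~]/, ''), 10);   // "^11.1.1" -> 11
    findings.push({ pkg: key.slice(0, at), key, replacement, suggested: `${key} <${major + 1}.0.0` });
  }
  return findings;
}

for (const f of findUnboundedMajorPins(parseOverrides(SAMPLE_WORKSPACE_YAML))) {
  console.log(`${f.key}: ${f.replacement} also matches future majors; use "${f.suggested}"`);
}
```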
The previous commit changed override keys in pnpm-workspace.yaml but forgot to stage the resulting lockfile metadata update, which broke `pnpm install --frozen-lockfile` in CI with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Resolves all open Dependabot alerts in pnpm-lock.yaml via lockfile-only updates plus an extended pnpm.overrides block.

Direct + workspace-range bumps

Overrides reorganized

Root `overrides` moved to `pnpm.overrides` (pnpm honors it more uniformly across the dep graph) and extended with the remaining vulnerable transitives:
- protobufjs ^7.5.5 (closes #216 — critical)
- dompurify ^3.4.0 (closes #215, #217–#219)
- fast-xml-parser ^5.7.0 (closes #220)
- uuid ^11.1.1 (closes #236; leaves the unrelated 8.3.2 entry alone)
- js-yaml ^4.1.1 (closes #208)
- lodash ^4.17.23 — replaces prior ^4.18.0 with a wider range that still satisfies the patched-version requirement (closes #209, #213, #214)
- postcss ^8.5.10 — already present, now actually applied uniformly via pnpm.overrides (closes #222)
- yaml ^1.10.3 — already present (closes #211)

Resolved versions in lockfile after install
protobufjs 7.5.6 · dompurify 3.4.2 · fast-xml-parser 5.7.3 · uuid 11.1.1 · js-yaml 4.1.1 · lodash 4.17.23 + 4.18.1 · postcss 8.5.14 · yaml 1.10.3 · axios 1.16.0
No vulnerable versions remain.
Out of scope

not_used (rspack pipeline doesn't pull the webpack/terser path that loads it).

🤖 Generated with Claude Code