Skip to content

chore(deps): consolidate dependabot updates#1463

Merged
kentwelcome merged 1 commit into
mainfrom
chore/dependabot-20260713-110426
Jul 13, 2026
Merged

chore(deps): consolidate dependabot updates#1463
kentwelcome merged 1 commit into
mainfrom
chore/dependabot-20260713-110426

Conversation

@gcko

@gcko gcko commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Consolidates the safe, tested Dependabot updates into a single branch. All changes are frontend (npm/pnpm); no Python dependencies changed.

The two ag-grid v36 major PRs (#1454, #1456) are intentionally not included here — they require a real migration (see Deferred below) and are left open.

Dependabot-driven changes

Group PR #1461 (all-minor-patch, 38 packages) + #1455 (@types/node). Full per-package list is in the commit body; notable application deps:

Package From To Notes
@mui/material / @mui/system ^9.1.1 ^9.2.0 minor; Vitest ESM inline fix confirmed intact
@sentry/nextjs / @sentry/react ^10.58.0 ^10.64.0 minor; static-export build unaffected by the Node OTel-provider default change
@tanstack/react-query 5.100.14 5.101.2 override unclamped 5.101.0 → 5.101.2
@xyflow/react ^12.11.0 ^12.11.2 patch
next / @next/third-parties 16.2.9 16.2.10 patch (republish of @next/swc-wasm-web)
posthog-js ^1.390.2 ^1.399.2 minor
@amplitude/unified 1.1.16 1.1.21 override unclamped; version-bump-only releases
@codemirror/state,view · @uiw/* · @zumer/snapdom · react-icons · import-in-the-middle minor/patch
@types/node (dev) ^25.9.3 ^26.1.0 #1455 — types-only, additive; satisfied by TS ^6.0.3
vite (dev) ^8.0.16 ^8.1.4 minor; monorepo resolution fixes
vitest / coverage-v8 / browser-playwright (dev) ^4.1.9 ^4.1.10 patch
@biomejs/biome (dev) 2.5.0 2.5.3 acked per js/.husky/pre-commit guard (DRC-3460); re-verified no macOS-arm64 stack overflow; EXPECTED_BIOME bumped in-commit
tailwindcss / postcss / playwright / msw / fast-check / globals / baseline-browser-mapping (dev) minor/patch

@datarecce/ui contract preserved: consumer-facing dependencies floors in js/packages/ui/package.json were left unchanged; only its devDependencies moved (per js/packages/ui/DEPENDENCIES.md).

One follow-on code change: Biome 2.5.3 newly flags noUnsafeOptionalChaining in toDataDiffGrid.test.ts — fixed by removing redundant optional chaining inside an already-guarded block.

Audit-driven changes

None bundled — all group updates were covered by Dependabot. Remaining audit findings are advisory (see Deferred).

Security review findings

pnpm audit + GitHub Dependabot alerts. All three are pre-existing on main and none were introduced by this changeset:

Advisory Severity Ecosystem Status
black < 26.3.1 (GHSA-3936-cmfr-pm3m) HIGH pip (dev tooling) Pre-existing; recommend separate security PR (see below). Not a blocker for this frontend-only change.
dompurify <= 3.4.10 via posthog-js (GHSA-cmwh-pvxp-8882) Moderate npm Pre-existing; posthog-js bump did not move the resolved 3.4.10. Fixable via a dompurify override — advisory.
esbuild >=0.27.3 <0.28.1 via @sentry build tooling (GHSA-g7r4-m6w7-qqqr) Low npm (dev) Pre-existing; dev-server-only, Windows-only. Advisory.

Deferred / separate PRs recommended

Item Current Target Reason
ag-grid-community / ag-grid-react (#1454, #1456) 35.3.1 36.0.0 Major — NEEDS-MIGRATION (v36 DOM/CSS selector rewrite, suppressContentVisibilityAuto flip on ScreenshotDataGrid, ModuleRegistry/ValidationModule, human visual QA).
typescript 6.0.3 7.0.2 Major — TS 7 (native compiler). Not a Dependabot PR; deliberate migration.
black 25.11.0 ≥26.3.1 HIGH CVE — quick security PR; note black majors can reformat, so run make format after.
dompurify (transitive) 3.4.10 ≥3.4.11 Moderate CVE — override bump.

Test plan

  • pnpm lint (Biome 2.5.3)
  • pnpm type:check
  • pnpm test — 184 files, 4042 passed / 5 skipped
  • pnpm run build — Next 16.2.10 static export OK
  • CI=true pnpm install --frozen-lockfile — clean-room lockfile consistent
  • Python flake8 + black --check + isort --check + pytest tests (1554 passed / 5 skipped)
  • All 8 pnpm/action-setup sites still pinned to version: 11.1.1 (pnpm 11.12.0 CI trap guard)

🤖 Generated with Claude Code

Consolidates Dependabot group PR #1461 (all-minor-patch, 38 pkgs) and
#1455 (@types/node) into one tested branch. All frontend (npm/pnpm);
no Python deps changed.

Application dependencies (js/package.json):
- @amplitude/unified: 1.1.16 → 1.1.21
- @codemirror/state: ^6.6.0 → ^6.7.1
- @codemirror/view: ^6.43.1 → ^6.43.6
- @mui/material: ^9.1.1 → ^9.2.0
- @mui/system: ^9.1.1 → ^9.2.0
- @next/third-parties: 16.2.9 → 16.2.10
- @sentry/nextjs: ^10.58.0 → ^10.64.0
- @sentry/react: ^10.58.0 → ^10.64.0
- @tailwindcss/postcss: ^4.3.1 → ^4.3.2
- @tanstack/react-query: 5.100.14 → 5.101.2
- @uiw/codemirror-theme-github: ^4.25.10 → ^4.25.11
- @uiw/react-codemirror: ^4.25.10 → ^4.25.11
- @xyflow/react: ^12.11.0 → ^12.11.2
- @zumer/snapdom: ^2.12.9 → ^2.15.0
- import-in-the-middle: ^3.1.0 → ^3.3.1
- next: 16.2.9 → 16.2.10
- posthog-js: ^1.390.2 → ^1.399.2
- react-icons: ^5.6.0 → ^5.7.0

Dev dependencies (js/package.json, storybook, ui devDeps):
- @amplitude/analytics-core: ^2.50.0 → ^2.52.1
- @biomejs/biome: 2.5.0 → 2.5.3
- @types/node: ^25.9.3 → ^26.1.0 (#1455)
- @vitejs/plugin-react: ^6.0.2 → ^6.0.3
- @vitest/coverage-v8, vitest: ^4.1.9 → ^4.1.10
- @vitest/browser-playwright: ^4.1.9 → ^4.1.10 (storybook)
- @playwright/test, playwright: ^1.61.0 → ^1.61.1 (storybook)
- msw: ^2.14.6 → ^2.15.0 (storybook)
- baseline-browser-mapping: ^2.10.38 → ^2.10.42
- fast-check: ^4.8.0 → ^4.9.0
- globals: ^17.6.0 → ^17.7.0
- postcss: ^8.5.15 → ^8.5.16
- read-excel-file: ^9.2.0 → ^9.3.0
- tailwindcss: ^4.3.1 → ^4.3.2
- @tailwindcss/cli, @tsdown/css, tsdown, typedoc (ui devDeps)

pnpm-workspace.yaml overrides bumped to unclamp the group targets
(exact pins that otherwise hold the locked version):
- @tanstack/react-query: 5.101.0 → 5.101.2
- @biomejs/biome: 2.5.0 → 2.5.3
- @amplitude/unified: 1.1.16 → 1.1.21

Consumer-facing @datarecce/ui `dependencies` floors intentionally left
unchanged (only devDeps bumped) per js/packages/ui/DEPENDENCIES.md.

biome 2.5.0 → 2.5.3 acked per the js/.husky/pre-commit guard (DRC-3460):
re-verified `biome check` clean on macOS arm64 (no stack overflow) and
bumped EXPECTED_BIOME to 2.5.3 in the same commit.

Also fixes a Biome 2.5.3 noUnsafeOptionalChaining error surfaced in
toDataDiffGrid.test.ts by the linter bump (removed redundant optional
chaining inside a guarded block).

ag-grid v36 (PRs #1454, #1456) deferred — see PR body.

Refs: #1461, #1455
Signed-off-by: Jared Scott <jared.scott@datarecce.io>
@gcko gcko self-assigned this Jul 13, 2026
@gcko gcko requested a review from kentwelcome July 13, 2026 04:08

@kentwelcome kentwelcome left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kentwelcome kentwelcome merged commit 31d610c into main Jul 13, 2026
7 checks passed
@kentwelcome kentwelcome deleted the chore/dependabot-20260713-110426 branch July 13, 2026 06:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants