chore(deps): consolidate dependabot updates#1463
Merged
Merged
Conversation
Consolidates Dependabot group PR #1461 (all-minor-patch, 38 pkgs) and #1455 (@types/node) into one tested branch. All frontend (npm/pnpm); no Python deps changed. Application dependencies (js/package.json): - @amplitude/unified: 1.1.16 → 1.1.21 - @codemirror/state: ^6.6.0 → ^6.7.1 - @codemirror/view: ^6.43.1 → ^6.43.6 - @mui/material: ^9.1.1 → ^9.2.0 - @mui/system: ^9.1.1 → ^9.2.0 - @next/third-parties: 16.2.9 → 16.2.10 - @sentry/nextjs: ^10.58.0 → ^10.64.0 - @sentry/react: ^10.58.0 → ^10.64.0 - @tailwindcss/postcss: ^4.3.1 → ^4.3.2 - @tanstack/react-query: 5.100.14 → 5.101.2 - @uiw/codemirror-theme-github: ^4.25.10 → ^4.25.11 - @uiw/react-codemirror: ^4.25.10 → ^4.25.11 - @xyflow/react: ^12.11.0 → ^12.11.2 - @zumer/snapdom: ^2.12.9 → ^2.15.0 - import-in-the-middle: ^3.1.0 → ^3.3.1 - next: 16.2.9 → 16.2.10 - posthog-js: ^1.390.2 → ^1.399.2 - react-icons: ^5.6.0 → ^5.7.0 Dev dependencies (js/package.json, storybook, ui devDeps): - @amplitude/analytics-core: ^2.50.0 → ^2.52.1 - @biomejs/biome: 2.5.0 → 2.5.3 - @types/node: ^25.9.3 → ^26.1.0 (#1455) - @vitejs/plugin-react: ^6.0.2 → ^6.0.3 - @vitest/coverage-v8, vitest: ^4.1.9 → ^4.1.10 - @vitest/browser-playwright: ^4.1.9 → ^4.1.10 (storybook) - @playwright/test, playwright: ^1.61.0 → ^1.61.1 (storybook) - msw: ^2.14.6 → ^2.15.0 (storybook) - baseline-browser-mapping: ^2.10.38 → ^2.10.42 - fast-check: ^4.8.0 → ^4.9.0 - globals: ^17.6.0 → ^17.7.0 - postcss: ^8.5.15 → ^8.5.16 - read-excel-file: ^9.2.0 → ^9.3.0 - tailwindcss: ^4.3.1 → ^4.3.2 - @tailwindcss/cli, @tsdown/css, tsdown, typedoc (ui devDeps) pnpm-workspace.yaml overrides bumped to unclamp the group targets (exact pins that otherwise hold the locked version): - @tanstack/react-query: 5.101.0 → 5.101.2 - @biomejs/biome: 2.5.0 → 2.5.3 - @amplitude/unified: 1.1.16 → 1.1.21 Consumer-facing @datarecce/ui `dependencies` floors intentionally left unchanged (only devDeps bumped) per js/packages/ui/DEPENDENCIES.md. biome 2.5.0 → 2.5.3 acked per the js/.husky/pre-commit guard (DRC-3460): re-verified `biome check` clean on macOS arm64 (no stack overflow) and bumped EXPECTED_BIOME to 2.5.3 in the same commit. Also fixes a Biome 2.5.3 noUnsafeOptionalChaining error surfaced in toDataDiffGrid.test.ts by the linter bump (removed redundant optional chaining inside a guarded block). ag-grid v36 (PRs #1454, #1456) deferred — see PR body. Refs: #1461, #1455 Signed-off-by: Jared Scott <jared.scott@datarecce.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Consolidates the safe, tested Dependabot updates into a single branch. All changes are frontend (npm/pnpm); no Python dependencies changed.
The two ag-grid v36 major PRs (#1454, #1456) are intentionally not included here — they require a real migration (see Deferred below) and are left open.
Dependabot-driven changes
Group PR #1461 (all-minor-patch, 38 packages) + #1455 (@types/node). Full per-package list is in the commit body; notable application deps:
@datarecce/ui contract preserved: consumer-facing
dependenciesfloors injs/packages/ui/package.jsonwere left unchanged; only its devDependencies moved (perjs/packages/ui/DEPENDENCIES.md).One follow-on code change: Biome 2.5.3 newly flags
noUnsafeOptionalChainingintoDataDiffGrid.test.ts— fixed by removing redundant optional chaining inside an already-guarded block.Audit-driven changes
None bundled — all group updates were covered by Dependabot. Remaining audit findings are advisory (see Deferred).
Security review findings
pnpm audit+ GitHub Dependabot alerts. All three are pre-existing onmainand none were introduced by this changeset:black < 26.3.1(GHSA-3936-cmfr-pm3m)dompurify <= 3.4.10via posthog-js (GHSA-cmwh-pvxp-8882)dompurifyoverride — advisory.esbuild >=0.27.3 <0.28.1via @sentry build tooling (GHSA-g7r4-m6w7-qqqr)Deferred / separate PRs recommended
suppressContentVisibilityAutoflip on ScreenshotDataGrid, ModuleRegistry/ValidationModule, human visual QA).make formatafter.Test plan
pnpm lint(Biome 2.5.3)pnpm type:checkpnpm test— 184 files, 4042 passed / 5 skippedpnpm run build— Next 16.2.10 static export OKCI=true pnpm install --frozen-lockfile— clean-room lockfile consistentflake8+black --check+isort --check+pytest tests(1554 passed / 5 skipped)pnpm/action-setupsites still pinned toversion: 11.1.1(pnpm 11.12.0 CI trap guard)🤖 Generated with Claude Code