gfds#9274
Closed
FuzzysTodd wants to merge 6 commits into
…pdates

Bumps the npm_and_yarn group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [tsup](https://github.com/egoist/tsup) | `8.0.2` | `8.3.5` |
| [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) | `7.23.9` | `7.26.10` |
| [base-x](https://github.com/cryptocoinjs/base-x) | `3.0.9` | `3.0.11` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [cipher-base](https://github.com/crypto-browserify/cipher-base) | `1.0.4` | `1.0.7` |
| [form-data](https://github.com/form-data/form-data) | `3.0.1` | `3.0.4` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `1.8.0` | `1.9.0` |
| [pbkdf2](https://github.com/browserify/pbkdf2) | `3.1.2` | `3.1.5` |
| [ses](https://github.com/endojs/endo/tree/HEAD/packages/ses) | `1.1.0` | `1.14.0` |
| [sha.js](https://github.com/crypto-browserify/sha.js) | `2.4.11` | `2.4.12` |

Updates `tsup` from 8.0.2 to 8.3.5
- [Release notes](https://github.com/egoist/tsup/releases)
- [Commits](egoist/tsup@v8.0.2...v8.3.5)

Updates `@babel/runtime` from 7.23.9 to 7.26.10
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-runtime)

Updates `base-x` from 3.0.9 to 3.0.11
- [Commits](cryptocoinjs/base-x@v3.0.9...v3.0.11)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `cipher-base` from 1.0.4 to 1.0.7
- [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md)
- [Commits](browserify/cipher-base@v1.0.4...v1.0.7)

Updates `esbuild` from 0.19.12 to 0.27.0
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md)
- [Commits](evanw/esbuild@v0.19.12...v0.27.0)

Updates `form-data` from 3.0.1 to 3.0.4
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v3.0.1...v3.0.4)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `path-to-regexp` from 1.8.0 to 1.9.0
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v1.8.0...v1.9.0)

Updates `pbkdf2` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md)
- [Commits](browserify/pbkdf2@v3.1.2...v3.1.5)

Updates `rollup` from 4.12.0 to 4.53.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.12.0...v4.53.2)

Updates `ses` from 1.1.0 to 1.14.0
- [Release notes](https://github.com/endojs/endo/releases)
- [Changelog](https://github.com/endojs/endo/blob/master/packages/ses/CHANGELOG.md)
- [Commits](https://github.com/endojs/endo/commits/ses@1.14.0/packages/ses)

Updates `sha.js` from 2.4.11 to 2.4.12
- [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md)
- [Commits](browserify/sha.js@v2.4.11...v2.4.12)

```yaml
---
updated-dependencies:
- dependency-name: tsup
  dependency-version: 8.3.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@babel/runtime"
  dependency-version: 7.26.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: base-x
  dependency-version: 3.0.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cipher-base
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.27.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 3.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 1.9.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: pbkdf2
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.53.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ses
  dependency-version: 1.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: sha.js
  dependency-version: 2.4.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
...
```

Signed-off-by: dependabot[bot] <support@github.com>
…_yarn-89d6af22f7 chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates
| "@metamask/gas-fee-controller": ^13.0.0 | ||
| "@metamask/network-controller": ^17.2.0 | ||
| languageName: unknown | ||
| linkType: soft |
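Review bot: this hand-added `@metamask/transaction-controller` workspace stanza (ending in `languageName: unknown` / `linkType: soft`) pins `@metamask/gas-fee-controller: ^13.0.0` and `@metamask/network-controller: ^17.2.0`, ranges a Dependabot bump of the listed packages has no reason to introduce; a yarn lockfile should carry exactly one entry per workspace, so drop this stanza and regenerate the lockfile with `yarn install` rather than editing it by hand, then confirm only the existing workspace entry for the package remains.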
Stale duplicate workspace lock entry
High Severity
A second @metamask/transaction-controller workspace stanza was inserted with outdated dependency versions, while another workspace entry for the same package still exists later in the lockfile with current versions.
Reviewed by Cursor Bugbot for commit 2f927e3.
| "@babel/runtime": "^6.26.10", | ||
| "@metamask/approval-controller": "^5.1.2", | ||
| "@metamask/gas-fee-controller": "^13.0.0", | ||
| "@metamask/network-controller": "^17.2.0" |
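Review bot: the added peerDependencies entry `"@babel/runtime": "^6.26.10"` is a full major behind the 7.26.10 that this same PR bumps `@babel/runtime` to in the description, so consumers would see an unsatisfiable 6.x peer range, and `"@metamask/approval-controller": "^5.1.2"` together with the `^13.0.0` and `^17.2.0` controller pins look equally stale relative to what the package actually depends on; either remove these peer lines (a Dependabot bump should only change the versions it reports) or align each range with the corresponding entry in the dependencies block.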
Stale peer versions vs dependencies
Medium Severity
New peerDependencies pin @metamask/approval-controller, @metamask/gas-fee-controller, and @metamask/network-controller to much older majors than the same package’s dependencies block, which declares current controller versions.
Reviewed by Cursor Bugbot for commit 2f927e3.
Note
Medium Risk
Duplicate `package.json` dependency keys and a very large, partially interleaved `yarn.lock` diff can break installs or pull unintended versions; no runtime logic changes, but merge hygiene is poor.
Overview
Adds a new root SECURITY.md with the default GitHub security-policy template (supported version table and placeholder vulnerability reporting section).
`packages/transaction-controller/package.json` gains extra devDependency and peerDependency entries (`@babel/runtime`, `@metamask/auto-changelog`, and MetaMask controller peers) without removing the existing lines, so the file now lists duplicate keys for those fields. `yarn.lock` is heavily updated with new resolution blocks (e.g. `@babel/runtime`, `esbuild` 0.27, `rollup` 4.53, `tsup`, and a workspace snapshot for `@metamask/transaction-controller` with older dependency versions), alongside large removals and reordered entries elsewhere in the lockfile.
Reviewed by Cursor Bugbot for commit 52b3700.
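The two findings above (duplicate `package.json` keys, and peer ranges a major behind the declared dependencies) are easy to miss because `JSON.parse` silently keeps the last duplicate key. The following is an added example, not code from this PR or the MetaMask repository: a small lint that scans the raw manifest text for duplicate keys and then compares peerDependencies majors against dependencies/devDependencies. The sample manifest, the `@example/` package name and the `^22.0.0` range are constructed; only `^6.26.10`, `^7.26.10` and `^17.2.0` come from the review.

```javascript
// Added example, not code from the PR or the MetaMask repository: a lint for the two
// problems the review raises. JSON.parse silently keeps the LAST duplicate key, so
// duplicates are found on the raw text. Sample manifest and versions are constructed.
function findDuplicateKeys(text) {
  const dups = [], scopes = [], path = [];   // scopes: one Set of seen keys per open object
  let pendingKey = null, i = 0;              // path: key path down to the current object
  while (i < text.length) {
    const c = text[i];
    if (c === '"') {                         // scan a JSON string literal
      let j = i + 1, s = '';
      while (j < text.length && text[j] !== '"') {
        if (text[j] === '\\') j++;           // keep escaped char, drop the backslash
        s += text[j++];
      }
      let k = j + 1;
      while (k < text.length && /\s/.test(text[k])) k++;
      if (text[k] === ':' && scopes.length) {   // the string is an object key
        const scope = scopes[scopes.length - 1];
        if (scope.has(s)) dups.push([...path, s].filter(Boolean).join('.'));
        scope.add(s);
        pendingKey = s;
      }
      i = j + 1;
      continue;
    }
    if (c === '{') { scopes.push(new Set()); path.push(pendingKey ?? ''); pendingKey = null; }
    else if (c === '}') { scopes.pop(); path.pop(); }
    i++;
  }
  return dups;
}
// major of a semver range such as "^7.26.10"; null for ranges like "workspace:^"
const majorOf = (range) => { const m = /^\D*(\d+)/.exec(range || ''); return m ? Number(m[1]) : null; };
// peerDependencies whose major differs from what dependencies/devDependencies declare
function peerMajorMismatches(pkg) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(pkg.peerDependencies || {})
    .filter(([n, peer]) => n in declared && majorOf(peer) !== null &&
            majorOf(declared[n]) !== null && majorOf(peer) !== majorOf(declared[n]))
    .map(([n, peer]) => ({ name: n, peer, declared: declared[n] }));
}
function lintPackageJson(text) {
  return { duplicates: findDuplicateKeys(text), mismatches: peerMajorMismatches(JSON.parse(text)) };
}
const SAMPLE = `{ "name": "@example/transaction-controller",
  "dependencies": { "@metamask/network-controller": "^22.0.0" },
  "devDependencies": { "@babel/runtime": "^7.23.9", "@babel/runtime": "^7.26.10" },
  "peerDependencies": { "@metamask/network-controller": "^22.0.0" },
  "peerDependencies": { "@babel/runtime": "^6.26.10", "@metamask/network-controller": "^17.2.0" } }`;
console.log(JSON.stringify(lintPackageJson(SAMPLE), null, 2));
```

Because the second `peerDependencies` block wins in `JSON.parse`, the mismatch check alone would report a clean manifest if the stale block came first; running the duplicate-key scan on the raw text is what makes the problem visible either way.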