chore: Apply dependabot upgrades from dependabotchanges (ADO #41266) #218
Open
Shreyas-Microsoft wants to merge 12 commits into dev from
feat: Dev merge to Main and introducing V2
ACR Standard SKU does not support OCI image indexes containing buildx attestation manifests, causing docker/build-push-action to fail with '400 Bad Request' on the manifest HEAD/PUT step.
Set provenance: false on all docker/build-push-action@v6 steps in:
- .github/workflows/docker-build-and-push.yml
- .github/workflows/job-docker-build.yml
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ce-acr-standard fix(ci): disable buildx provenance to fix ACR Standard push (400)
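
For reference, this is what the image index named in the commit message above contains when buildx provenance is left on, and how to tell images from attestation entries in it. It is an added example, not code from this PR or repository; the function names and the sample index are constructed, and the annotation keys are the ones buildx writes on attestation entries.

```python
import json

# Annotation keys that buildx puts on attestation entries in an image index.
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"

def classify_index(raw: str) -> dict:
    """Split an OCI image index into runnable images and attestation manifests."""
    doc = json.loads(raw)
    if "manifests" not in doc:
        # A plain image manifest carries "config"/"layers", not a "manifests" array.
        return {"is_index": False, "images": [], "attestations": []}
    images, attestations = [], []
    for entry in doc["manifests"]:
        ann = entry.get("annotations") or {}
        plat = entry.get("platform") or {}
        if ann.get(REF_TYPE) == "attestation-manifest":
            attestations.append({"digest": entry["digest"], "subject": ann.get(REF_DIGEST)})
        else:
            images.append({"digest": entry["digest"],
                           "platform": f"{plat.get('os', '?')}/{plat.get('architecture', '?')}"})
    return {"is_index": True, "images": images, "attestations": attestations}

def unattested(result: dict) -> list:
    """Digests of images in the index that no attestation manifest points at."""
    covered = {a["subject"] for a in result["attestations"]}
    return [i["digest"] for i in result["images"] if i["digest"] not in covered]

# Constructed sample data: digests are placeholders, not real images.
AMD64, ARM64, ATTEST = ("sha256:" + c * 64 for c in "abc")
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": AMD64, "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": ARM64, "platform": {"os": "linux", "architecture": "arm64"}},
        {"digest": ATTEST, "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: AMD64}},
    ],
})
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"digest": AMD64}, "layers": [],
})

if __name__ == "__main__":
    report = classify_index(SAMPLE_INDEX)
    print(report, unattested(report))
```

Feeding it the output of `docker buildx imagetools inspect --raw <image>` shows whether a pushed tag still carries attestations once `provenance: false` is set.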

Equivalent of #167. Applied as direct version bumps because the dependabot branch diverged heavily from main+dev.
- actions/checkout v4 -> v6
- actions/setup-python v5 -> v6
- actions/upload-artifact v4 -> v7
- actions/stale v9 -> v10
- docker/setup-buildx-action v3 -> v4
- docker/build-push-action v6 -> v7
- codfish/semantic-release-action v3 -> v5
- amannn/action-semantic-pull-request v5 -> v6
- lycheeverse/lychee-action v2.4.1 -> v2.8.0
- tj-actions/changed-files v46 -> v47.0.5
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…for ADO #41266
Equivalent of #168. pyproject.toml versions bumped to dependabot recommendations and uv.lock regenerated via 'uv lock --upgrade'.
- aiofiles 24.1.0 -> 25.1.0
- azure-ai-agents 1.2.0b3 -> 1.2.0b6
- azure-appconfiguration 1.7.1 -> 1.8.0
- azure-identity 1.25.0 -> 1.25.3
- azure-monitor-opentelemetry 1.7.0 -> 1.8.7
- azure-search-documents 11.6.0b12 -> 11.7.0b2
- azure-storage-blob 12.26.0 -> 12.28.0
- azure-storage-queue 12.13.0 -> 12.15.0
- fastapi[standard] 0.116.1 -> 0.135.3
- pydantic-settings 2.10.1 -> 2.13.1
- sas-cosmosdb 0.1.4 -> 0.1.5
- semantic-kernel[azure] 1.40.0 -> 1.41.1
- uvicorn 0.35.0 -> 0.42.0
Validation: all 13 upgraded modules import cleanly. Existing src/tests suite has pre-existing broken imports (libs/, routers/ missing in src/) on main and dev unrelated to this upgrade.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

… for ADO #41266
Equivalent of #214. pyproject.toml versions bumped and uv.lock regenerated via 'uv lock --upgrade'.
Applied:
- aiohttp 3.13.3 -> 3.13.5
- azure-ai-projects 2.0.0b3 -> 2.1.0
- azure-appconfiguration 1.7.2 -> 1.8.0
- fastmcp 2.14.5 -> 3.2.4 (major bump, API-compatible)
- mcp 1.25.0 -> 1.27.0
- openai 2.15.0 -> 2.33.0
- psutil 7.2.1 -> 7.2.2
- pytz 2025.2 -> 2026.1.post1
- sas-cosmosdb 0.1.4 -> 0.1.5
Skipped (with rationale):
- azure-ai-agents 1.2.0b6: blocked by agent-framework==1.0.0b260107 which pins azure-ai-agents==1.2.0b5 (kept current pin).
- azure-identity 1.25.3: current pin (1.26.0b1) is newer than dependabot target.
- azure-storage-queue 12.15.0: already at target.
- semantic-kernel 1.41.3: not present in processor (removed from main+dev, replaced by agent-framework).
Validation: fastmcp v3 'from fastmcp import FastMCP' API still works, all 4 processor mcp_server modules import successfully under v3.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…n src/frontend for ADO #41266
Equivalent of #169, partial. This commit covers ONLY the minor/patch bumps. Major version bumps (React 18->19, MSAL 4->5, vite 6->8, tailwindcss 3->4, eslint 9->10, uuid 11->13, etc.) are intentionally deferred for explicit per-package review per AC-4.
Applied (minor/patch):
- @fluentui/react ^8.122.9 -> ^8.125.5
- @fluentui/react-components ^9.56.7 -> ^9.73.7
- @fluentui/react-file-type-icons ^8.12.7 -> ^8.17.0
- @fluentui/react-icons ^2.0.270 -> ^2.0.323
- @reduxjs/toolkit ^2.2.7 -> ^2.11.2
- @tailwindcss/vite ^4.0.0 -> ^4.2.2
- autoprefixer ^10.4.20 -> ^10.4.27
- postcss ^8.5.0 -> ^8.5.8
- react-icons ^5.5.0 -> ^5.6.0
- react-router-dom ^7.13.1 -> ^7.13.2
- sql-formatter ^15.4.11 -> ^15.7.3
- rollup-plugin-dts ^6.1.1 -> ^6.4.1
- eslint-plugin-react ^7.37.2 -> ^7.37.5
- rollup ^4.59.0 -> ^4.60.1
Validation: 'npm install' clean, 'npm run build' clean (vite production build OK).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Applied 20 major version bumps from dependabot PR #169:
- React 18 -> 19 (react, react-dom, @types/react, @types/react-dom)
- @azure/msal-browser, @azure/msal-react 4 -> 5
- vite 6 -> 8
- tailwindcss 3 -> 4 (added @tailwindcss/postcss; updated postcss.config.js)
- uuid 11 -> 13
- Plus other minor majors (recharts, react-router-dom, etc.)
Skipped/reverted with rationale:
- eslint kept at ^9.39.4 (eslint-plugin-react@7.37.5 and eslint-plugin-react-hooks@7.1.1 peer-cap at eslint ^9; no plugins compatible with eslint 10 yet)
- @eslint/js kept at ^9 to match eslint
- axios kept at 1.15.0 (newer than dependabot target 1.14.0)
- js-yaml, lottie-react, react-markdown already at target versions
Validation: npm install succeeded; npm run build succeeded (with expected fluentui peer-dep warnings around React 19; build output is clean).
Refs ADO #41266
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Pull request overview
This PR consolidates multiple Dependabot upgrades (GitHub Actions, Python/uv dependencies for backend-api and processor, and npm dependencies for frontend) into a single branch intended to be validated and merged.
Changes:
- Updates GitHub Actions used across CI/CD workflows (checkout/setup-python/upload-artifact/buildx/build-push/etc.).
- Refreshes Python dependency pins for src/backend-api and src/processor (including fastmcp v2→v3 for processor) and updates the src/processor/uv.lock.
- Updates the frontend toolchain and libraries (React 18→19, Vite 6→8, Tailwind 3→4, MSAL 4→5) and adjusts PostCSS config for Tailwind v4.
Reviewed changes
Copilot reviewed 20 out of 23 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/processor/uv.lock | Updates the processor’s locked Python dependency graph (including fastmcp v3 and related transitive changes). |
| src/processor/pyproject.toml | Bumps pinned processor runtime dependencies to match refreshed lockfile. |
| src/frontend/postcss.config.js | Switches PostCSS Tailwind plugin to @tailwindcss/postcss for Tailwind v4. |
| src/frontend/package.json | Major/minor npm dependency upgrades across React/MSAL/Vite/Tailwind and related tooling. |
| src/backend-api/pyproject.toml | Bumps pinned backend-api Python dependencies (FastAPI, Azure SDKs, uvicorn, etc.). |
| .github/workflows/validate-bicep-params.yml | Updates GitHub Action versions used in bicep param validation. |
| .github/workflows/test.yml | Updates checkout action version. |
| .github/workflows/stale-bot.yml | Updates actions used by stale/branch cleanup automation. |
| .github/workflows/pylint.yml | Updates checkout/setup-python action versions. |
| .github/workflows/pr-title-checker.yml | Updates semantic PR title check action version. |
| .github/workflows/job-docker-build.yml | Updates Docker-related actions and disables provenance in build-push steps. |
| .github/workflows/job-deploy.yml | Updates checkout action version. |
| .github/workflows/job-deploy-windows.yml | Updates checkout action version. |
| .github/workflows/job-deploy-linux.yml | Updates checkout action version. |
| .github/workflows/job-cleanup-deployment.yml | Updates checkout action version. |
| .github/workflows/docker-build-and-push.yml | Updates Docker-related actions and disables provenance in build-push steps. |
| .github/workflows/Create-Release..yml | Updates checkout + semantic-release action versions (but currently has an event/ref mismatch). |
| .github/workflows/ci.yml | Updates checkout action version. |
| .github/workflows/broken-links-checker.yml | Updates changed-files + lychee action versions. |
| .github/workflows/azure-dev.yml | Updates checkout action version. |
| .github/workflows/azd-template-validation.yml | Updates checkout action version. |
Comment on lines 16 to 20
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| ref: ${{ github.event.workflow_run.head_sha }} | ||
|
|
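Review bot: `ref: ${{ github.event.workflow_run.head_sha }}` is only populated when the workflow is triggered by a `workflow_run` event; on any other trigger the expression is empty and `actions/checkout` falls back to its default ref, so the job can check out a different commit than intended. The file summary above already flags an event/ref mismatch in Create-Release..yml, so confirm that the trigger and this ref agree before taking the v4 to v6 bump. While this line is being touched, consider pinning `actions/checkout` to the full commit SHA of the v6 release instead of the mutable `v6` tag.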
- Fix lottie-react double-default CJS interop in processPage and progressModal
- Fix highlight.js language registration with unwrap helper for rolldown
- Remove sql-formatter and sql language registration
- Switch Dockerfile build stage to node:20-slim (rolldown needs Node >=20.19)
- Use npm ci instead of npm install in Dockerfile
- Revert react-syntax-highlighter to v15.6.1
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keep our dependabot package versions, take dev code changes. Reapplied lottie-react unwrap fix and kept sql-formatter removed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines 27 to +47
| @@ -40,13 +39,12 @@ import BatchHistoryPanel from "../components/batchHistoryPanel"; | |||
| import ConfirmationDialog from "../commonComponents/ConfirmationDialog/confirmationDialogue"; | |||
| import { determineFileStatus, filesLogsBuilder, renderErrorSection, useStyles, renderFileError, filesErrorCounter, completedFiles, hasFiles, fileErrorCounter, BatchSummary, fileWarningCounter } from "../api/utils"; | |||
| export const History = bundleIcon(HistoryFilled, HistoryRegular); | |||
| import { format } from "sql-formatter"; | |||
|
|
|||
|
|
|||
| SyntaxHighlighter.registerLanguage("sql", sql) | |||
| SyntaxHighlighter.registerLanguage("yaml", yaml) | |||
| SyntaxHighlighter.registerLanguage("markdown", markdown) | |||
| SyntaxHighlighter.registerLanguage("json", json) | |||
| const unwrap = (mod: any) => (typeof mod === "function" ? mod : mod.default); | |||
| SyntaxHighlighter.registerLanguage("yaml", unwrap(yamlLang)) | |||
| SyntaxHighlighter.registerLanguage("markdown", unwrap(markdownLang)) | |||
| SyntaxHighlighter.registerLanguage("json", unwrap(jsonLang)) | |||
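Review bot: the `unwrap` helper takes `mod: any` and returns `mod.default` without checking it, so a module that is neither a function nor carries a default export hands `undefined` to `SyntaxHighlighter.registerLanguage` with no error at the registration site. Type the parameter as `unknown` and throw when the unwrapped value is not a function, naming the language in the message, so a bundler interop change fails loudly at startup. Separately, the `sql` registration no longer appears among the new calls; confirm that no remaining `SyntaxHighlighter` usage still asks for that language.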
| "python-dotenv==1.2.2", | ||
| "python-multipart==0.0.26", | ||
| "pydantic-settings==2.13.1", | ||
| "python-dotenv", |
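Review bot: `python-dotenv` appears twice in these lines, once pinned as `python-dotenv==1.2.2` and once as a bare `python-dotenv`. Keep only the pinned entry on the new side so this package is held to an exact version like its neighbours `python-multipart==0.0.26` and `pydantic-settings==2.13.1`.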
| }); | ||
|
|
||
| // Helper function to clean phase name - removes "PHASE X - " prefix | ||
| // Helper function to clean phase name- removes "PHASE X - " prefix |
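Review bot: the only difference between the two comment lines is the space dropped before the hyphen (`phase name- removes`), which looks accidental. Restore `phase name - removes` so the diff carries no whitespace-only change in a dependency-upgrade PR.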
Comment on lines 973 to 977
| backgroundColor: tokens.colorNeutralBackground1, | ||
| }} | ||
| > | ||
| {format(selectedFile.translatedCode, { language: "tsql" })} | ||
| {selectedFile.translatedCode} | ||
| </SyntaxHighlighter> |
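Review bot: replacing `format(selectedFile.translatedCode, { language: "tsql" })` with the raw `selectedFile.translatedCode` is a user-visible behaviour change, since the translated SQL is now rendered exactly as received, without reformatting. An earlier commit in this PR bumps sql-formatter to ^15.7.3 and a later one removes it, so state the removal and its reason in the PR description and check the rendered output for long single-line statements before merging.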
Purpose
Applies all 4 open dependabot PRs (#167, #168, #169, #214) into a single validated branch, on top of a down-merge of main and dev into dependabotchanges.
Refs ADO work item #41266.
Commits
- main into dependabotchanges
- dev
- backend-api bumps (uv lock refreshed)
- processor bumps (uv lock refreshed)
Validation
- fastmcp v2->v3 API verified across 4 mcp_server modules
- npm install + npm run build succeeded (exit 0)
Skipped with rationale
- azure-ai-agents@1.2.0b6 (processor) - agent-framework==1.0.0b260107 pins b5
- azure-identity@1.25.3 (processor) - current 1.26.0b1 is already newer
- eslint@10 + @eslint/js@10 - eslint-plugin-react@7.37.5 and eslint-plugin-react-hooks@7.1.1 peer-cap at eslint ^9; no compatible plugins yet
- axios@1.14.0 - current 1.15.0 already newer
- js-yaml / lottie-react / react-markdown - already at target
Notable major bumps in PR #169
- @types/react, react-dom)
- @azure/msal-browser / @azure/msal-react 4 -> 5
- vite 6 -> 8
- tailwindcss 3 -> 4 (added @tailwindcss/postcss, updated postcss.config.js)
- uuid 11 -> 13
Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
What to Check
Verify that the following are valid
Other Information