fix: remediate Dependabot security alerts (2026-06-01) #2421
Closed
typeagent-bot[bot] wants to merge 1 commit into
Conversation
Automated by fix-dependabot-alerts workflow.

Applied: exifreader ip-address lodash-es nodemailer qs underscore uuid vite ws xml2js
Rolled back: esbuild
Blocked: 0 package(s)
Shell packaging: passed

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
DLehenbauer pushed a commit to DLehenbauer/TypeAgent that referenced this pull request on Jun 2, 2026
…rosoft#2422)

## Problem

The `Final build verification` step in `.github/workflows/fix-dependabot-alerts.yml` ran `pnpm run build`, which uses **fluid-build** incrementally. fluid-build's per-package fingerprint (and tsc's `.tsbuildinfo`) is keyed off the package's own sources plus the **declared** dep specs in `package.json` — it does **not** invalidate when a transitive dep is bumped within its existing semver range. As a result, a breaking `.d.ts` change in an upgraded dep can pass the script's verification while still failing CI's clean `build_ts` job, producing PRs that break `main` on merge.

### Concrete case: PR microsoft#2421

- `exifreader` bumped `4.30.1 → 4.40.3` (in-range under `^4.30.1`)
- The new `exifreader` `TypedTag` generic gained a 2nd nullable-tuple type parameter
- This broke `typechat-utils/src/image.ts:161` — `GPSLatitude`/`GPSLongitude` no longer assignable to the helper that consumes them
- Script's incremental build skipped re-checking `typechat-utils` (no source change, no package.json change) → reported ✅
- CI's fresh checkout did a clean type-check → caught it on all 6 `build_ts` matrix legs

## Fix

Switch the final verification to `pnpm run rebuild` (= `fluid-build . -t build --rebuild`), matching the workload CI's fresh checkout does. The per-package mid-loop incremental build (line 352) is left as-is for speed — the final rebuild is the backstop. Any package that does fail the rebuild gets recorded in the existing rollback-cooldown state so the same broken bump isn't re-proposed for 7 days.

## Follow-up

Next scheduled run should clean-rebuild, fail on the exifreader change, and auto-roll-back, putting `exifreader` on the 7-day cooldown. PR microsoft#2421 should be closed.

Repro run: [26750395888](https://github.com/microsoft/TypeAgent/actions/runs/26750395888) (workflow ✅) vs PR microsoft#2421's `build_ts` failures (CI ❌).

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
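The cache-invalidation gap the commit message describes, as an added illustration that is not code from this PR, the TypeAgent repository, or fluid-build: a fingerprint keyed on sources plus the declared specs in `package.json` is identical before and after an in-range bump, so an incremental builder skips the package, whereas a fingerprint that also covers the resolved versions from the lockfile changes. The `in_range_bumps` helper is the check an automated dependency-bump workflow could run to decide that a full rebuild is required. Only the exifreader versions and the `^4.30.1` range come from the PR; `example-lib`, the source snippet, the lockfile contents and the simplified caret-range parser are constructed assumptions.

```python
"""
Added illustration (not TypeAgent's or fluid-build's code): why a build
fingerprint keyed on *declared* dependency specs misses an in-range bump,
and why keying on *resolved* lockfile versions does not.  All package data
below is constructed; only exifreader 4.30.1 -> 4.40.3 under ^4.30.1 is
taken from the PR.
"""
import hashlib
import json
import re

# Constructed sample package: sources never change during the bump.
SOURCES = {"src/image.ts": "export const readGps = (tags: unknown) => tags;"}
PACKAGE_JSON = {"dependencies": {"exifreader": "^4.30.1", "example-lib": "^1.2.0"}}
LOCK_BEFORE = {"exifreader": "4.30.1", "example-lib": "1.2.0"}
LOCK_AFTER = {"exifreader": "4.40.3", "example-lib": "1.2.0"}  # in-range bump of exifreader only


def in_caret_range(spec: str, version: str) -> bool:
    """Minimal ^MAJOR.MINOR.PATCH check (major >= 1 only).
    Assumption: this subset of npm semver is enough for the illustration."""
    m = re.fullmatch(r"\^(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported range spec: {spec!r}")
    low = tuple(int(x) for x in m.groups())
    v = tuple(int(x) for x in version.split("."))
    return v[0] == low[0] and v >= low


def fingerprint_by_spec(sources: dict, package_json: dict) -> str:
    """Fingerprint as a spec-keyed incremental builder computes it:
    package sources plus the declared dependency specs only."""
    h = hashlib.sha256()
    h.update(json.dumps(sources, sort_keys=True).encode())
    h.update(json.dumps(package_json["dependencies"], sort_keys=True).encode())
    return h.hexdigest()


def fingerprint_by_resolved(sources: dict, package_json: dict, lockfile: dict) -> str:
    """Fingerprint that additionally covers the versions actually installed."""
    h = hashlib.sha256()
    h.update(json.dumps(sources, sort_keys=True).encode())
    resolved = {name: lockfile[name] for name in package_json["dependencies"]}
    h.update(json.dumps(resolved, sort_keys=True).encode())
    return h.hexdigest()


def in_range_bumps(package_json: dict, lock_before: dict, lock_after: dict) -> list:
    """Dependencies whose installed version changed while their spec did not:
    exactly the bumps a spec-keyed incremental build will never re-check,
    so their presence means a clean rebuild is needed for verification."""
    return [
        name
        for name, spec in sorted(package_json["dependencies"].items())
        if lock_before[name] != lock_after[name] and in_caret_range(spec, lock_after[name])
    ]


def simulate_bump() -> dict:
    """Compare both fingerprint strategies across the constructed exifreader bump."""
    spec_before = fingerprint_by_spec(SOURCES, PACKAGE_JSON)
    spec_after = fingerprint_by_spec(SOURCES, PACKAGE_JSON)  # package.json is unchanged by the bump
    resolved_before = fingerprint_by_resolved(SOURCES, PACKAGE_JSON, LOCK_BEFORE)
    resolved_after = fingerprint_by_resolved(SOURCES, PACKAGE_JSON, LOCK_AFTER)
    return {
        "bump_in_range": in_caret_range("^4.30.1", "4.40.3"),
        "spec_fingerprint_changed": spec_before != spec_after,
        "resolved_fingerprint_changed": resolved_before != resolved_after,
        "packages_needing_full_recheck": in_range_bumps(PACKAGE_JSON, LOCK_BEFORE, LOCK_AFTER),
    }


if __name__ == "__main__":
    for key, value in simulate_bump().items():
        print(f"{key}: {value}")
```

The takeaway for a bump-and-verify workflow is the last field: whenever `in_range_bumps` is non-empty, the package's incremental fingerprint cannot be trusted as verification and a clean rebuild (the PR's `pnpm run rebuild`) is the only check that exercises the new `.d.ts` surface.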
Automated Dependabot Alert Remediation

This PR was automatically generated by the fix-dependabot-alerts workflow. Each fix was applied individually and build-verified before inclusion.
Summary
How this works
Review checklist