chore(deps): apply small dependabot bumps across packages and example apps#4865
Conversation
🦋 Changeset detectedLatest commit: 3117703 The changes in this PR will be included in the next version bump. This PR includes changesets to release 47 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
✅ Deploy Preview for module-federation-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 721fe50286
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "eslint-config-next": "16.0.10", | ||
| "lint-staged": "15.2.2", | ||
| "postcss": "8.4.38", | ||
| "postcss": "8.5.10", |
There was a problem hiding this comment.
Keep the nested lockfile in sync
For the standalone next-app-router-4001 app, this bumps postcss to 8.5.10 but leaves the app-local apps/next-app-router/next-app-router-4001/pnpm-lock.yaml importer at specifier: 8.4.38 / version: 8.4.38 (lines 89-91). Any workflow or deployment that installs this app from its own directory with its checked-in lockfile will hit an outdated-lockfile failure or resolve the old PostCSS version, so the nested lockfile needs to be regenerated along with the package manifest.
Useful? React with 👍 / 👎.
@module-federation/devtools
@module-federation/cli
create-module-federation
@module-federation/dts-plugin
@module-federation/enhanced
@module-federation/error-codes
@module-federation/esbuild
@module-federation/managers
@module-federation/manifest
@module-federation/metro
@module-federation/metro-plugin-rnc-cli
@module-federation/metro-plugin-rnef
@module-federation/metro-plugin-rock
@module-federation/modern-js
@module-federation/modern-js-v3
@module-federation/native-federation-tests
@module-federation/native-federation-typescript
@module-federation/nextjs-mf
@module-federation/node
@module-federation/observability-plugin
@module-federation/playground
@module-federation/retry-plugin
@module-federation/rsbuild-plugin
@module-federation/rspack
@module-federation/rspress-plugin
@module-federation/runtime
@module-federation/runtime-core
@module-federation/runtime-tools
@module-federation/sdk
@module-federation/storybook-addon
@module-federation/third-party-dts-extractor
@module-federation/treeshake-frontend
@module-federation/treeshake-server
@module-federation/typescript
@module-federation/utilities
@module-federation/webpack-bundler-runtime
@module-federation/bridge-react
@module-federation/bridge-react-webpack-plugin
@module-federation/bridge-shared
@module-federation/bridge-vue3
@module-federation/inject-external-runtime-core-plugin
commit: |
Bundle Size Report12 package(s) changed, 30 unchanged. Package dist + ESM entry
Bundle targets
Consumer scenarios
Total dist (raw): 35.64 MB (-725 B (-0.0%)) Bundle sizes are generated with rslib (Rspack). Package-root metrics preserve the historical report. Tracked subpath exports such as |
… for RN lint config
The Rock remote build cache fingerprint only hashed native sources, so Release builds with the embedded JS bundle were reused from cache even after JS dependency bumps (the host app kept showing lodash 4.17.23 after the bump to 4.18.1, failing the Maestro e2e assertions).
Description
Consolidates the open Dependabot PRs that each bump a dependency inside this pnpm workspace. Those PRs cannot merge individually: each one edits a sub-package
package.jsonplus a directory-scoped lockfile, so the workspace rootpnpm-lock.yamlgoes stale andcheckout-installfails withERR_PNPM_OUTDATED_LOCKFILE. Serial merging of the root-level ones also invalidates each other via lockfile conflicts. This PR applies all the bumps at once with a properly regenerated workspace lockfile.Bumps applied (all patch/minor; Next.js version bumps intentionally excluded):
packages/chrome-devtools(chore(deps): bump echarts from 6.0.0 to 6.1.0 in /packages/chrome-devtools #4857)packages/treeshake-server(chore(deps): bump hono from 4.12.25 to 4.12.26 in /packages/treeshake-server #4834) andpackages/bridge/bridge-react(chore(deps-dev): bump hono from 4.12.25 to 4.12.26 in /packages/bridge/bridge-react #4833)packages/treeshake-server(chore(deps): bump @hono/node-server from 1.19.10 to 1.19.13 in /packages/treeshake-server #4636)apps/next-app-router/next-app-router-4001(chore(deps-dev): bump postcss from 8.4.38 to 8.5.10 in /apps/next-app-router/next-app-router-4001 #4688) and 8.4.49 → 8.5.10 inpackages/treeshake-frontend(chore(deps-dev): bump postcss from 8.4.38 to 8.5.10 #4689)packages/rspress-plugin(chore(deps): bump lodash-es from 4.17.21 to 4.18.1 in /packages/rspress-plugin #4629) and root (chore(deps): bump lodash-es from 4.17.21 to 4.18.1 #4617)packages/create-module-federation(chore(deps): bump handlebars from 4.7.7 to 4.7.9 in /packages/create-module-federation #4596)packages/rsbuild-plugin(chore(deps-dev): bump vitest from 1.6.0 to 1.6.1 in /packages/rsbuild-plugin #4548)packages/third-party-dts-extractor(chore(deps): bump resolve from 1.22.8 to 1.22.12 #4613)Includes a patch changeset for the five publishable packages whose runtime deps changed.
Related Issue
Supersedes Dependabot PRs #4857, #4834, #4833, #4751, #4689, #4688, #4636, #4629, #4621, #4619, #4618, #4617, #4616, #4613, #4612, #4596, #4548.
Types of changes
Checklist
Validation
pnpm installregenerated the workspace lockfile;pnpm install --frozen-lockfile --lockfile-onlypassespnpm exec turbo run build+testfor treeshake-server, rspress-plugin, create-module-federation, bridge-react, rsbuild-plugin, third-party-dts-extractor — all green locally