
chore(deps): lock file maintenance #4549

Closed

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented May 31, 2023

Mend Renovate

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "every 3 months on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a preset from Sanity. View repository job log here

@vercel

vercel bot commented May 31, 2023

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
performance-studio ✅ Ready (Inspect) Visit Preview Jun 7, 2023 6:37pm
test-studio ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 7, 2023 6:37pm
1 Ignored Deployment
Name Status Preview Comments Updated (UTC)
studio-workshop ⬜️ Ignored (Inspect) Jun 7, 2023 6:37pm

@socket-security

socket-security bot commented May 31, 2023

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

@stipsan
Member

stipsan commented May 31, 2023

Opened this @sanity-io/studio-dx just to debug and see why the #4546 PR was failing.

And there seems to be some deeper underlying issue happening here. Generally it should be safe to regenerate the npm/pnpm/yarn lockfile at any time on the main branch. If it's unsafe, or doing so causes the build to fail, then that typically means there's a dependency somewhere that is either:
a) using a too permissive semver range. For example, instead of ^1.2.3 it's using * or latest which can pull in a new breaking major version.
b) a dependency of a dependency, in other words it's not directly declared in the project package.json files, but it's pulled in as a dependency of other dependencies. In this case one of these dependencies has made a breaking change. This can happen even if all dependencies follow semver, and if just a single dependency isn't following semver it's enough to break the build.

In any case, it's fixed by finding whatever dependency is faulty and pinning it to a safe version at the closest dependency we can control. If it's a dependency of @sanity/client then we should fix it there, for example.

@stipsan stipsan requested a review from a team May 31, 2023 19:00
string-width "^4.1.0"
strip-ansi "^6.0.0"
ansi-styles "^6.1.0"
string-width "^5.0.1"
Member


This seems to be when the faulty dependency breaking the builds gets pulled in

Member

@bjoerge bjoerge Jun 2, 2023


what do we need to do here? pin string-width to 4.x? Upgrade all dependencies that pull in string-width so they all agree on 5.x?

Member


Probably pinning it to 4.x. It seems like some dependency that ships as CJS is pulling it in as ESM in a way that is faulty/wrong. Team ecosystem has seen a lot of problems like this and we maintain a list of them for Renovatebot to skip making PRs: https://github.com/sanity-io/renovate-presets/blob/main/ecosystem/workaround-esm.json

Contributor


@stipsan I'm assuming then that it's best to just open a separate PR where we do that? 🤔 What would be the next step here?

Member


@RitaDias yes, this PR is too noisy
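The review thread above (the string-width 4.x / 5.x split) and the earlier comment about permissive semver ranges and transitive breaking changes both come down to questions a lockfile can answer directly. The following Node.js script is an added example, not code from this PR or from the sanity-io repositories: it parses a yarn v1 lockfile (the format the `string-width "^4.1.0"` lines in this thread come from), lists packages resolved at more than one major version, flags requested ranges that accept any future major (`*`, `latest`, `x`), and checks whether a yarn `resolutions` pin such as `"string-width": "^4.2.3"` is actually honoured by every resolved copy. The lockfile text, the package `some-cli-tool` and the registry-free entries are constructed for the demo; npm's `overrides` and pnpm's `pnpm.overrides` play the same role as yarn's `resolutions`, but only the yarn form is shown here.

```javascript
// Added example (not from the sanity-io repositories or this PR).
// Parses a yarn v1 lockfile and reports the two conditions discussed in the thread:
//  1. packages resolved at more than one major version (e.g. string-width 4.x and 5.x),
//  2. requested ranges that accept any future major ("*", "latest", "x"),
// plus a check that a "resolutions" pin is honoured by every resolved copy.
'use strict';

// Constructed sample lockfile. "resolved"/"integrity" lines are omitted; the
// parser ignores them anyway. "some-cli-tool" is a hypothetical package.
const SAMPLE_LOCK = `
# yarn lockfile v1

"@isaacs/cliui@^8.0.2":
  version "8.0.2"
  dependencies:
    string-width "^5.1.2"
    strip-ansi "^7.0.1"

some-cli-tool@*:
  version "1.4.0"
  dependencies:
    string-width "^4.1.0"
    strip-ansi "*"

string-width@^4.1.0, string-width@^4.2.0:
  version "4.2.3"
  dependencies:
    strip-ansi "^6.0.1"

string-width@^5.0.1, string-width@^5.1.2:
  version "5.1.2"
  dependencies:
    strip-ansi "^7.0.1"

strip-ansi@^6.0.0, strip-ansi@^6.0.1:
  version "6.0.1"

strip-ansi@*, strip-ansi@^7.0.1:
  version "7.1.0"
`;

// Split "name@range" on the LAST "@" so scoped names like "@isaacs/cliui@^8.0.2" work.
function splitSpecifier(spec) {
  const s = spec.replace(/^"|"$/g, '');
  const at = s.lastIndexOf('@');
  return { name: s.slice(0, at), range: s.slice(at + 1) };
}

// Returns [{ name, ranges: [...requested ranges], version, dependencies: {dep: range} }].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      // Entry header: comma-separated specifiers that all resolve to one version.
      const specs = line.replace(/:$/, '').split(',').map((s) => splitSpecifier(s.trim()));
      current = { name: specs[0].name, ranges: specs.map((s) => s.range), version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (!current) {
      continue;
    } else if (indent === 2) {
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps) {
      const m = line.match(/^("?[^"\s]+"?) "([^"]+)"$/); // scoped deps are quoted
      if (m) current.dependencies[m[1].replace(/"/g, '')] = m[2];
    }
  }
  return entries;
}

function majorOf(version) {
  return Number(version.split('.')[0]);
}

// Packages that the lockfile resolves to more than one major version.
function findMultipleMajors(entries) {
  const byName = new Map();
  for (const e of entries) {
    if (!byName.has(e.name)) byName.set(e.name, new Set());
    byName.get(e.name).add(e.version);
  }
  const result = {};
  for (const [name, versions] of byName) {
    if (new Set([...versions].map(majorOf)).size > 1) {
      result[name] = [...versions].sort((a, b) => majorOf(a) - majorOf(b));
    }
  }
  return result;
}

const PERMISSIVE = new Set(['*', 'latest', 'x', '']);

// Requested ranges that would accept a new breaking major on the next refresh.
// Ranges in entry headers have no recorded dependent in a v1 lockfile.
function findPermissiveRanges(entries) {
  const hits = [];
  for (const e of entries) {
    for (const r of e.ranges) {
      if (PERMISSIVE.has(r)) hits.push({ dependent: '(root or transitive)', dependency: e.name, range: r });
    }
    for (const [dep, r] of Object.entries(e.dependencies)) {
      if (PERMISSIVE.has(r)) hits.push({ dependent: e.name, dependency: dep, range: r });
    }
  }
  return hits;
}

// Every resolved copy of a package pinned via "resolutions" must sit on the pinned major.
function violatesPin(entries, resolutions) {
  const out = [];
  for (const [name, range] of Object.entries(resolutions)) {
    const wantMajor = majorOf(range.replace(/^[\^~]/, ''));
    for (const e of entries) {
      if (e.name === name && majorOf(e.version) !== wantMajor) out.push(`${name}@${e.version}`);
    }
  }
  return out;
}

const entries = parseYarnLock(SAMPLE_LOCK);
console.log('multiple majors:', findMultipleMajors(entries));
console.log('permissive ranges:', findPermissiveRanges(entries));
console.log('pin violations:', violatesPin(entries, { 'string-width': '^4.2.3' }));
```

Run against a real yarn.lock by replacing `SAMPLE_LOCK` with the file contents. The "multiple majors" report is the quickest way to spot the string-width situation from this thread; the "pin violations" check is what you would run after adding a `resolutions` entry and regenerating the lockfile, to confirm the pin actually removed the 5.x copy rather than leaving both.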

@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 8f2b881 to dddf6ee Compare June 2, 2023 08:48
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from dddf6ee to 31ce30b Compare June 2, 2023 10:48
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from a50489c to a8763df Compare June 2, 2023 14:36
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from a8763df to 54849c6 Compare June 5, 2023 07:42
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 54849c6 to 8518e2d Compare June 6, 2023 11:17
@socket-security

socket-security bot commented Jun 6, 2023

New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives (1) Size Publisher
@playwright/test ⬆️ 1.33.0...1.34.3 None +4/-4 20.3 MB aslushnikov
@react-three/drei ⬆️ 9.66.1...9.74.6 None +28/-24 60.2 MB gsimone
tar ⬆️ 6.1.13...6.1.15 None +0/-0 164 kB isaacs
semver ⬆️ 7.5.0...7.5.1 None +0/-0 91.4 kB npm-cli-ops
@sanity/pkg-utils ⬆️ 2.2.14...2.3.1 None +77/-48 55 MB sanity-io
@types/node ⬆️ 14.18.43...14.18.48 None +0/-0 1.58 MB types
@types/debug ⬆️ 4.1.7...4.1.8 None +0/-0 7.67 kB types
module-alias ⬆️ 2.2.2...2.2.3 None +0/-0 16.3 kB ilearnio
react-fast-compare ⬆️ 3.2.1...3.2.2 None +0/-0 16.2 kB formidablelabs
@types/tar ⬆️ 6.1.4...6.1.5 None +2/-2 3.19 MB types
eslint ⬆️ 8.39.0...8.42.0 None +6/-5 4.53 MB eslintbot
@babel/preset-react ⬆️ 7.18.6...7.22.3 None +1/-5 97.8 kB nicolo-ribaudo
@types/react-dom ⬆️ 18.2.1...18.2.4 None +2/-2 751 kB types
@lezer/highlight ⬆️ 1.1.4...1.1.6 None +2/-2 430 kB marijn
get-it ⬆️ 8.1.2...8.1.3 None +0/-0 507 kB sanity-io
@babel/preset-env ⬆️ 7.21.5...7.22.4 None +36/-26 2.35 MB nicolo-ribaudo
@rollup/plugin-node-resolve ⬆️ 15.0.2...15.1.0 None +2/-2 148 kB shellscape
@codemirror/commands ⬆️ 6.2.3...6.2.4 None +14/-14 4.24 MB marijn
playwright ⬆️ 1.33.0...1.34.3 None +3/-3 21.5 MB aslushnikov
@types/babel__traverse ⬆️ 7.18.5...7.20.1 None +0/-0 84.8 kB types
@codemirror/search ⬆️ 6.4.0...6.5.0 None +8/-8 2.88 MB marijn
@codemirror/language ⬆️ 6.6.0...6.7.0 None +12/-12 3.81 MB marijn
@codemirror/lang-javascript ⬆️ 6.1.7...6.1.9 None +20/-20 4.68 MB marijn
hashids ⬆️ 2.2.11...2.3.0 None +0/-0 137 kB niieani
@codemirror/autocomplete ⬆️ 6.6.0...6.7.1 None +14/-14 4.26 MB marijn
@types/lodash ⬆️ 4.14.194...4.14.195 None +0/-0 863 kB types
dotenv ⬆️ 16.0.3...16.1.4 environment +0/-0 67.6 kB motdotla
@sanity/client ⬆️ 6.1.1...6.1.2 None +9/-18 6.06 MB sanity-io
framer-motion ⬆️ 10.12.10...10.12.16 None +0/-1 2.05 MB popmotion
@types/react ⬆️ 18.2.0...18.2.8 None +0/-0 360 kB types
@uiw/react-codemirror ⬆️ 4.19.16...4.21.2 None +28/-28 6.62 MB wcjiang
three-stdlib ⬆️ 2.21.10...2.23.8 None +4/-2 6.78 MB tdfka_rick
typedoc ⬆️ 0.24.6...0.24.8 None +2/-2 2.08 MB typedoc-bot
@typescript-eslint/parser ⬆️ 5.59.2...5.59.9 None +12/-11 6.02 MB jameshenry
@typescript-eslint/eslint-plugin ⬆️ 5.59.2...5.59.9 None +17/-16 9.08 MB jameshenry
@codemirror/view ⬆️ 6.10.1...6.13.0 None +4/-4 1.74 MB marijn

Footnotes

  1. https://docs.socket.dev

@renovate
Contributor Author

renovate bot commented Jun 7, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.
