chore(deps): lock file maintenance #4549
👍 Dependency issues cleared. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
Opened this @sanity-io/studio-dx just to debug and see why the #4546 PR was failing. And there seems to be some deeper underlying issue happening here.

Generally it should be safe to regenerate the npm/pnpm/yarn lockfile at any time on the main branch. If it's unsafe, or doing so causes the build to fail, then that typically means there's a dependency somewhere that is either:

In any case, it's fixed by finding whatever dependency is faulty and pinning it to a safe version at the closest dependency we can control. If it's a dependency of
string-width "^4.1.0"
strip-ansi "^6.0.0"
ansi-styles "^6.1.0"
string-width "^5.0.1"
This seems to be when the faulty dependency breaking the builds gets pulled in
What do we need to do here? Pin string-width to 4.x? Upgrade all dependencies that pull in string-width so they all agree on 5.x?
Probably pinning it to 4.x. It seems like some dependency that ships as CJS is pulling it in as ESM in a way that is faulty/wrong. Team Ecosystem has seen a lot of problems like this, and we maintain a list of them for Renovatebot to skip making PRs: https://github.com/sanity-io/renovate-presets/blob/main/ecosystem/workaround-esm.json
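The thread above describes the approach of finding which dependency pulls in the conflicting major of string-width and pinning it at the closest dependency the repo controls. As an added example (not code from the sanity repo or from anyone in this thread), here is a small scanner for the yarn.lock v1 format that lists every package resolved at more than one major version and, for each resolved version, which lockfile entries depend on it. The lockfile text, package names, versions and dependency edges in `SAMPLE_LOCK` are constructed for illustration and do not reproduce this PR's lockfile.

```javascript
// Added example: scan a yarn.lock (v1 format) for packages resolved at more
// than one major version and report which entries pull in each one.
// SAMPLE_LOCK is constructed for illustration; it is not this repo's lockfile.

const SAMPLE_LOCK = `
# yarn lockfile v1

"string-width@^4.1.0", "string-width@^4.2.0":
  version "4.2.3"
  resolved "https://registry.example.invalid/string-width-4.2.3.tgz"
  dependencies:
    emoji-regex "^8.0.0"
    strip-ansi "^6.0.0"

string-width@^5.0.1:
  version "5.1.2"
  resolved "https://registry.example.invalid/string-width-5.1.2.tgz"
  dependencies:
    strip-ansi "^7.0.1"

wrap-ansi@^7.0.0:
  version "7.0.0"
  dependencies:
    string-width "^4.1.0"

cli-truncate@^3.1.0:
  version "3.1.0"
  dependencies:
    string-width "^5.0.1"

"@scope/tool@^1.0.0":
  version "1.0.0"
  dependencies:
    string-width "^4.2.0"

strip-ansi@^6.0.0:
  version "6.0.1"

strip-ansi@^7.0.1:
  version "7.1.0"

emoji-regex@^8.0.0:
  version "8.0.0"
`;

const unquote = (s) => s.replace(/^"|"$/g, '');

// "name@range" -> { name, range }; scoped names start with "@", so split on the last "@".
function splitKey(key) {
  const at = key.lastIndexOf('@');
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// Parse the v1 lockfile into entries of { keys, version, dependencies }.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Entry header: one or more comma-separated "name@range" keys ending in ":".
      const keys = line.slice(0, -1).split(',').map((k) => splitKey(unquote(k.trim())));
      current = { keys, version: null, dependencies: [] };
      entries.push(current);
      inDeps = false;
      continue;
    }
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 2) {
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      if (body.startsWith('version ')) current.version = unquote(body.slice('version '.length));
      continue;
    }
    if (indent >= 4 && inDeps) {
      // Dependency line: `name "range"`; scoped names are quoted: `"@scope/x" "^1.0.0"`.
      const m = body.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies.push({ name: m[1], range: m[2] });
    }
  }
  return entries;
}

// Return { name: { resolvedVersion: [dependent entries...] } } for every package
// whose resolved versions span more than one major.
function findMultiMajor(entries) {
  const byKey = new Map();   // "name@range" -> entry that satisfies it
  const byName = new Map();  // name -> Map(version -> Set(dependent labels))
  for (const e of entries) {
    for (const k of e.keys) byKey.set(`${k.name}@${k.range}`, e);
    const name = e.keys[0].name;
    if (!byName.has(name)) byName.set(name, new Map());
    if (!byName.get(name).has(e.version)) byName.get(name).set(e.version, new Set());
  }
  for (const e of entries) {
    const label = `${e.keys[0].name}@${e.version}`;
    for (const d of e.dependencies) {
      const target = byKey.get(`${d.name}@${d.range}`);
      if (!target) continue; // range not in the lockfile: stale or hand-edited lock
      byName.get(target.keys[0].name).get(target.version).add(label);
    }
  }
  const report = {};
  for (const [name, versions] of byName) {
    const majors = new Set([...versions.keys()].map((v) => String(v).split('.')[0]));
    if (majors.size < 2) continue;
    report[name] = {};
    for (const [v, deps] of versions) report[name][v] = [...deps].sort();
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node scan-lock.js [path/to/yarn.lock]; falls back to the constructed sample.
  const text = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  console.log(JSON.stringify(findMultiMajor(parseYarnLock(text)), null, 2));
}
```

On the constructed sample the report shows string-width split between 4.2.3 (pulled in by wrap-ansi and @scope/tool) and 5.1.2 (pulled in by cli-truncate), and strip-ansi split the same way underneath it. That dependent list is what tells you which direct dependency to pin at, or which package to add to a Renovate skip list; in Yarn v1 the pin itself goes in the `resolutions` field of package.json.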
@stipsan I'm assuming then that it's best to just open a separate PR where we do that? 🤔 What would be the next step here?
@RitaDias yes, this PR is too noisy
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost.
This PR contains the following updates:
🔧 This Pull Request updates lock files to use the latest dependency versions.
Configuration
📅 Schedule: Branch creation - "every 3 months on the first day of the month" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate using a preset from . View repository job log here