chore(deps-dev): bump fast-uri from 3.1.0 to 3.1.2 #2515
dependabot[bot] wants to merge 1 commit into develop from
Conversation
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM, dev-only transitive patch bump with upstream security fixes.
Extended reasoning...
Overview
This is a Dependabot-generated PR that bumps the dev-only transitive dependency fast-uri from 3.1.0 to 3.1.2 in package-lock.json. The package is pulled in via ajv -> @anthropic-ai/sdk (a devDependency), and fast-uri is marked dev: true in the lockfile. No production code paths are affected.
Security risks
The bump itself is a patch upgrade containing two upstream security fixes (GHSA-v39h-62p7-jpjc and GHSA-q3j6-qgpj-74h6 around URI/fragment parsing). Since the package is only used at dev time (via the Anthropic SDK's JSON schema tooling) and not shipped to runtime, the downside of either applying or skipping is minimal here, but the patch is strictly improving.
Level of scrutiny
Very low. Only package-lock.json changed; no source code, build config, or production lockfile entries were touched. The diff is the standard 6-line dependabot patch (version, resolved URL, integrity hash). The repo has been routinely merging similar dependabot bumps (e.g., 196ac11 just before this).
Other factors
No bugs were flagged by the bug hunting system. There are no outstanding reviewer comments. This is exactly the kind of mechanical, low-risk dependency update that's safe to auto-approve.
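One way to machine-check the reasoning in the review above (only package-lock.json changed, the entry is `dev: true`, and only version, resolved URL and integrity moved), as an added example that is not code from the repository or the review bot. The lockfile fragments, registry URL and integrity values are constructed placeholders, not the real lockfile contents.

```python
"""Triage a lockfile-only Dependabot bump: list the entries that differ,
whether each is dev-only, and whether only version/resolved/integrity moved."""
import json

def build_lock(fast_uri_version, dev, extra=None):
    """Constructed package-lock.json v3 fragment (not the repo's real lockfile);
    the resolved URL and integrity value are placeholders."""
    entry = {"version": fast_uri_version, "dev": dev,
             "resolved": f"https://registry.example/fast-uri-{fast_uri_version}.tgz",
             "integrity": f"sha512-PLACEHOLDER-{fast_uri_version}"}
    entry.update(extra or {})
    return json.dumps({"lockfileVersion": 3, "packages": {
        "node_modules/fast-uri": entry,
        "node_modules/ajv": {"version": "8.17.1", "dev": True,
                             "dependencies": {"fast-uri": "^3.0.1"}}}})

BEFORE = build_lock("3.1.0", dev=True)
AFTER = build_lock("3.1.2", dev=True)

# The three fields a Dependabot patch bump normally touches.
ROUTINE_FIELDS = {"version", "resolved", "integrity"}

def lockfile_changes(before_json, after_json):
    """Return {package path: report} for every lockfile entry that differs."""
    old = json.loads(before_json)["packages"]
    new = json.loads(after_json)["packages"]
    report = {}
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path, {}), new.get(path, {})
        if a == b:
            continue
        changed = {k for k in set(a) | set(b) if a.get(k) != b.get(k)}
        report[path] = {
            "from": a.get("version"), "to": b.get("version"),
            # dev_only: every side that exists is flagged dev: true.
            "dev_only": all(e.get("dev") is True for e in (a, b) if e),
            "changed_fields": sorted(changed),
            # An added or removed entry is never a routine bump.
            "routine": bool(a) and bool(b) and changed <= ROUTINE_FIELDS,
        }
    return report

def needs_human_review(report):
    """Paths whose change is not a dev-only, three-field bump."""
    return sorted(p for p, r in report.items()
                  if not (r["dev_only"] and r["routine"]))

if __name__ == "__main__":
    rep = lockfile_changes(BEFORE, AFTER)
    for path, r in rep.items():
        print(f"{path}: {r['from']} -> {r['to']} fields={r['changed_fields']}")
    print("needs human review:", needs_human_review(rep))
```

Swapping in a non-dev entry, or one that gains a `dependencies` field, lands the path in the needs-review list, which is the case where the "very low scrutiny" argument no longer holds.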
Superseded by #2522, which forced fast-uri to 3.1.2 via pnpm overrides. The lockfile now has fast-uri@3.1.2 directly — this PR's diff would be a no-op.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps fast-uri from 3.1.0 to 3.1.2.
Release notes
Sourced from fast-uri's releases.
Commits
- 919dd8e Bumped v3.1.2
- c65ba57 fixup: linting
- 6c86c17 Merge commit from fork
- a95158a Handle malformed fragment decoding without throwing (#171)
- cea547c Bumped v3.1.1
- 876ce79 Merge commit from fork
- dcdf690 ci: add lock-threads workflow (#169)
- c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
- 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
- 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.