build(deps): bump the payload group across 1 directory with 5 updates #129
d69c2a2 to e02810f
cbf9166 to 930c051
julianken-bot
Verdict: APPROVE
Verification ledger
- Diff scope: `package.json` (+5/-5 dependency-version lines) and `pnpm-lock.yaml` (transitive cascade). Confirmed via `gh pr view 129 --json files`; no other files changed.
- Version coherence: all 5 direct `@payloadcms/*` + `payload` packages move 3.83.0 → 3.84.1 in lockstep. Grouping matches `.github/dependabot.yml` line 9-13.
- Lockfile internal consistency: verified that all payload-org packages — both direct (`db-postgres`, `next`, `richtext-lexical`, `storage-s3`, `payload`) and transitive (`@payloadcms/drizzle`, `@payloadcms/graphql`, `@payloadcms/ui`, `@payloadcms/plugin-cloud-storage`) — resolve to 3.84.1 with no version skew.
- Release notes (3.83.0 → 3.84.0 → 3.84.1): inspected upstream release page; no breaking changes, no security advisories, no migration steps. 3.84.1 is CI-only ("retargeting create-payload-app to pull from 3.x branch"). 3.84.0 is feature additions + bug fixes, all backward-compatible.
- CI: all 11 required checks pass on this exact head SHA (`930c0516`) — TypeScript, ESLint, Vitest, Next.js Build, Analyze Bundle, CodeQL Analysis, E2E Shards 1-4. Verified via `gh pr checks 129`.
- HEAD unchanged between review fetch and post.
Findings
None.
Bottom line
Routine grouped minor bump. The dependabot grouping configuration in .github/dependabot.yml correctly captures all five packages this project consumes from the payload org, preventing the version-skew failure mode where one package lands ahead of its siblings. Approve.
— @julianken-bot (opus, fresh context)
@Mergifyio queue
Merge Queue Status
🛑 Queue command has been cancelled
930c051 to c8d6f63
Bumps the payload group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@payloadcms/db-postgres](https://github.com/payloadcms/payload/tree/HEAD/packages/db-postgres) | `3.83.0` | `3.84.1` |
| [@payloadcms/next](https://github.com/payloadcms/payload/tree/HEAD/packages/next) | `3.83.0` | `3.84.1` |
| [@payloadcms/richtext-lexical](https://github.com/payloadcms/payload/tree/HEAD/packages/richtext-lexical) | `3.83.0` | `3.84.1` |
| [@payloadcms/storage-s3](https://github.com/payloadcms/payload/tree/HEAD/packages/storage-s3) | `3.83.0` | `3.84.1` |
| [payload](https://github.com/payloadcms/payload/tree/HEAD/packages/payload) | `3.83.0` | `3.84.1` |

Updates `@payloadcms/db-postgres` from 3.83.0 to 3.84.1
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.84.1/packages/db-postgres)

Updates `@payloadcms/next` from 3.83.0 to 3.84.1
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.84.1/packages/next)

Updates `@payloadcms/richtext-lexical` from 3.83.0 to 3.84.1
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.84.1/packages/richtext-lexical)

Updates `@payloadcms/storage-s3` from 3.83.0 to 3.84.1
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.84.1/packages/storage-s3)

Updates `payload` from 3.83.0 to 3.84.1
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.84.1/packages/payload)

---
updated-dependencies:
- dependency-name: "@payloadcms/db-postgres"
  dependency-version: 3.84.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload
- dependency-name: "@payloadcms/next"
  dependency-version: 3.84.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload
- dependency-name: "@payloadcms/richtext-lexical"
  dependency-version: 3.84.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload
- dependency-name: "@payloadcms/storage-s3"
  dependency-version: 3.84.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload
- dependency-name: payload
  dependency-version: 3.84.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: payload
...

Signed-off-by: dependabot[bot] <support@github.com>
c8d6f63 to ae0611a
julianken-bot
Verdict: APPROVE
Verification ledger (R2) — commands I ran against the PR head SHA 767383d:
- `pnpm install --frozen-lockfile --prefer-offline` — exit 0, lockfile + patch hash consistent (pnpm 9.15.9, `Done in 7.8s`)
- `pnpm typecheck` (`tsc --noEmit`) — exit 0, clean
- `pnpm test:unit` (`vitest run`) — `Test Files 37 passed (37) / Tests 584 passed (584)`
- `pnpm lint` — 18 warnings, 0 errors; all ADP sub-checks OK (typecheck-sketches, validate-references, check-affiliate-links, lint-changelog)
- Lockfile patch hash on PR head equals the hash on `78172fa` (main at base): both are `nxvyby6r4isjnouuw656h2bwdi`
- Cross-checked Payload v3.84.0 release notes against `rg`-discovered consumer files (`src/payload.config.ts`, all `src/collections/*`, lexical converters): no breaking surface this codebase touches
What's actually in this PR (from real merge base fe7d830 to head 767383d, NOT the GitHub-reported 78172fa base which has drifted since the PR opened):
- `package.json` — 5 specifier bumps, `^3.83.0` → `^3.84.1` for `@payloadcms/db-postgres`, `@payloadcms/next`, `@payloadcms/richtext-lexical`, `@payloadcms/storage-s3`, `payload`
- `pnpm-lock.yaml` — corresponding regen; the fix commit replaces a hex SHA-256 patchedDependencies hash with the base32-format hash that matches main
Note on the dispatcher's "3 lines in pnpm-lock.yaml only" framing: that describes the fix-on-top diff, not the PR. The PR's full delta from real merge base is the package.json bumps plus the full lockfile regen. The .github/workflows/deploy.yml v3→v2 delta visible via git diff 78172fa..767383d is rebase-out-of-date noise from main's PR #303 landing after this PR branched — Mergify will resolve it on rebase. Not a regression in this PR.
Findings
| # | Severity | File | Note |
|---|---|---|---|
| 1 | SUGGESTION | package.json | The lockfile regen recipe should be documented somewhere persistent so the next Dependabot patched-dep PR doesn't re-burn this debugging cycle. |
Bottom line
Minor bump with no consumer-code surface change, fix-on-top is correct and minimal (3 lines, all in the patchedDependencies hash field — old hex SHA-256 → new pnpm 9.15.x base32 format). All 11 required CI checks are SUCCESS (Build, ESLint, TypeScript, Vitest, Analyze Bundle, CodeQL Analysis, all 4 E2E shards). pnpm install --frozen-lockfile succeeded locally, the 584-test vitest suite passes, and Payload v3.84.0 → v3.84.1 release notes don't touch any API this codebase consumes. Same-tier risk: NO — implementer is Dependabot + manual pnpm install, not a model. Cleared to queue.
Reviewed by @julianken-bot (opus, fresh context). Skill: reviewing-as-julianken-bot.
| "@payloadcms/next": "^3.83.0", | ||
| "@payloadcms/richtext-lexical": "^3.83.0", | ||
| "@payloadcms/storage-s3": "^3.83.0", | ||
| "@payloadcms/db-postgres": "^3.84.1", |
SUGGESTION — root-cause documentation, not a blocker for this PR.
The fix commit (767383d, "fix(deps): regenerate lockfile for patchedDependencies hash") is correct and minimal, but the why lives only in the commit message and out-of-band context. Future Dependabot PRs that touch a patched dependency will hit the same hash-format mismatch — when Dependabot's older pnpm regenerates the lockfile with the hex SHA-256 form, it diverges from the base32 hash main was committed with under pnpm 9.15.x.
Three options, pick the cheapest that actually persists the runbook:
- Add a section to `docs/deployment.md` (or `CLAUDE.md` under "Common Tasks") titled something like "Dependabot lockfile hash mismatch (patchedDependencies)" with the one-line fix: re-run `pnpm install` locally on the Dependabot branch with the project's pinned pnpm version, then push.
- Configure `.github/dependabot.yml` to pin Dependabot's pnpm version to match the project's (if Dependabot supports that — last I checked it doesn't, but worth a 5-minute confirmation).
- Add a CI early-fail step that surfaces the hash-format mismatch with a clear message pointing at the runbook, so future hits aren't a 20-minute "why is install failing" investigation.
Doing nothing is also defensible — the next time it happens, fixing it again is 3 minutes — but the cost of documenting now is also 3 minutes.
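One way the CI early-fail check suggested in the review comment above could look, as an added example that is not part of the original review and not the project's code: it reads the `patchedDependencies` block of a `pnpm-lock.yaml` and reports every hash that is not in the expected format. The lockfile layout and the 26-character base32 pattern (taken from the shape of the hash quoted on this page) are assumptions, and the sample lockfile, package name and hex value are constructed.

```javascript
// Added example, not the project's code. Assumed lockfile layout:
//   patchedDependencies:
//     <pkg>@<version>:
//       hash: <value>
const FORMATS = {
  base32: /^[a-z2-7]{26}$/,        // shape of the hash quoted in the review
  'hex-sha256': /^[0-9a-f]{64}$/,  // hex SHA-256 shape the fix commit replaced
};

function classifyHash(hash) {
  for (const [name, re] of Object.entries(FORMATS)) {
    if (re.test(hash)) return name;
  }
  return 'unknown';
}

// Collect { pkg, hash, format } for each entry of the top-level block.
function readPatchedHashes(lockText) {
  const entries = [];
  let inBlock = false;
  let pkg = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {          // a top-level key opens or closes the block
      inBlock = line.trim() === 'patchedDependencies:';
      pkg = null;
      continue;
    }
    if (!inBlock) continue;
    const entry = line.match(/^ {2}(\S.*?):\s*$/);
    if (entry) { pkg = entry[1].replace(/^['"]|['"]$/g, ''); continue; }
    const hash = line.match(/^ {4}hash:\s*(\S+)\s*$/);
    if (hash && pkg) {
      entries.push({ pkg, hash: hash[1], format: classifyHash(hash[1]) });
    }
  }
  return entries;
}

// Entries whose hash is not in the format the project's pinned pnpm writes.
function findMismatches(lockText, expected) {
  return readPatchedHashes(lockText).filter((e) => e.format !== expected);
}

// Constructed lockfile fragment; the package name and patch path are made up.
const sampleLock = (hash) => [
  "lockfileVersion: '9.0'", '', 'patchedDependencies:',
  '  example-pkg@1.0.0:', `    hash: ${hash}`,
  '    path: patches/example-pkg@1.0.0.patch', '', 'importers:', '  .: {}',
].join('\n');

const CONSTRUCTED_HEX = '0123456789abcdef'.repeat(4); // 64 hex chars, not a real hash
console.log(findMismatches(sampleLock(CONSTRUCTED_HEX), 'base32'));
```

In a CI step, a non-empty result from `findMismatches` on the checked-out lockfile would fail the job with a message pointing at the runbook, before `pnpm install --frozen-lockfile` runs.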
@Mergifyio queue
Merge Queue Status
Required conditions to enter a queue
# Conflicts: # pnpm-lock.yaml
julianken-bot
Verdict: APPROVE
Verification ledger (R2) — fresh commands run against PR head SHA 367d6e7:
- `pnpm install --frozen-lockfile --prefer-offline` — exit 0, `Done in 6.7s using pnpm v9.15.9`. Patched-dep hash `nxvyby6r4isjnouuw656h2bwdi` preserved; no warnings.
- `pnpm typecheck` (`tsc --noEmit`) — exit 0, clean.
- `pnpm test` (vitest) — `Test Files 37 passed (37) / Tests 584 passed (584)`.
- CI on this exact head: all 11 required checks SUCCESS (Next.js Build, ESLint, TypeScript, Vitest, Analyze Bundle, CodeQL Analysis, E2E Shards 1-4, plus the auxiliary CodeQL run). Mergify Merge Queue is NEUTRAL (correct — waiting for an approval, not a failure).
- HEAD unchanged between fetch and post.
What's actually in this PR vs current main (65febfb):
- `package.json` — 5 specifier bumps, `^3.83.0` → `^3.84.1` for `@payloadcms/db-postgres`, `@payloadcms/next`, `@payloadcms/richtext-lexical`, `@payloadcms/storage-s3`, `payload`.
- `pnpm-lock.yaml` — full reconciled regen (+412/-1082). Net -670 lines is dominated by transitive `@aws-sdk/*` patch-version cascade and pnpm lockfile flattening, not by dropped dependencies. Zero leftover references to `@payloadcms/*@3.83.0` in the new lockfile. All transitive payload-org packages (`drizzle`, `graphql`, `plugin-cloud-storage`, `ui`, `translations`) cleanly at 3.84.1.
Rebase hygiene: top commit is a clean merge of origin/main (parents: PR work 767383d + main 65febfb). The merge resolved the pnpm-lock.yaml conflict and reabsorbed two workflow files (deploy.yml, backfill-previews.yml) from main; no stray content leaked through. Mergify will squash on merge regardless.
Changelog review (3.83.0 → 3.84.0 → 3.84.1): 3.84.1 is CI-only. 3.84.0 is feature additions (custom collection views, email override, ecommerce currency formatting, mcp/form-builder plugin features — none of which this codebase uses) plus bug fixes. The only bug fixes touching surfaces this codebase consumes are `richtext-lexical: internal links export as text in markdown transformer` and `storage-*: simplify key handling for signed urls` — both bug fixes that improve existing behavior, no API changes.
Findings
None.
Bottom line
Routine grouped minor bump, cleanly rebased onto the post-#372/#222 main with a regenerated lockfile. No consumer-code surface changed, all checks green, local verification clean. Cleared to queue.
Reviewed by @julianken-bot (opus, fresh context). Skill: reviewing-as-julianken-bot. Same-tier risk: NO — implementer is Dependabot + manual pnpm install + manual merge resolution, not a model.
@Mergifyio queue
Merge Queue Status
This pull request spent 1 minute 1 second in the queue, including 5 seconds running CI.
Required conditions to merge
Bumps the payload group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @payloadcms/db-postgres | 3.83.0 | 3.84.1 |
| @payloadcms/next | 3.83.0 | 3.84.1 |
| @payloadcms/richtext-lexical | 3.83.0 | 3.84.1 |
| @payloadcms/storage-s3 | 3.83.0 | 3.84.1 |
| payload | 3.83.0 | 3.84.1 |

Updates `@payloadcms/db-postgres` from 3.83.0 to 3.84.1

Release notes
Sourced from @payloadcms/db-postgres's releases.
... (truncated)

Commits
- ea39d8a chore(release): v3.84.1 [skip ci]
- e08294b chore(release): v3.84.0 [skip ci]

Updates `@payloadcms/next` from 3.83.0 to 3.84.1

Release notes
Sourced from @payloadcms/next's releases.
... (truncated)

Commits
- ea39d8a chore(release): v3.84.1 [skip ci]
- e08294b chore(release): v3.84.0 [skip ci]
- 8fe5f04 feat: allow client components to also be used as custom collection views (#16...

Updates `@payloadcms/richtext-lexical` from 3.83.0 to 3.84.1

Release notes
Sourced from @payloadcms/richtext-lexical's releases.
... (truncated)

Commits
- ea39d8a chore(release): v3.84.1 [skip ci]
- e08294b chore(release): v3.84.0 [skip ci]
- 3dc6041 fix(richtext-lexical): internal links export as text in markdown...

Updates `@payloadcms/storage-s3` from 3.83.0 to 3.84.1

Release notes
Sourced from @payloadcms/storage-s3's releases.
... (truncated)

Commits
- ea39d8a chore(release): v3.84.1 [skip ci]
- e08294b chore(release): v3.84.0 [skip ci]
- 6139508 fix(storage-*): simplify key handling for signed urls and composite prefixes ...

Updates `payload` from 3.83.0 to 3.84.1

Release notes
Sourced from payload's releases.
... (truncated)

Commits
- ea39d8a chore(release): v3.84.1 [skip ci]
- b6131f7 ci: adjust 3.x branch references (#16358)
- e08294b chore(release): v3.84.0 [skip ci]
- 8fe5f04 feat: allow client components to also be used as custom collection views (#16...
- aa01a45 feat(plugin-form-builder): add support for multi part uploads (#15268)
- c150ef8 fix: handle multipart uploads without content-length (#16301)