build(deps): bump @upstash/redis from 1.37.0 to 1.38.0#371
Merged
Conversation
Bumps [@upstash/redis](https://github.com/upstash/redis-js) from 1.37.0 to 1.38.0. - [Release notes](https://github.com/upstash/redis-js/releases) - [Commits](https://github.com/upstash/redis-js/compare/@upstash/redis@1.37.0...@upstash/redis@1.38.0) --- updated-dependencies: - dependency-name: "@upstash/redis" dependency-version: 1.38.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
the
dependencies
julianken-bot
approved these changes
May 18, 2026
Collaborator
julianken-bot
left a comment
julianken-bot
left a comment
There was a problem hiding this comment.
Verdict: APPROVE
Minor bump @upstash/redis 1.37.0 → 1.38.0 with the lockfile updates that fall out of it (rollup 4.60.2 → 4.60.3, a new postcss 8.5.14 / nanoid 3.3.12 are transitive resolutions, not behavioral).
Why the auto-pipeline changelog does not regress this repo
The 1.38.0 release notes flag that mixed read/write Promise.all batches in auto-pipeline mode may now be split across multiple pipeline HTTP requests, breaking read-after-write ordering within those batches. I verified the repo's usage pattern against this:
- The only direct
@upstash/redisconsumer issrc/lib/rate-limit.ts:91-102, which constructs aRedisclient and hands it to@upstash/ratelimit'sRatelimit({ redis, ... }). The app never callsredis.pipeline(),redis.multi(), or wraps Redis commands inPromise.allitself. Search confirms zero hits forautoPipeline,pipeline(, or direct multi-command batching insrc/**. - The active limiter is
Ratelimit.slidingWindow, which inside@upstash/ratelimit@2.0.8reduces to a singlesafeEval/evalshacall (one Lua script, one HTTP request, atomic on the Upstash REST endpoint). Auto-pipeline batch splitting cannot fragment a single EVALSHA. @upstash/ratelimitdoes have a mixedPromise.allatdist/index.mjs:890between the limiter Eval andcheckDenyList, but the second branch is gated onenableProtection: true. This repo'screateRateLimiter(rate-limit.ts:96-102) does not enable protection, so the second arm is the constantPromise.resolve({ deniedValue: void 0, invalidIpDenyList: false })— no Redis call, no pipeline interaction.submitAnalytics(line 960 of the ratelimit dist) doesPromise.all([ratelimitResponse.pending, analyticsP]), but this is the fire-and-forgetpendingchannel — no caller awaits it for ordering and it never participates in the API response path.
Verification ledger
- Read PR diff: package.json + pnpm-lock.yaml only, no source changes.
- Searched for
@upstash/redisimports acrosssrc/**: 1 file (src/lib/rate-limit.ts). - Searched for
autoPipeline,pipeline(,multi(): 0 hits insrc/**. - Read
node_modules/.pnpm/@upstash+ratelimit@2.0.8.../dist/index.mjsfor the limit-path call graph — confirmed single-EVAL pattern + gatedPromise.all. - CI: ESLint, TypeScript, Vitest, Next.js Build, Analyze Bundle, CodeQL, E2E 1-4/4 all pass on HEAD
3a6c176. - Bot collaborator permission:
write(APPROVE will register).
No findings.
— reviewed by @julianken-bot per reviewing-as-julianken-bot rubric
Collaborator
|
@Mergifyio queue |
Contributor
Merge Queue Status
This pull request spent 7 minutes 54 seconds in the queue, including 3 minutes 32 seconds running CI. Required conditions to merge
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps @upstash/redis from 1.37.0 to 1.38.0.
Release notes
Sourced from @upstash/redis's releases.
Commits
7607549chore: version packages (#1433)c71f581DX-2577: Seperate read/write commands into seperate pipelines in auto pipelin...e3a23abfix: add version sync to ci (#1430)12e9a9eDX-2555: add supply chain security settings (#1429)f59fa75fix: docs linkc88b8e5fix: rename redis search analytics demo (#1428)5d8abc1feat: add redis search into skills (#1427)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)