
Conversation

@MichaelMilstead (Contributor)

  • Bumps the jsonwebtoken dependency to bump the transitive dependency on a vulnerable version of jws.
  • Runs npm update mdast-util-to-hast to bump the package-lock mdast-util-to-hast version to 13.2.1 to avoid a vulnerable version.

@vercel (bot) commented Dec 24, 2025

The latest updates on your projects.

Project      Deployment   Review             Updated (UTC)
cloud        Ready        Preview, Comment   Dec 24, 2025 9:24pm
showcase     Ready        Preview, Comment   Dec 24, 2025 9:24pm
tambo-docs   Ready        Preview, Comment   Dec 24, 2025 9:24pm

@charliecreates (bot) left a comment

The dependency bumps look consistent for addressing the jws transitive vulnerability via jsonwebtoken@9.0.3 and updating mdast-util-to-hast. The only notable concern is a potential version drift: package-lock.json increments apps/api to 0.127.1 without a shown matching change in apps/api/package.json, which can lead to inconsistent metadata and recurring lockfile churn.

Summary of changes

Dependency updates

  • Bumped jsonwebtoken in apps/api/package.json from ^9.0.2 to ^9.0.3.
  • Updated package-lock.json accordingly:
    • apps/api version bumped from 0.127.0 to 0.127.1.
    • jsonwebtoken lock entry updated to 9.0.3, which pulls in jws ^4.0.1.
    • Hoisted/updated related packages: added/updated top-level jws@4.0.1 and jwa (replacing nested jsonwebtoken/node_modules/jws + jwa).
    • Bumped mdast-util-to-hast from 13.2.0 to 13.2.1 in the lockfile.
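
The two things the review above reasons about, whether any copy of jws below the fixed version survives the bump (nested copies under another package's node_modules included) and whether a workspace's package.json version still matches its lockfile entry, can be checked mechanically. The script below is an added example written for this page, not code from the tambo project or this PR. It walks a lockfileVersion 3 `packages` map with sample data constructed to resemble the PR: the jsonwebtoken 9.0.2/9.0.3, jws 4.0.1 and apps/api 0.127.0/0.127.1 versions are the ones quoted in the review; every other entry, dependency range, package name and install path is an assumption.

```javascript
// Added example, not code from the tambo PR or project: audit an npm
// lockfile (lockfileVersion 3) for two properties a dependency bump is
// supposed to establish:
//   1. no copy of a dependency (here jws) remains below the fixed version,
//      including nested copies such as node_modules/<pkg>/node_modules/jws;
//   2. each workspace's package.json version matches the lock entry that
//      mirrors it (the "version drift" the review flags for apps/api).
// The lockfiles and manifests below are constructed; only jsonwebtoken
// 9.0.2/9.0.3, jws 4.0.1 and apps/api 0.127.0/0.127.1 come from the review.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison; pre-release tags are ignored here.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, hoisted or nested. A lockfile v3 key is an
// install path such as "node_modules/a/node_modules/b"; the package name is
// whatever follows the last "node_modules/" (scoped names keep "@scope/").
function findInstalls(lock, name) {
  const installs = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === "") continue; // root project entry
    const idx = installPath.lastIndexOf("node_modules/");
    if (idx === -1) continue; // workspace entries like "apps/api" are not installs
    if (installPath.slice(idx + "node_modules/".length) === name) {
      installs.push({ path: installPath, version: entry.version });
    }
  }
  return installs;
}

// Copies of `name` older than `fixedVersion`; empty means the bump reached all of them.
function vulnerableInstalls(lock, name, fixedVersion) {
  return findInstalls(lock, name).filter(
    (i) => compareVersions(i.version, fixedVersion) < 0
  );
}

// Compare each workspace manifest's version to its lock entry.
// `manifests` maps a workspace dir to the parsed package.json it contains.
function workspaceDrift(lock, manifests) {
  const drift = [];
  for (const [dir, manifest] of Object.entries(manifests)) {
    const locked = lock.packages[dir];
    const lockedVersion = locked ? locked.version : null;
    if (lockedVersion !== manifest.version) {
      drift.push({ dir, manifest: manifest.version, lock: lockedVersion });
    }
  }
  return drift;
}

// Constructed lockfile before the bump: jsonwebtoken 9.0.2 carries its own
// nested jws 3.x (the "jsonwebtoken/node_modules/jws" the review mentions).
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-monorepo" },
    "apps/api": { name: "@example/api", version: "0.127.0", dependencies: { jsonwebtoken: "^9.0.2" } },
    "node_modules/jsonwebtoken": { version: "9.0.2", dependencies: { jws: "^3.2.2" } },
    "node_modules/jsonwebtoken/node_modules/jws": { version: "3.2.2" },
    "node_modules/jsonwebtoken/node_modules/jwa": { version: "1.4.1" },
  },
};

// Constructed lockfile after the bump: jws is hoisted to a single 4.0.1 copy,
// and the apps/api lock entry was bumped to 0.127.1.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-monorepo" },
    "apps/api": { name: "@example/api", version: "0.127.1", dependencies: { jsonwebtoken: "^9.0.3" } },
    "node_modules/jsonwebtoken": { version: "9.0.3", dependencies: { jws: "^4.0.1" } },
    "node_modules/jws": { version: "4.0.1" },
  },
};

// apps/api/package.json as the review describes it: unchanged at 0.127.0.
const MANIFESTS = { "apps/api": { name: "@example/api", version: "0.127.0" } };

function audit(label, lock) {
  const vulnerable = vulnerableInstalls(lock, "jws", "4.0.1");
  const drift = workspaceDrift(lock, MANIFESTS);
  console.log(label, "jws < 4.0.1:", vulnerable, "drift:", drift);
  return { vulnerable, drift };
}

audit("before:", LOCK_BEFORE); // one nested jws 3.2.2, no drift
audit("after:", LOCK_AFTER);   // no old jws, but apps/api 0.127.0 vs 0.127.1 drift
```

To run it against a real checkout, replace the constants with `JSON.parse` of package-lock.json and of each workspace's package.json. A non-empty drift result is the recurring lockfile churn the review warns about; a non-empty vulnerable list means the bump left a nested copy of the old version in place, which `npm audit` will keep reporting even though the direct dependency looks fixed.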

@socket-security (bot)

Review the following changes in direct dependencies.

Diff    Package                 Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   tsx@4.20.5              100                     100             81        89            100
Added   @octokit/rest@20.1.2    99                      100             88        85            100
Added   @actions/core@1.11.1    99                      100             100       92            100
