
chore(deps): consolidate dependabot updates#1373

Merged
kentwelcome merged 2 commits into
mainfrom
chore/dependabot-20260513-134716
May 13, 2026

Conversation

@gcko (Contributor) commented May 13, 2026

Summary

Consolidates 6 of the 7 open Dependabot PRs into a single tested branch.

Closes #1372
Closes #1369
Closes #1368
Closes #1365
Closes #1363
Closes #1362

#1340 (@vitejs/plugin-react 5 → 6) is not closed and should remain open: the major bump requires Vite 8, and our pnpm.overrides pin Vite at >=7.3.2 <8.0.0. Re-evaluate alongside a Vite 8 migration.

Updates

Python (uv.lock)

| Package          | From   | To     | Source PR |
| ---------------- | ------ | ------ | --------- |
| gitpython        | 3.1.47 | 3.1.50 | #1365     |
| python-multipart | 0.0.26 | 0.0.28 | #1362     |
| urllib3          | 2.6.3  | 2.7.0  | #1368     |

npm (root js/)

Bumped via pnpm.overrides and direct deps so caret floors stay aligned with the resolved versions.

| Package                  | From     | To       |
| ------------------------ | -------- | -------- |
| @amplitude/unified       | 1.0.20   | 1.1.5    |
| @amplitude/analytics-core | ^2.47.1 | ^2.48.1  |
| @biomejs/biome           | 2.4.13   | 2.4.15   |
| @codemirror/view         | ^6.41.0  | ^6.42.1  |
| @mui/material            | ^9.0.0   | ^9.0.1   |
| @mui/system              | ^9.0.0   | ^9.0.1   |
| @next/third-parties      | 16.2.4   | 16.2.6   |
| @sentry/nextjs           | ^10.50.0 | ^10.53.1 |
| @sentry/react            | ^10.50.0 | ^10.53.1 |
| @tailwindcss/postcss     | ^4.2.4   | ^4.3.0   |
| @tanstack/react-query    | 5.100.1  | 5.100.10 |
| @types/node              | ^25.6.0  | ^25.7.0  |
| @vitest/coverage-v8      | ^4.1.5   | ^4.1.6   |
| baseline-browser-mapping | ^2.10.21 | ^2.10.29 |
| fast-check               | ^4.6.0   | ^4.8.0   |
| globals                  | ^17.5.0  | ^17.6.0  |
| next                     | 16.2.4   | 16.2.6   |
| postcss                  | ^8.5.9   | ^8.5.14  |
| react                    | 19.2.5   | 19.2.6   |
| react-dom                | 19.2.5   | 19.2.6   |
| read-excel-file          | ^9.0.6   | ^9.0.9   |
| tailwindcss              | ^4.2.4   | ^4.3.0   |
| vitest                   | ^4.1.5   | ^4.1.6   |
| write-excel-file         | ^4.0.2   | ^4.0.6   |
| yaml                     | ^2.8.3   | ^2.9.0   |

npm (packages/storybook/)

| Package                    | From     | To       |
| -------------------------- | -------- | -------- |
| @playwright/test           | ^1.59.1  | ^1.60.0  |
| @storybook/addon-docs      | ^10.3.4  | ^10.3.6  |
| @storybook/addon-vitest    | ^10.3.4  | ^10.3.6  |
| @storybook/react           | ^10.3.4  | ^10.3.6  |
| @storybook/react-vite      | ^10.3.4  | ^10.3.6  |
| @vitest/browser-playwright | ^4.1.5   | ^4.1.6   |
| msw                        | ^2.13.5  | ^2.14.6  |
| playwright                 | ^1.59.1  | ^1.60.0  |
| storybook                  | ^10.3.4  | ^10.3.6  |

packages/ui/package.json floors intentionally left unchanged (consumer floor policy).

Extra: .gitignore

Adds **/docs/investigations/ to match the existing pattern for docs/plans/, docs/tasks/, docs/summaries/, docs/superpowers/.

Test Plan

  • pnpm audit --prod → no known vulnerabilities
  • pnpm audit (full) → no known vulnerabilities
  • python3 -m pytest tests → 1206 passed
  • pnpm lint → clean
  • pnpm type:check → clean
  • pnpm test → 3708 passed (5 skipped)
  • pnpm run build → static export OK

Security Review

No high-confidence vulnerabilities identified by the dependency diff. Source files untouched; no migrations or codemods. Pre-existing pip/setuptools/wheel/uv advisories from pip-audit are bootstrap-tooling and unaffected by this PR.

gcko and others added 2 commits May 13, 2026 13:39
Matches existing pattern for plans/tasks/summaries/superpowers.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@datarecce.io>
Python (uv):
- gitpython 3.1.47 -> 3.1.50
- python-multipart 0.0.26 -> 0.0.28
- urllib3 2.6.3 -> 2.7.0

npm (root js/):
- @amplitude/unified 1.0.20 -> 1.1.5
- @amplitude/analytics-core ^2.47.1 -> ^2.48.1
- @biomejs/biome 2.4.13 -> 2.4.15
- @codemirror/view ^6.41.0 -> ^6.42.1
- @mui/material ^9.0.0 -> ^9.0.1
- @mui/system ^9.0.0 -> ^9.0.1
- @next/third-parties 16.2.4 -> 16.2.6
- @sentry/nextjs ^10.50.0 -> ^10.53.1
- @sentry/react ^10.50.0 -> ^10.53.1
- @tailwindcss/postcss ^4.2.4 -> ^4.3.0
- @tanstack/react-query 5.100.1 -> 5.100.10
- @types/node ^25.6.0 -> ^25.7.0
- @vitest/coverage-v8 ^4.1.5 -> ^4.1.6
- baseline-browser-mapping ^2.10.21 -> ^2.10.29
- fast-check ^4.6.0 -> ^4.8.0
- globals ^17.5.0 -> ^17.6.0
- next 16.2.4 -> 16.2.6
- postcss ^8.5.9 -> ^8.5.14
- react 19.2.5 -> 19.2.6
- react-dom 19.2.5 -> 19.2.6
- read-excel-file ^9.0.6 -> ^9.0.9
- tailwindcss ^4.2.4 -> ^4.3.0
- vitest ^4.1.5 -> ^4.1.6
- write-excel-file ^4.0.2 -> ^4.0.6
- yaml ^2.8.3 -> ^2.9.0

npm (storybook workspace):
- @playwright/test ^1.59.1 -> ^1.60.0
- @storybook/* ^10.3.4 -> ^10.3.6
- @vitest/browser-playwright ^4.1.5 -> ^4.1.6
- msw ^2.13.5 -> ^2.14.6
- playwright ^1.59.1 -> ^1.60.0
- storybook ^10.3.4 -> ^10.3.6

Deferred:
- @vitejs/plugin-react 6.0 (requires vite 8; our vite override caps at <8.0.0)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@datarecce.io>
@gcko gcko requested review from Copilot and kentwelcome and removed request for kentwelcome May 13, 2026 07:09
@kentwelcome (Member) left a comment

LGTM

@kentwelcome kentwelcome merged commit f85cf33 into main May 13, 2026
19 checks passed
@kentwelcome kentwelcome deleted the chore/dependabot-20260513-134716 branch May 13, 2026 07:10
Copilot AI (Contributor) left a comment

Pull request overview

Consolidates multiple Dependabot dependency updates (Python uv.lock + JS workspace package.jsons) into a single branch, and adds an additional docs-related ignore rule.

Changes:

  • Bump Python dependencies in uv.lock (GitPython, python-multipart, urllib3).
  • Bump frontend and Storybook tooling dependencies (Next.js, React, Vitest, Storybook, Playwright, Tailwind, etc.) while keeping @vitejs/plugin-react on v5.
  • Extend .gitignore to ignore docs/investigations outputs.

Reviewed changes

Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.

File Description
uv.lock Updates locked Python package versions and artifacts for security/patch releases.
js/package.json Updates JS dependency versions and several pnpm.overrides entries to align the workspace resolution.
js/packages/storybook/package.json Updates Storybook/playwright/vitest-related dev dependencies.
.gitignore Adds an ignore rule for docs/investigations/.
Comments suppressed due to low confidence (1)

js/package.json:130

  • In the pnpm.overrides block, @mui/material and @mui/system are still set to "^9.0.0" while the direct dependencies were bumped to "^9.0.1". This means the override no longer reflects the updated floor/alignment described in the PR and could allow resolving 9.0.0 in other workspaces if the direct dep constraint changes. Consider bumping these overrides to match the new dependency range (or removing them if they’re no longer needed).
      "happy-dom": "^20.9.0",
      "@emotion/styled": "^11.14.1",
      "@mui/material": "^9.0.0",
      "@mui/system": "^9.0.0",
      "@xyflow/react": "^12.10.2",
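The mismatch Copilot flags above (a direct dependency floor bumped to ^9.0.1 while the matching `pnpm.overrides` entry stays at ^9.0.0) is easy to miss in a consolidated Dependabot branch, because `pnpm install` still succeeds and `pnpm audit` stays clean. The script below is an added example, not code from this PR or the project: it reads a package.json, and for every package that appears both in `pnpm.overrides` and in `dependencies`/`devDependencies`, compares the version floors and reports any that disagree. The package.json it checks is constructed inline for the example; its package names and ranges are modelled on the snippet in the review comment and on the PR's update table, and the `vitest`/`4.1.x` entry is an assumed input added only to exercise the "range not understood" path.

```javascript
// Added example (not the project's own tooling): check that pnpm.overrides
// entries agree with the floors declared on the direct dependencies, so a
// floor bump on a direct dep is not silently undone by a stale override.
//
// SAMPLE_PACKAGE_JSON is CONSTRUCTED for this example. The @mui entries copy
// the mismatch the review comment points at; the vitest "4.1.x" range is an
// assumed input used to show how unparseable ranges are reported, not accepted.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-workspace",
  dependencies: {
    "@mui/material": "^9.0.1",
    "@mui/system": "^9.0.1",
    "@emotion/styled": "^11.14.1",
    react: "19.2.6",
  },
  devDependencies: {
    "happy-dom": "^20.9.0",
    vitest: "4.1.x",
  },
  pnpm: {
    overrides: {
      "happy-dom": "^20.9.0",
      "@emotion/styled": "^11.14.1",
      "@mui/material": "^9.0.0",
      "@mui/system": "^9.0.0",
      vitest: "^4.1.6",
      vite: ">=7.3.2 <8.0.0", // transitive-only override: nothing direct to align with
    },
  },
});

// Parse an exact ("1.2.3") or caret ("^1.2.3") range into its [major, minor, patch]
// floor. Anything else (x-ranges, tildes, compound ranges) returns null so the
// caller reports it as skipped rather than silently treating it as aligned.
function floorOf(range) {
  const m = /^\^?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic comparison of two [major, minor, patch] floors: -1, 0 or 1.
function compareFloors(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { mismatched, skipped } for the given package.json text.
// mismatched: overrides whose floor differs from the direct dependency's floor.
// skipped:    overrides where one of the two ranges could not be parsed.
// Overrides for packages that are not direct deps are ignored: they exist to
// pin transitive resolution and have no direct floor to align with.
function checkOverrides(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const direct = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const mismatched = [];
  const skipped = [];
  for (const [name, overrideRange] of Object.entries(overrides)) {
    if (!(name in direct)) continue;
    const directRange = direct[name];
    const overrideFloor = floorOf(overrideRange);
    const directFloor = floorOf(directRange);
    if (!overrideFloor || !directFloor) {
      skipped.push({ name, override: overrideRange, direct: directRange });
      continue;
    }
    if (compareFloors(overrideFloor, directFloor) !== 0) {
      mismatched.push({ name, override: overrideRange, direct: directRange });
    }
  }
  return { mismatched, skipped };
}

// Stand-alone usage: print what a reviewer would want to see in CI output.
const report = checkOverrides(SAMPLE_PACKAGE_JSON);
for (const m of report.mismatched) {
  console.log(`MISMATCH ${m.name}: override ${m.override} vs direct ${m.direct}`);
}
for (const s of report.skipped) {
  console.log(`SKIPPED  ${s.name}: could not compare ${s.override} with ${s.direct}`);
}
```

Run against the constructed input it flags `@mui/material` and `@mui/system` and reports `vitest` as skipped; pointing it at a real `js/package.json` (read with `fs.readFileSync`) and failing the job on a non-empty `mismatched` list is the natural CI hook. The parser is deliberately narrow: a range it does not understand is surfaced, not guessed at, because the whole point of the check is to catch floors that drift apart without anyone noticing.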



3 participants