chore(deps): bump lodash from 4.17.21 to 4.17.23#3828
chore(deps): bump lodash from 4.17.21 to 4.17.23#3828dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
dependabot
bot
added
dependencies
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
3 similar comments
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/lodash-4.17.23
branch
from
0401f70 to
fc1acc7
Compare
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
1 similar comment
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| needle@https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b: | ||
| resolution: {tarball: https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b} | ||
| needle@git+https://git@github.com:clearbit/needle.git#84d28b5f2c3916db1e7eb84aeaa9d976cc40054b: | ||
| resolution: {commit: 84d28b5f2c3916db1e7eb84aeaa9d976cc40054b, repo: git@github.com:clearbit/needle.git, type: git} |
There was a problem hiding this comment.
pnpm lock uses SSH git URL
High Severity
pnpm-lock.yaml changes the clearbit/needle dependency from an HTTPS tarball to an SSH-style git+https://git@github.com:... URL. This can break installs in CI/containers that don’t have Git/SSH credentials configured, causing dependency resolution failures unrelated to the lodash bump.
Additional Locations (2)
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/lodash-4.17.23
branch
from
fc1acc7 to
e03abe3
Compare
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
| '@aws-sdk/client-sso-oidc': 3.572.0 | ||
| '@aws-sdk/client-sts': 3.572.0(@aws-sdk/client-sso-oidc@3.572.0) | ||
| '@aws-sdk/client-sso-oidc': 3.572.0(@aws-sdk/client-sts@3.572.0) | ||
| '@aws-sdk/client-sts': 3.572.0 |
There was a problem hiding this comment.
Circular dependency resolution inversion for AWS SDK
High Severity
The lodash bump inadvertently inverted the circular dependency resolution between @aws-sdk/client-sts and @aws-sdk/client-sso-oidc. Previously, client-sts was parameterized with client-sso-oidc, now it's reversed. This changes which package pnpm treats as the dependency graph root and could cause @aws-sdk/client-bedrock-runtime to fail authentication at runtime when obtaining AWS credentials through SSO.
Additional Locations (2)
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/lodash-4.17.23
branch
from
e03abe3 to
0c25a3a
Compare
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
3 similar comments
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
Bumps lodash from 4.17.21 to 4.17.23.
Commits
dec55b7Bump main to v4.17.23 (#6088)19c9251fix: setCacheHas JSDoc return type should be boolean (#6071)b5e6729jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)edadd45Prevent prototype pollution on baseUnset function4879a7adoc: fix autoLink function, conversion of source links (#6056)9648f69chore: removeyarn.lockfile (#6053)dfa407dci: remove legacy configuration files (#6052)156e196feat: add renovate setup (#6039)933e106ci: add pipeline for Bun (#6023)072a807docs: update links related to Open JS Foundation (#5968)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Dependency-only change; main risk is subtle runtime behavior differences from the Lodash patch update and lockfile source/peer-resolution changes.
Overview
Bumps
lodashfrom4.17.21to4.17.23inbackend,members_enrichment_worker, anddata-access-layerpackages.Regenerates
pnpm-lock.yamlto reflect the updated Lodash version across transitive dependents, and also normalizes the Clearbitneedlelock entry to agit+httpssource plus minor AWS SDK peer-dependency graph adjustments from the lockfile rewrite.Written by Cursor Bugbot for commit 0c25a3a. This will update automatically on new commits. Configure here.