Bump axios, @docusaurus/core, @docusaurus/preset-classic and docusaurus-plugin-fathom in /docs #380
Benchmark Results
bench/1-buffer-vector-add.bench.mo
| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Buffer | 9_557 | 5_687_594 | 525_783_888 |
| Vector | 13_525 | 4_378_612 | 417_864_498 |
Heap
| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Buffer | 272 B | 272 B | 272 B |
| Vector | 272 B | 272 B | 272 B |
Garbage Collection
| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Buffer | 1.09 KiB | 143.28 KiB | 12.02 MiB |
| Vector | 1.09 KiB | 45.65 KiB | 3.86 MiB |
bench/2-vector-buffer-add.bench.mo $({\color{green}-10.02\%})$
Add
Add items one-by-one
Instructions:
Heap:
Stable Memory:
Garbage Collection:
Instructions
| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Vector | 13_525 | 4_378_966 | 417_886_092 |
| Buffer | 9_557 | 5_686_886 | 525_781_056 |
Heap
| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Vector | 272 B | 272 B | 272 B |
| Buffer | 272 B | 272 B | 272 B |
Garbage Collection
| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Vector | 1.09 KiB | 45.65 KiB | 3.86 MiB |
| Buffer | 1.09 KiB | 143.28 KiB | 12.02 MiB |
bench/array.bench.mo $({\color{green}-17.47\%})$
Array
arr arr
Instructions:
Heap:
Stable Memory:
Garbage Collection:
Instructions
| | 100k x1 | reset1 | 100k x3 | reset2 | 100k x4 | reset3 |
|---|---|---|---|---|---|---|
| Array | 13_502_096 | 3_335 | 27_003_270 | 3_809 | 54_004_127 | 4_283 |
Heap
| | 100k x1 | reset1 | 100k x3 | reset2 | 100k x4 | reset3 |
|---|---|---|---|---|---|---|
| Array | 390.9 KiB | -390.37 KiB | 390.9 KiB | -390.37 KiB | 390.9 KiB | -390.37 KiB |
Garbage Collection
| | 100k x1 | reset1 | 100k x3 | reset2 | 100k x4 | reset3 |
|---|---|---|---|---|---|---|
| Array | 360 B | 390.97 KiB | 391 KiB | 390.97 KiB | 1.14 MiB | 390.97 KiB |
bench/prng.bench.mo $({\color{gray}0\%})$
Prng
Benchmark N next calls for different PRNGs
Instructions:
Heap:
Stable Memory:
Garbage Collection:
Instructions
| | 10 | 100 | 1000 | 10000 |
|---|---|---|---|---|
| Seiran128 | 1_694 | 15_194 | 150_194 | 1_500_194 |
| SFC64 | 2_802 | 28_962 | 288_557 | 2_882_655 |
| SFC32 | 2_383 | 23_825 | 237_026 | 2_379_333 |
Heap
| | 10 | 100 | 1000 | 10000 |
|---|---|---|---|---|
| Seiran128 | 272 B | 272 B | 272 B | 272 B |
| SFC64 | 308 B | 272 B | 272 B | 272 B |
| SFC32 | 280 B | 280 B | 272 B | 272 B |
Garbage Collection
| | 10 | 100 | 1000 | 10000 |
|---|---|---|---|---|
| Seiran128 | 296 B | 296 B | 296 B | 296 B |
| SFC64 | 536 B | 4.98 KiB | 47.16 KiB | 469.04 KiB |
| SFC32 | 376 B | 1.78 KiB | 15.39 KiB | 156.11 KiB |
bench/removeLast.bench.mo $({\color{green}-10.90\%})$
Remove items using removeLast
Vector and buffer are initialized with 100k items and then 70k items are removed one-by-one.
Instructions:
Heap:
Stable Memory:
Garbage Collection:
Instructions
| | remove 70k |
|---|---|
| Vector | 27_707_716 |
| Buffer | 29_236_977 |
Heap
| | remove 70k |
|---|---|
| Vector | -136.8 KiB |
| Buffer | -269.76 KiB |
Garbage Collection
| | remove 70k |
|---|---|
| Vector | 139.45 KiB |
| Buffer | 540.43 KiB |
bench/stable-memory.bench.mo $({\color{green}-134.03\%})$
Stable Memory and Region
Grow Region and store blobs in it
Instructions:
Heap:
Stable Memory:
Garbage Collection:
Instructions
| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 2_627_005 | 10_496_206 | 2_693 |
| 100 pages | 52_467_025 | 104_914_690 | 2_698 |
| 256 pages | 134_273_926 | 268_574_327 | 3_246 |
Heap
| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 272 B | 272 B | 276 B |
| 100 pages | 272 B | 272 B | 272 B |
| 256 pages | 272 B | 272 B | 276 B |
Garbage Collection
| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 208.34 KiB | 832.38 KiB | 336 B |
| 100 pages | 4.06 MiB | 8.13 MiB | 340 B |
| 256 pages | 10.4 MiB | 20.8 MiB | 340 B |
Stable Memory
| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 8 MiB | 8 MiB | 8 MiB |
| 100 pages | 8 MiB | 8 MiB | 0 B |
| 256 pages | 16 MiB | 16 MiB | 16 MiB |
## Summary

- Bumped `tar` (7.5.9 → 7.5.11) and `minimatch` (10.0.1 → 10.2.4) in `cli/package.json` — security fixes for path traversal and ReDoS
- Updated `cli/package-lock.json` and `docs/package-lock.json` transitive deps in-place to pick up security patches (lodash, js-yaml, node-forge, jws, undici, flatted, ajv, etc.)
- `cli-releases/frontend` changes come from merged PR #340 (vite 5.2.6 → 5.4.21)
- `frontend/package-lock.json` reverted to main — `npm update --legacy-peer-deps` introduced a `@dfinity/agent` ↔ `@dfinity/candid` peer dep conflict that broke CI
- `blog/package-lock.json` was already up to date (no changes needed)

### What was NOT included and why

- **`frontend/package-lock.json`** — peer dep conflict between `@dfinity/agent@1.0.1` and `@dfinity/candid@0.19.3` prevents a clean lockfile update. Needs a coordinated `@dfinity/*` dependency bump in a separate PR.
- **Unfixable transitive vulns in CLI** — `axios` (via `wasm-pack` → `binary-install`) and `esbuild` (via `tsx`) can't be updated without breaking upstream. Pre-existing on main.

### Closed dependabot PRs (replaced by this PR)

#368, #341, #344, #338, #345, #346, #349, #323, #328, #382, #353, #359, #357, #348, #325, #324, #421, #419, #379, #377

## Test plan

- [x] Benchmarks pass
- [x] mops test passes (node 20 + node 24, all install methods)
- [ ] CI workflow passes
- [ ] Code quality (lint, format) passes

## Verification

Ran findings-verifier on both direct dependency bumps:

- **minimatch 10.0.1 → 10.2.4**: All changes are additive (new options, perf/security hardening). CLI uses a simple glob pattern unaffected by any changes.
- **tar 7.5.9 → 7.5.11**: Pure security fixes in extraction path validation. No API surface changes. CLI's tar usage (create + extract) is standard and unaffected.
- **No new peer deps**, no engine requirement changes, no breaking API changes.

---

## Remaining Open PRs — TODO

### Review & Merge (real package.json bumps, security fixes)

| PR | What | Status |
|---|---|---|
| #336 | Vite 5.2.6 → 5.4.21 in `/frontend` | Multiple CVEs fixed |
| #361 | Elliptic + ic-mops in `/frontend` | Critical crypto vulnerability |
| #367 | Tar + ic-mops in `/frontend` | Tar path traversal fix |
| #420 | Devalue + @sveltejs/kit in `/cli-releases/frontend` | Real package.json bump |

### Need @dependabot rebase (merge conflict with main)

| PR | What | Status |
|---|---|---|
| #372 | Tar 7.5.6 → 7.5.7 in `/cli` | Now superseded — tar bumped to 7.5.11 in this PR |
| #342 | Glob 11.0.1 → 11.1.0 in `/cli` | Security fix — GHSA-5j98-mcp5-4vw2 |

### Need Careful Review (major version bumps, risk of breakage)

| PR | What | Status |
|---|---|---|
| #380 | Docusaurus 2.4.3 → 3.9.2 in `/docs` | Major v2 → v3. Test docs locally. |
| #329 | vite-plugin-static-copy 1.0.2 → 2.3.2 in `/frontend` | Major v1 → v2. Has security fix but API may differ. |

### Non-Dependabot PRs

| PR | Author | What |
|---|---|---|
| #411 | rvanasa | Test global Mops installation in CI |
| #363 | codecustard | Fix code page scroll naturally like docs page |
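
One way to confirm that a lockfile really carries the `tar` and `minimatch` versions named in the summary above, including nested transitive copies. This is an added example, not code from this repository: `auditLock` and its helpers are hypothetical names, the lockfile object is a constructed sample in npm's v3 `packages` layout, and the floors are the versions the summary bumps to.

```javascript
// Floors taken from the summary above (the versions it bumps to).
const FLOORS = { tar: '7.5.11', minimatch: '10.2.4' };

// Constructed sample in npm lockfile v3 shape; not the repository's real lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'cli-sample', version: '0.0.0' },
    'node_modules/tar': { version: '7.5.11' },
    'node_modules/minimatch': { version: '10.2.4' },
    'node_modules/some-tool/node_modules/tar': { version: '7.5.9' },
    'node_modules/old-glob/node_modules/minimatch': { version: '3.1.2' },
    'node_modules/@scope/pkg': { version: '1.0.0' },
  },
};

// "7.5.11" -> [7, 5, 11]; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const p = v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  return [p[0] || 0, p[1] || 0, p[2] || 0];
}

// Numeric comparison: a string compare would rank "7.5.9" above "7.5.11".
function isBelow(version, floor) {
  const [a, b] = [parseVersion(version), parseVersion(floor)];
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// The package name is whatever follows the last "node_modules/" in the key.
function packageName(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

// Copies on another major line are reported for manual review, not judged against the floor.
function auditLock(lock, floors) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !Object.hasOwn(floors, name) || !meta.version) continue;
    const status = parseVersion(meta.version)[0] !== parseVersion(floors[name])[0] ? 'other-major'
      : isBelow(meta.version, floors[name]) ? 'below-floor' : null;
    if (status) findings.push({ path, version: meta.version, status });
  }
  return findings;
}
console.log(auditLock(SAMPLE_LOCK, FLOORS));
```

A nested copy under another package's `node_modules/` is the case a top-level `package.json` bump does not reach, which is why the check walks every key in `packages` rather than only the direct dependencies.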
@dependabot rebase

da0f4a6 to 3d402cc
…us-plugin-fathom

Removes [axios](https://github.com/axios/axios). It's no longer used after updating ancestor dependencies [axios](https://github.com/axios/axios), [@docusaurus/core](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus), [@docusaurus/preset-classic](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-preset-classic) and [docusaurus-plugin-fathom](https://github.com/pradel/docusaurus-plugin-fathom). These dependencies need to be updated together.

Removes `axios`

Updates `@docusaurus/core` from 2.4.3 to 3.9.2
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG-v2.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.9.2/packages/docusaurus)

Updates `@docusaurus/preset-classic` from 2.4.3 to 3.9.2
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG-v2.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.9.2/packages/docusaurus-preset-classic)

Updates `docusaurus-plugin-fathom` from 1.1.0 to 1.2.0
- [Commits](https://github.com/pradel/docusaurus-plugin-fathom/commits)

---
updated-dependencies:
- dependency-name: axios
  dependency-version:
  dependency-type: indirect
- dependency-name: "@docusaurus/core"
  dependency-version: 3.9.2
  dependency-type: direct:production
- dependency-name: "@docusaurus/preset-classic"
  dependency-version: 3.9.2
  dependency-type: direct:production
- dependency-name: docusaurus-plugin-fathom
  dependency-version: 1.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
3d402cc to a0a0ed0
## Summary

**Supersedes [#380](#380)** — close that PR after merging this one.

[#380](#380) is a Dependabot PR that bumps `@docusaurus/core` 2.4.3 → 3.9.2 in `/docs`. Its CI fails because simply bumping the core package isn't enough: Docusaurus v3 requires coordinated upgrades to React (17 → 18), `@mdx-js/react` (v1 → v3), `prism-react-renderer` (v1 → v2), a rewritten config format, MDX-v3-compatible content, and a webpack-dev-server v5 workaround. Dependabot can't do any of that automatically.

This PR does the full migration by hand and also fixes a **dev server blank page** caused by a webpack 5.96+ regression — see Changes.

## Changes

### `/docs` — Docusaurus v3 migration

- **Dependency upgrades**: `@docusaurus/*` 2.4 → 3.9.2; React 17 → 18; `@mdx-js/react` v1 → v3; `prism-react-renderer` v1 → v2; `docusaurus-plugin-fathom` patched; add `@docusaurus/types`, refresh `@tsconfig/docusaurus` and TypeScript. Add `webpack` as explicit `devDependency` (imported directly in config). Bump `engines.node` to `>=20.0` to match Docusaurus 3.9.2.
- **`docusaurus.config.js`**: Migrated from CJS (`module.exports`) to fully-ESM (`export default`). Updated `prism-react-renderer` imports to v2 API (`import {themes as prismThemes}`). Migrated deprecated `onBrokenMarkdownLinks` top-level option to `markdown.hooks.onBrokenMarkdownLinks`. Replaced `require.resolve()` calls with bare strings / top-level ESM imports throughout.
- **`09-mops.toml.md`**: Escaped `<placeholder>` angle bracket syntax in table cells (MDX v3's stricter JSX parser rejects raw angle brackets outside code spans). Used inline code for placeholders, consistent with Docusaurus 3 rendering.
- **`HomepageFeatures/index.tsx` + `index-old.tsx`**: Replaced `JSX.Element` with `React.ReactElement` for `tsc` compatibility under React 18's updated `@types/react`.
- **HMR dev-server fix**: Webpack 5.96+ broke Hot Module Replacement when `webpack-dev-server` applies `HotModuleReplacementPlugin` after compiler creation — `module.hot` evaluates to `false` at compile time and the dev page is blank. Added a `webpack-hmr-compat` Docusaurus plugin that registers the plugin before compiler instantiation (the only ordering that works). Production builds are not affected (`config.mode === 'production'` guard). See [webpack/webpack#19120](webpack/webpack#19120).

### `/frontend`

- **`package.json`**: Changed `npm run start` script from `DFX_NETWORK=local` (hardcoded) to `DFX_NETWORK=${DFX_NETWORK:-local}` so the network can be overridden from the shell. This makes it possible to run the frontend locally against the production IC canister without any local replica — see testing section below.

## Notes

- The net-zero commits (`0b17bdf` + `1105a15`) are a reverted experiment on the frontend canister ID config; they have no net effect on the tree.

## How to test

### CI smoke test (automated)

```sh
cd docs && npm ci && npm run build && npm run typecheck
```

### Docs dev server (manual — verifies HMR fix)

```sh
# From repo root:
npm run start-docs   # docs dev server at http://localhost:3001
# Open http://localhost:3001 — should show the Introduction page with sidebar
# Edit any .md file under docs/docs/ — page should hot-reload without full refresh
```

### Frontend against production IC (no dfx needed)

The `DFX_NETWORK` env var fix makes this possible. The dev server reads `canister_ids.json` from the repo root (already committed), points the IC agent at `https://icp-api.io`, and serves the full UI against the live production canister:

```sh
# From repo root — no dfx replica, no dfx deploy needed:
DFX_NETWORK=ic npm run start-registry
# Open http://localhost:3000
```

Or from the `frontend/` directory directly:

```sh
cd frontend && DFX_NETWORK=ic npm run start
```

### Verified locally

| Check | Result |
|---|---|
| `docs: npm run build` | ✅ Static files generated |
| `docs: npm run typecheck` | ✅ No type errors |
| `docs: npm run start` | ✅ Page renders, HMR enabled, zero JS errors |
| Navigate to `mops.toml` page | ✅ Client-side routing works |
| `DFX_NETWORK=ic npm run start-registry` | ✅ Vite starts, reads IC canister IDs |
| `frontend: svelte-check` | ✅ 0 errors |
| `frontend: tsc` | ✅ 0 errors |
@dependabot rebase

Looks like these dependencies are no longer a dependency, so this is no longer needed.

Removes axios. It's no longer used after updating ancestor dependencies axios, @docusaurus/core, @docusaurus/preset-classic and docusaurus-plugin-fathom. These dependencies need to be updated together.

Removes `axios`

Updates `@docusaurus/core` from 2.4.3 to 3.9.2

Release notes

Sourced from @docusaurus/core's releases.

... (truncated)

Changelog

Sourced from @docusaurus/core's changelog.

Commits

- abfbe56 v3.9.2
- 598af3b fix(core): allow `i18n.localeConfigs.translate` in validation (#11452)
- c3e5db1 chore: release v3.9.1 (#11436)
- e41fa2e fix(core): fix Docusaurus outDir for sites using baseUrl (#11434)
- c24d7dc chore: release v3.9 (#11419)
- 4dc0576 fix(theme): fix copy of indented code blocks, replace copy-text-to-clipboard ...
- a9bab41 feat(faster): upgrade Rspack to 1.5, use lazyBarrel experiment, remove deprec...
- af3d5ca fix(deps): upgrade webpack-dev-server to v5, fix security warning (#11410)
- 1c484e1 chore: drop support for Node 18, that reached End-of-Life (#11408)
- 2febb76 feat(core): Add `i18n.localeConfigs[locale].{url,baseUrl}` config options (#1...

Updates `@docusaurus/preset-classic` from 2.4.3 to 3.9.2

Release notes

Sourced from @docusaurus/preset-classic's releases.

... (truncated)

Changelog

Sourced from @docusaurus/preset-classic's changelog.

Commits

- abfbe56 v3.9.2
- c3e5db1 chore: release v3.9.1 (#11436)
- c24d7dc chore: release v3.9 (#11419)
- 1c484e1 chore: drop support for Node 18, that reached End-of-Life (#11408)
- f811e2d chore: release 3.8.1 (#11249)
- b126e64 chore: release Docusaurus 3.8 (#11200)
- abd04a2 feat(theme): new CSS cascade layers plugin + built-in `v4.useCssCascadeLayers...
- 71d682c chore: release Docusaurus 3.7.0 (#10812)
- 0f29a37 feat: Add React 19 support to Docusaurus v3 (#10763)
- df6f53a feat(svgr): create new Docusaurus SVGR plugin (#10677)

Updates `docusaurus-plugin-fathom` from 1.1.0 to 1.2.0

Commits