
chore(deps): consolidate dependabot updates#1288

Merged
gcko merged 2 commits into main from chore/dependabot
Apr 10, 2026

Conversation

@gcko
Contributor

@gcko gcko commented Apr 10, 2026

Summary

Consolidates the following Dependabot PRs into a single tested update:

Changes

| Package | From | To | Ecosystem |
| --- | --- | --- | --- |
| cryptography | 46.0.5 | 46.0.7 | pip (SECURITY) |
| deepdiff | <9.0 | <10.0 | pip |
| pygments | 2.19.2 | 2.20.0 | pip |
| @amplitude/unified | 1.0.5 | 1.0.15 | npm |
| @amplitude/analytics-core | ^2.44.0 | ^2.44.1 | npm |
| @biomejs/biome | 2.4.9 | 2.4.10 | npm |
| @codemirror/view | ^6.40.0 | ^6.41.0 | npm |
| @next/third-parties | 16.2.1 | 16.2.2 | npm |
| @playwright/test | ^1.58.2 | ^1.59.1 | npm |
| @sentry/nextjs | ^10.46.0 | ^10.47.0 | npm |
| @sentry/react | ^10.46.0 | ^10.47.0 | npm |
| @storybook/* | ^10.3.3 | ^10.3.4 | npm |
| @tanstack/react-query | 5.95.2 | 5.96.1 | npm |
| @tsdown/css | ^0.21.5 | ^0.21.7 | npm |
| @xyflow/react | ^12.10.1 | ^12.10.2 | npm |
| baseline-browser-mapping | ^2.10.11 | ^2.10.13 | npm |
| lodash | ^4.17.23 | ^4.18.1 | npm |
| next | 16.2.1 | 16.2.2 | npm |
| playwright | ^1.58.2 | ^1.59.1 | npm |
| read-excel-file | ^7.0.3 | ^8.0.3 | npm (MAJOR) |
| tsdown | ^0.21.5 | ^0.21.7 | npm |
| write-excel-file | ^3.0.6 | ^3.0.8 | npm |

Notes

  • read-excel-file v8: Major version bump. The v8 API returns sheet objects { sheet, data }[] instead of flat row arrays. Updated excel.test.ts to use the new API.
  • cryptography 46.0.7: Security patch for CVE-2026-39892 (buffer overflow) and CVE-2026-34073 (name constraints bypass).
  • @datarecce/ui dependency floors: Intentionally NOT bumped per project convention — only root package.json and overrides updated.

Test plan

  • Python: 1022 tests pass
  • Frontend: 3641 tests pass
  • Lint passes (Python + Biome)
  • Type-check passes
  • Build succeeds (Next.js 16.2.2)
  • Manual verification

Generated with Claude Code

Updates:
- cryptography: 46.0.5 → 46.0.7 (security: CVE-2026-39892, CVE-2026-34073)
- deepdiff: <9.0 → <10.0 (upper bound relaxation)
- pygments: 2.19.2 → 2.20.0
- @amplitude/unified: 1.0.5 → 1.0.15
- @amplitude/analytics-core: ^2.44.0 → ^2.44.1
- @biomejs/biome: 2.4.9 → 2.4.10
- @codemirror/view: ^6.40.0 → ^6.41.0
- @next/third-parties: 16.2.1 → 16.2.2
- @playwright/test: ^1.58.2 → ^1.59.1
- @sentry/nextjs: ^10.46.0 → ^10.47.0
- @sentry/react: ^10.46.0 → ^10.47.0
- @storybook/*: ^10.3.3 → ^10.3.4
- @tanstack/react-query: 5.95.2 → 5.96.1
- @tsdown/css: ^0.21.5 → ^0.21.7
- @xyflow/react: ^12.10.1 → ^12.10.2
- baseline-browser-mapping: ^2.10.11 → ^2.10.13
- lodash: ^4.17.23 → ^4.18.1
- next: 16.2.1 → 16.2.2
- playwright: ^1.58.2 → ^1.59.1
- read-excel-file: ^7.0.3 → ^8.0.3 (major; updated test for v8 API)
- tsdown: ^0.21.5 → ^0.21.7
- write-excel-file: ^3.0.6 → ^3.0.8

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@datarecce.io>
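The PR notes say read-excel-file v8 returns `{ sheet, data }[]` where v7 returned flat row arrays, and that the test helper was adapted. The block below is an added example, not code from the PR or the project: a parsing helper that accepts either shape, normalises to the v8 sheet list, and serialises a sheet to CSV with formula-leading cells neutralised (the usual next step for an Excel-to-CSV utility). Type names, helper names and the sample workbooks are assumptions for illustration.

```typescript
// Added example, not code from the PR or the project. Assumed shapes follow the
// PR description: v7 = Row[] for the first sheet, v8 = { sheet, data }[].
type Cell = string | number | boolean | Date | null;
type Row = Cell[];
type V7Result = Row[];
type V8Sheet = { sheet: string; data: Row[] };
type V8Result = V8Sheet[];

// Distinguish the shapes at runtime: v8 elements are plain objects carrying
// a `data` field, v7 elements are arrays (rows).
function isV8Result(result: V7Result | V8Result): result is V8Result {
  const first = result[0];
  return (
    first !== undefined &&
    typeof first === "object" &&
    first !== null &&
    !Array.isArray(first) &&
    "data" in first
  );
}

// Normalise to the v8 sheet list so downstream code handles one shape only.
// A v7 result has no sheet name, so an assumed fallback name is used.
function normalizeSheets(result: V7Result | V8Result, fallbackName = "Sheet1"): V8Sheet[] {
  if (result.length === 0) return [];
  if (isV8Result(result)) {
    return result.map((s) => ({ sheet: String(s.sheet), data: s.data }));
  }
  return [{ sheet: fallbackName, data: result }];
}

// Serialise rows to CSV. Fields containing delimiters, quotes or newlines are
// quoted; string cells that start with a formula trigger (=, +, -, @, tab, CR)
// get a leading apostrophe so a spreadsheet reopening the file does not
// evaluate them (CSV/formula injection). Numeric cells are never altered.
function sheetToCsv(rows: Row[]): string {
  const escape = (cell: Cell): string => {
    let s = cell === null ? "" : cell instanceof Date ? cell.toISOString() : String(cell);
    if (typeof cell === "string" && /^[=+\-@\t\r]/.test(s)) s = "'" + s;
    if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
    return s;
  };
  return rows.map((row) => row.map(escape).join(",")).join("\n");
}

// Constructed sample workbooks in each shape (not project fixtures).
const v7Sample: V7Result = [["name", "amount"], ["alice", 10], ["=cmd|' /C calc'!A0", 3]];
const v8Sample: V8Result = [
  { sheet: "Orders", data: [["name", "amount"], ["bob", 7]] },
  { sheet: "Notes", data: [["free text, with comma"]] },
];

// Usage: normalise first, then operate on the uniform shape.
const firstSheetCsv = sheetToCsv(normalizeSheets(v7Sample)[0].data);
```

The runtime guard matters more than the TypeScript types: a stale `node_modules` (the situation described later in this thread) hands the code a v7 shape even when the lockfile says v8, and a helper that checks the shape fails loudly in one place rather than with fourteen confusing test failures.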
@codecov

codecov bot commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 4 files with indirect coverage changes


Contributor

Copilot AI left a comment


Pull request overview

Consolidates multiple Dependabot updates (Python + JS) into one set of dependency bumps, with a small test adjustment to accommodate the read-excel-file v8 API shape.

Changes:

  • Python: widen deepdiff constraint to allow <10.0 and update lockfile accordingly.
  • Frontend: bump multiple JS deps (Next.js, Sentry, lodash, Playwright/Storybook, etc.) and refresh pnpm-lock.yaml.
  • UI tests: update Excel blob parsing test helper for the updated read-excel-file return format.

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 1 comment.

Summary per file

| File | Description |
| --- | --- |
| uv.lock | Updates locked dependency metadata to reflect the widened deepdiff constraint. |
| pyproject.toml | Widens deepdiff requirement from <9.0 to <10.0. |
| js/pnpm-lock.yaml | Updates the JS dependency graph/lock to the consolidated set of bumps. |
| js/packages/ui/src/utils/csv/__tests__/excel.test.ts | Adjusts Excel parsing test helper for read-excel-file v8 sheet return shape. |
| js/packages/ui/package.json | Bumps dev-only tooling deps (and read-excel-file) used in the UI workspace. |
| js/packages/storybook/package.json | Bumps Storybook/Playwright dev dependencies. |
| js/package.json | Bumps root app dependencies and pnpm.overrides to align the monorepo on newer versions. |

Comment on lines 146 to 150
"minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
"minimatch@>=10.0.0 <10.2.3": ">=10.2.3",
"rollup@>=4.0.0 <4.59.0": ">=4.59.0",
"@amplitude/unified": "1.0.5"
"@amplitude/unified": "1.0.15"
},
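Review bot: the `"@amplitude/unified": "1.0.15"` entry is an unconditional exact override, unlike the `"minimatch@>=9.0.0 <9.0.7": ">=9.0.7"` and `"rollup@>=4.0.0 <4.59.0": ">=4.59.0"` entries above it, which are scoped to the affected range and float to the fixed version; an unscoped exact override replaces whatever every workspace package declares for that name, including a deliberate exact pin, so the monorepo never installs or tests the declared version. If the intent is only to lift old copies, scope the key to a range (for example `"@amplitude/unified@<1.0.15": ">=1.0.15"`), or drop the override once the direct dependencies are aligned so the tested version and the declared version cannot drift apart again.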

Copilot AI Apr 10, 2026


pnpm.overrides forces @amplitude/unified to 1.0.15 across the monorepo, but @datarecce/ui declares a pinned dependency of @amplitude/unified at 1.0.1 (and the dependency contract doc calls it “Pinned. Exact version required”). This means CI/dev is no longer exercising the version that consumers of the published @datarecce/ui package will actually install, which can hide compatibility issues. Consider either updating js/packages/ui/package.json (and DEPENDENCIES.md) to the new pinned version, or removing the override / aligning root versions so the tested version matches the published contract.

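The review comment above describes a root `pnpm.overrides` entry forcing a version that a workspace package pins to something else. The block below is an added example, not the project's code: a small check that reads constructed package.json objects and reports every workspace whose exact pin differs from an unconditional exact override. The package names and versions mirror the ones quoted in the comment; the file contents themselves are constructed.

```typescript
// Added example, not code from the PR or the project. Inputs are constructed.
type PackageJson = {
  name: string;
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
  pnpm?: { overrides?: Record<string, string> };
};

type Drift = { workspace: string; pkg: string; declared: string; override: string };

// Override keys are "name" or "name@selector". Scoped names start with "@",
// so split on the last "@" and treat an "@" at position 0 as part of the name.
function parseOverrideKey(key: string): { name: string; selector: string | null } {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, selector: null };
  return { name: key.slice(0, at), selector: key.slice(at + 1) };
}

// A bare x.y.z (optionally with a prerelease/build suffix) is an exact pin.
const isExactPin = (spec: string): boolean =>
  /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(spec);

// Report each workspace package whose exact pin differs from an unconditional
// exact override. Selector-scoped overrides (e.g. "minimatch@>=9.0.0 <9.0.7")
// only rewrite the matching range and are skipped; comparing range
// declarations against an override would need a semver library, which this
// example deliberately avoids.
function findOverrideDrift(root: PackageJson, workspaces: PackageJson[]): Drift[] {
  const overrides = root.pnpm?.overrides ?? {};
  const drift: Drift[] = [];
  for (const [key, target] of Object.entries(overrides)) {
    const { name, selector } = parseOverrideKey(key);
    if (selector !== null || !isExactPin(target)) continue;
    for (const ws of workspaces) {
      const declared = ws.dependencies?.[name] ?? ws.devDependencies?.[name];
      if (declared !== undefined && isExactPin(declared) && declared !== target) {
        drift.push({ workspace: ws.name, pkg: name, declared, override: target });
      }
    }
  }
  return drift;
}

// Constructed inputs (assumed workspace names; versions as quoted in the review).
const rootPkg: PackageJson = {
  name: "root",
  pnpm: {
    overrides: {
      "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
      "@amplitude/unified": "1.0.15",
      lodash: "^4.18.1",
    },
  },
};
const uiPkg: PackageJson = {
  name: "@datarecce/ui",
  dependencies: { "@amplitude/unified": "1.0.1", lodash: "^4.17.21" },
};
const storybookPkg: PackageJson = {
  name: "storybook",
  devDependencies: { "@amplitude/unified": "1.0.15" },
};

// Usage: run in CI and fail the job when the list is non-empty.
const overrideDrift = findOverrideDrift(rootPkg, [uiPkg, storybookPkg]);
```

Run against the real workspace files, a non-empty result is exactly the "tested version is not the published contract" condition the comment raises, and it catches the next occurrence before a reviewer has to notice it by hand.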
Member

@kentwelcome kentwelcome left a comment


LGTM

@gcko
Contributor Author

gcko commented Apr 10, 2026

Updated Review — PR #1288

Summary

Dependency consolidation PR. All checks pass after proper pnpm install. The read-excel-file v8 migration is correct.

Correction: Initial review flagged 14 test failures and a TypeScript error for the read-excel-file v8 migration. This was a false positive — my node_modules was stale (still had v7.0.3 installed while lockfile specified v8.0.3). After pnpm install, all 17 Excel tests pass and TypeScript compiles clean.

Findings

[Info] read-excel-file v8 migration — verified correct

File: js/packages/ui/src/utils/csv/__tests__/excel.test.ts:14-16

The v8 API for read-excel-file/browser does return { sheet, data }[] (array of sheet objects). The 3-line change in parseExcelBlob correctly adapts to this. All 17 tests pass with v8.0.3 installed.

[Info] lodash 4.18.x — verified legitimate

File: js/package.json:65

lodash 4.18.1 is published on npm by the lodash maintainers (2026-03-15). Legitimate release after years at 4.17.x.

Verification Results

| Check | Result |
| --- | --- |
| Python tests (1037) | PASS |
| Python lint (flake8) | PASS |
| Frontend lint (Biome) | PASS |
| Frontend build (Next.js) | PASS |
| Frontend type check | PASS |
| Frontend tests (3644) | PASS (all 17 Excel tests included) |
| @datarecce/ui dep floors | Correct — not bumped (changes are devDependencies only) |
| deepdiff <10.0 | Safe — only uses DeepDiff() with ignore_order=True, no removed APIs |
| pnpm.overrides consistency | Correct — all shared packages properly overridden |

Verdict

Approved — All dependency updates verified. Tests, lint, type check, and build all pass. The read-excel-file v8 API adaptation is correct. Python deps (deepdiff, cryptography, pygments) are safe upgrades.
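The review above verifies by hand that a surprising bump (a first minor release after a long run of patch releases) is a legitimate publication by the maintainers. The block below is an added example, not code from the PR or the project: an offline checklist that runs over a saved registry document and the lockfile's integrity string before such a bump is accepted. The document is constructed for a hypothetical package, not real lodash metadata; its field names follow the npm registry packument layout (`versions[v].dist.integrity`, `time[v]`, `maintainers`, `dist-tags`), and the integrity strings are placeholders.

```typescript
// Added example, not code from the PR or the project. The registry document
// below is constructed; only the field layout follows the npm packument format.
type Packument = {
  name: string;
  "dist-tags": Record<string, string>;
  time: Record<string, string>; // "created", "modified", and one ISO time per version
  maintainers: { name: string }[];
  versions: Record<string, { dist: { integrity: string }; _npmUser?: { name: string } }>;
};

type Finding = { level: "fail" | "warn" | "info"; message: string };

const DAY_MS = 86_400_000;

// Four checks a reviewer would otherwise do by eye on the registry page.
function assessRelease(doc: Packument, version: string, lockIntegrity: string, now: Date): Finding[] {
  const out: Finding[] = [];
  const v = doc.versions[version];
  if (!v) return [{ level: "fail", message: `${version} is not in the registry document` }];

  // 1. The hash the lockfile will verify must be the one the registry serves.
  if (v.dist.integrity !== lockIntegrity) {
    out.push({ level: "fail", message: "lockfile integrity differs from registry dist.integrity" });
  }
  // 2. The publishing account should be a current maintainer.
  const publisher = v._npmUser?.name;
  const maintainers = new Set(doc.maintainers.map((m) => m.name));
  if (publisher !== undefined && !maintainers.has(publisher)) {
    out.push({ level: "warn", message: `published by ${publisher}, who is not a listed maintainer` });
  }
  // 3. Very fresh releases get a soak period; a long gap since the previous
  //    release is not a red flag by itself but is worth stating explicitly.
  const published = new Date(doc.time[version]).getTime();
  const ageDays = (now.getTime() - published) / DAY_MS;
  if (ageDays < 7) out.push({ level: "warn", message: `published ${ageDays.toFixed(1)} days ago; let it soak` });
  const previous = Object.entries(doc.time)
    .filter(([k, t]) => k !== "created" && k !== "modified" && k !== version && new Date(t).getTime() < published)
    .sort((a, b) => new Date(b[1]).getTime() - new Date(a[1]).getTime())[0];
  if (previous) {
    const gapDays = (published - new Date(previous[1]).getTime()) / DAY_MS;
    if (gapDays > 365) {
      out.push({ level: "info", message: `first release in ${Math.round(gapDays)} days (previous: ${previous[0]})` });
    }
  }
  // 4. Say whether this is what "latest" resolves to, so a pinned older version is a conscious choice.
  if (doc["dist-tags"].latest !== version) {
    out.push({ level: "info", message: `dist-tag latest is ${doc["dist-tags"].latest}, not ${version}` });
  }
  return out;
}

// Constructed registry document for a hypothetical package "example-lib".
const samplePackument: Packument = {
  name: "example-lib",
  "dist-tags": { latest: "4.18.1" },
  time: {
    created: "2012-04-23T00:00:00.000Z",
    "4.17.21": "2021-02-20T00:00:00.000Z",
    "4.18.0": "2026-03-10T00:00:00.000Z",
    "4.18.1": "2026-03-15T00:00:00.000Z",
    modified: "2026-03-15T00:00:00.000Z",
  },
  maintainers: [{ name: "maintainer-a" }, { name: "maintainer-b" }],
  versions: {
    "4.17.21": { dist: { integrity: "sha512-PLACEHOLDER-4-17-21" }, _npmUser: { name: "maintainer-a" } },
    "4.18.0": { dist: { integrity: "sha512-PLACEHOLDER-4-18-0" }, _npmUser: { name: "someone-else" } },
    "4.18.1": { dist: { integrity: "sha512-PLACEHOLDER-4-18-1" }, _npmUser: { name: "maintainer-a" } },
  },
};

// Usage: the integrity string comes from the lockfile entry for the version.
const releaseFindings = assessRelease(
  samplePackument, "4.18.1", "sha512-PLACEHOLDER-4-18-1", new Date("2026-04-10T00:00:00.000Z"),
);
```

A "fail" finding (integrity mismatch or unknown version) should block the merge; the "warn" and "info" levels are the items a reviewer writes into the verification table, as was done above for lodash.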

Contributor Author

@gcko gcko left a comment


Claude Code Review: Critical issues found — read-excel-file v8 migration breaks 14 tests and TypeScript type check. See review comment for details.

@gcko gcko merged commit 2fc43fc into main Apr 10, 2026
24 checks passed
@gcko gcko deleted the chore/dependabot branch April 10, 2026 07:08