chore(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend/web#128
chore(deps-dev): bump svelte from 5.55.5 to 5.55.7 in /frontend/web#128dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) from 5.55.5 to 5.55.7. - [Release notes](https://github.com/sveltejs/svelte/releases) - [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.7/packages/svelte) --- updated-dependencies: - dependency-name: svelte dependency-version: 5.55.7 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
|
Skipping PR review because a bot author is detected. If you want to trigger CodeAnt AI, comment |
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![kilo-code-bot[bot]](https://avatars.githubusercontent.com/in/2193792?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review Summary
Status: 2 Issues Found | Recommendation: Request Changes
Overview
| Severity | Count |
|---|---|
| CRITICAL | 1 |
| WARNING | 1 |
Issue Details (click to expand)
CRITICAL
| File | Line | Issue |
|---|---|---|
frontend/web/package.json |
58 | svelte 5.55.7 requires devalue ^5.8.1, but overrides/resolutions pin devalue to 5.7.1 (incompatible) |
WARNING
| File | Line | Issue |
|---|---|---|
frontend/web/yarn.lock |
1784 | devalue 5.7.1 resolves to ^5.8.1 range — semver violation caused by override |
Other Observations (not in diff)
The overrides and resolutions sections in package.json both pin devalue to 5.7.1. Svelte 5.55.7's package.json declares devalue: ^5.8.1. With Yarn 1.22.21, this forced downgrade will cause installation to fail with a version conflict error, as 5.7.1 is outside the ^5.8.1 range.
Required fix: Either remove the devalue override entirely or update both overrides and resolutions to devalue: "5.8.1" (or "^5.8.1"). The lockfile also needs regeneration after fixing package.json.
Files Reviewed (2 files)
frontend/web/package.json- 1 CRITICALfrontend/web/yarn.lock- 1 WARNING (symptom of root cause)
| "storybook": "^10.3.5", | ||
| "svelte": "^5.53.5", | ||
| "svelte": "^5.55.7", | ||
| "svelte-check": "^4.4.6", |
There was a problem hiding this comment.
CRITICAL: Version conflict: svelte 5.55.7 requires devalue ^5.8.1, but overrides.devalue: "5.7.1" and resolutions.devalue: "5.7.1" forcibly downgrade it. This creates an unsolvable dependency constraint — Yarn 1 will fail to install because 5.7.1 is not within ^5.8.1. Fix: update or remove the devalue override before merging.
| "svelte-check": "^4.4.6", | |
| "overrides": { | |
| /* ... other overrides ... */ | |
| "devalue": "5.8.1", | |
| /* ... */ | |
| }, | |
| "resolutions": { | |
| /* ... other resolutions ... */ | |
| "devalue": "5.8.1", | |
| /* ... */ | |
| }, |
| integrity sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ== | ||
|
|
||
| devalue@5.7.1, devalue@^5.6.4: | ||
| devalue@5.7.1, devalue@^5.6.4, devalue@^5.8.1: |
There was a problem hiding this comment.
WARNING: This lockfile entry shows devalue@5.7.1 resolving to the ^5.8.1 range — a semver violation. This is a symptom of the package.json override forcing an incompatible version. The lockfile must be regenerated after fixing the override.
Bumps svelte from 5.55.5 to 5.55.7.
Release notes
Sourced from svelte's releases.
... (truncated)
Changelog
Sourced from svelte's changelog.
... (truncated)
Commits
4d8f99aVersion Packages (#18220)0552308chore: bump devalue (#18219)e1cbbd9Merge commit from forka16ebc6Merge commit from forkd2375e2Merge commit from fork547853eMerge commit from fork55f9c85Version Packages (#18158)a10e8e4fix: keep dependencies of$state.eager/pending(alternative approach) (#1...ef4b97dfix: duplicated "of" in events.js comment (#18217)5122936fix: treat batches as a linked list (#18205)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.