chore(deps): batch dependency bumps (closes most Dependabot PRs)#42
Merged
Consolidates 17 of 19 mergeable Dependabot PRs into one branch with one CI run, instead of cascading lockfile conflicts across sequential merges.

Bumps applied (versions match Dependabot proposals):

Runtime:
- @blockfrost/blockfrost-js ^6.1.0 -> ^6.1.1
- @fastify/static ^9.0.0 -> ^9.1.3 (CVE-2026-6410, -6414 path traversal)
- @fastify/swagger-ui ^5.2.5 -> ^5.2.6
- @sentry/node ^10.38 -> ^10.53.1
- fastify ^5.7.4 -> ^5.8.5
- ioredis ^5.9.2 -> ^5.10.1
- pino ^10.3.0 -> ^10.3.1
- zod ^4.3.6 -> ^4.4.3

Dev:
- @eslint/js ^9.39.2 -> ^9.39.4
- @types/node ^25.2.0 -> ^25.8.0
- eslint ^9.39.2 -> ^9.39.4
- eslint-config-airbnb-ext ^3.0.1 -> ^3.1.0
- eslint-plugin-n ^17.23 -> ^18.0.1 (MAJOR)
- lint-staged ^16.2 -> ^17.0.4 (MAJOR)
- prettier ^3.8.1 -> ^3.8.3
- tsx ^4.21.0 -> ^4.22.0
- typescript-eslint ^8.54.0 -> ^8.59.3

Transitive bumps (lockfile-only) refreshed via pnpm install. Closes the many Dependabot PRs that were just security-advisory-driven lockfile updates (flatted, yaml, lodash, picomatch, minimatch, brace-expansion, effect, fast-uri, postcss, vite, etc.).

Held back (with reason):
- @lucid-evolution/lucid 0.4.29 (EXACT pin, was ^0.4.29). Dependabot PR #19 proposed 0.4.30 -- locally reproduced the test failure: importing lucid triggers libsodium-wrappers-sumo's auto-init which throws `Cannot read properties of undefined (reading 'then')`, breaking 4 test files (cbor, checks, verify-payment, demo). Pinning exact prevents the bad version being pulled in by future updates. Unpin when @lucid-evolution releases a version that fixes the libsodium init regression.
- @lucid-evolution/provider 0.1.90 (EXACT pin, was ^0.1.90). Same upstream issue (PR #17). Provider's dep graph reaches lucid 0.4.30 via peer deps when un-pinned.
- vitest ^4.0.18 (NOT bumped to 4.1.6).
- @vitest/coverage-v8 ^4.0.18 (NOT bumped to 4.1.6).
  Locally reproduced: vitest 4.1.x triggers the SAME libsodium init failure as lucid 0.4.30 -- different surface, same root cause. Holding at 4.0.18 until either vitest or libsodium-wrappers-sumo ships a fix.

Vuln impact:
- pnpm audit (full): 47 -> 26
- pnpm audit --prod: 29 (16h, 13m) -> 11 (7h, 4m)
Remaining are inside @lucid-evolution/lucid > @cardano-sdk/core > ip-address; unblocked when we can move off lucid 0.4.29.

Local validation: typecheck clean, lint clean, 33 files / 443 tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 15, 2026
Consolidates 17 of 19 mergeable Dependabot PRs into one branch with one CI run, instead of cascading lockfile conflicts across sequential merges. Two PRs explicitly skipped due to upstream-blocking test failures (documented below).
Vuln impact
The remaining 11 prod vulns are all inside `@lucid-evolution/lucid > @cardano-sdk/core > ip-address` — unblocked when we can move off lucid 0.4.29 (see "held back" section).
Closes
These Dependabot PRs are resolved by this batch (will auto-close on merge):
Held back (with reason)
`@lucid-evolution/lucid` 0.4.29 (exact pin, was ^0.4.29) and `@lucid-evolution/provider` 0.1.90 (exact pin)
Dependabot PRs #19 and #17 propose bumping to 0.4.30 / 0.1.91. Reproduced locally: importing lucid 0.4.30 triggers `libsodium-wrappers-sumo`'s auto-init code which throws:
```
TypeError: Cannot read properties of undefined (reading 'then')
❯ node_modules/.pnpm/libsodium-wrappers-sumo@0.8.2/.../libsodium-wrappers.mjs:1:58
❯ src/verify/checks.ts:10:1 // import { CML } from '@lucid-evolution/lucid';
```
Breaks 4 test files (`cbor.test.ts`, `checks.test.ts`, `verify-payment.test.ts`, one more). Exact-pinning prevents the bad version being pulled in by any future patch updates. Unpin when @lucid-evolution releases a version that fixes the libsodium init regression.
`vitest` and `@vitest/coverage-v8` held at ^4.0.18
Dependabot proposes 4.1.6 (part of #14 dev-deps group). Reproduced locally: vitest 4.1.x triggers the SAME libsodium init failure as lucid 0.4.30 — different surface, same root cause (vitest's ESM loader changes between 4.0 and 4.1 expose a libsodium-wrappers-sumo race that 4.0 didn't). The rest of the #14 group (prettier, @vitest/coverage-v8 stays in sync, @types/node, vitest, eslint-config-airbnb-extended) is applied. Hold until vitest 4.1.x or libsodium ships a fix.
Test plan
🤖 Generated with Claude Code
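A CI guard for the "held back" pins described above, as an added example that is not the PR's or the project's code: it checks that every package on a hold list is exact-pinned and that no declared spec admits the blocked version. The package names and versions are the ones in this PR; the hold list, the `checkHolds` / `specAdmits` functions and their output format are this example's own. Caret semantics follow npm's semver rule that the leftmost non-zero component is locked, which is exactly why `^0.4.29` would have admitted 0.4.30.

```javascript
// Added example (not from the PR or the project): verify that packages on a
// hold list are exact-pinned and that their specs cannot resolve to a blocked
// version. Package names/versions mirror the PR; the hold list is constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers; null for anything that is not an
// exact version (ranges, tags, prerelease suffixes).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does a package.json spec admit `candidate`? Handles exact versions and caret
// ranges (the two shapes used in this PR). Unknown syntax fails closed: it is
// reported as admitting, so the hold is flagged rather than silently passed.
function specAdmits(spec, candidate) {
  const cand = parseVersion(candidate);
  if (!cand) throw new Error(`bad candidate version: ${candidate}`);
  const exact = parseVersion(spec);
  if (exact) return compareVersions(exact, cand) === 0;
  if (spec.startsWith('^')) {
    const base = parseVersion(spec.slice(1));
    if (!base) throw new Error(`bad caret range: ${spec}`);
    if (compareVersions(cand, base) < 0) return false;
    // Caret: the leftmost non-zero component of the base is locked.
    if (base[0] > 0) return cand[0] === base[0];
    if (base[1] > 0) return cand[0] === 0 && cand[1] === base[1];
    return compareVersions(cand, base) === 0;
  }
  return true;
}

// holds: { [packageName]: { blocked: 'x.y.z', reason: '...' } }
// Returns human-readable violations; an empty array means every hold is honoured.
function checkHolds(pkg, holds) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const violations = [];
  for (const [name, hold] of Object.entries(holds)) {
    const spec = deps[name];
    if (spec === undefined) {
      violations.push(`${name}: on hold list but not declared`);
      continue;
    }
    if (!parseVersion(spec)) {
      violations.push(`${name}: spec "${spec}" is a range, expected an exact pin (${hold.reason})`);
    }
    if (specAdmits(spec, hold.blocked)) {
      violations.push(`${name}: spec "${spec}" admits blocked ${hold.blocked} (${hold.reason})`);
    }
  }
  return violations;
}

// Constructed sample: the relevant pins as this PR leaves them.
const SAMPLE_PKG = {
  dependencies: {
    '@lucid-evolution/lucid': '0.4.29',
    '@lucid-evolution/provider': '0.1.90',
    fastify: '^5.8.5',
  },
  devDependencies: {
    vitest: '^4.0.18',
    '@vitest/coverage-v8': '^4.0.18',
  },
};

// Constructed hold list (hypothetical file the team would keep next to package.json).
const SAMPLE_HOLDS = {
  '@lucid-evolution/lucid': { blocked: '0.4.30', reason: 'libsodium-wrappers-sumo auto-init regression' },
  '@lucid-evolution/provider': { blocked: '0.1.91', reason: 'reaches lucid 0.4.30 via peer deps' },
  vitest: { blocked: '4.1.6', reason: 'same libsodium init failure' },
  '@vitest/coverage-v8': { blocked: '4.1.6', reason: 'kept in sync with vitest' },
};

const problems = checkHolds(SAMPLE_PKG, SAMPLE_HOLDS);
console.log(problems.length ? problems.join('\n') : 'all holds satisfied');
```

Run against the pins as this PR leaves them, the two exact-pinned @lucid-evolution packages pass, while vitest and @vitest/coverage-v8 each produce two findings: `^4.0.18` is a range, and that range admits 4.1.6, so an install that does not reuse the committed lockfile can still resolve to the held-back version. A check like this belongs in the same CI step as `pnpm audit`, and the hold list is the natural place to record each unpin condition.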