Skip to content

chore(deps): bump vulnerable deps #3461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fredericoo wants to merge 14 commits into
base: main
Choose a base branch
from
Open

chore(deps): bump vulnerable deps #3461

fredericoo wants to merge 14 commits into from

Conversation

@fredericoo
Copy link
Contributor

@fredericoo fredericoo commented Feb 10, 2026
edited
Loading

low hanging fruit on dep versions

phase 1 (and a bit of 2) of https://github.com/orgs/Shopify/projects/4613/views/113?pane=issue&itemId=155935803&issue=Shopify%7Cdeveloper-tools-team%7C1035

Before

32 vulnerabilities (5 low, 14 moderate, 10 high, 3 critical)

After

24 vulnerabilities (4 low, 13 moderate, 6 high, 1 critical)

@shopify
Copy link
Contributor

shopify bot commented Feb 10, 2026
edited
Loading

Oxygen deployed a preview of your fb-audit-fix branch. Details:

Storefront Status Preview link Deployment details Last update (UTC)
Skeleton (skeleton.hydrogen.shop) ✅ Successful (Logs) Preview deployment Inspect deployment February 10, 2026 8:22 PM

Learn more about Hydrogen's GitHub integration.

fredericoo
fredericoo commented Feb 10, 2026
View reviewed changes
cookbook/src/commands/schema.ts
@@ -1,5 +1,5 @@
import {CommandModule} from 'yargs';
import {zodToJsonSchema} from 'zod-to-json-schema';
Copy link
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as of zod 4 we no longer need to use an external library

fredericoo
fredericoo commented Feb 10, 2026
View reviewed changes
cookbook/src/lib/validate.test.ts
const error = {
validator: 'RecipeSchema',
message: 'Expected string, received number',
message: 'Invalid input: expected string, received number',
Copy link
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

error message changed in zod 4

fredericoo
fredericoo commented Feb 10, 2026
View reviewed changes
cookbook/src/lib/validate.ts
const errors: ValidationError[] = error.issues.map((issue) => {
const lineNumber = getYamlLineNumber(recipeYamlPath, issue.path);
const actualValue = getYamlValue(recipeYamlPath, issue.path);
const issuePath = issue.path as (string | number)[];
Copy link
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

zod 4 fixed this type to PropertyKey (it was always PropertyKey in runtime, but it was typed as string | number)

fredericoo
fredericoo commented Feb 10, 2026
View reviewed changes
cookbook/package.json
"inquirer": "^12.4.2",
"istextorbinary": "9.5.0",
"ts-node": "^10.9.2",
"yaml": "^2.4.2",
Copy link
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing peer dep, npm hoisted from ✨somewhere✨

fredericoo
fredericoo commented Feb 10, 2026
View reviewed changes
packages/hydrogen-react/src/AddToCartButton.tsx
Copy link
Contributor Author

@fredericoo fredericoo Feb 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

all changes to this package were because there was a different version of prettier running on it and now it is all the same

i think

@fredericoo fredericoo marked this pull request as ready for review February 10, 2026 19:52
@fredericoo fredericoo requested a review from a team as a code owner February 10, 2026 19:52
@github-actions

This comment has been minimized.

Sign in to view
fredericoo
fredericoo commented Feb 10, 2026
View reviewed changes
.changeset/itchy-balloons-see.md
'@shopify/cli-hydrogen': patch
---

Updated `prettier` from v2 to v3.
Copy link
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this harmless? i had to update a test snapshot because it formats thigns slightlyyy differently

i know cli-hydrogen formats files after it adds them to the projects – i wonder if it wouldn’t be best to have this as a peer dep instead in the future and avoid bundling it with the cli binary

the reason why is that the user may be using another version of prettier, or no prettier at all, in which case we simply should skip formatting instead of forcing down our version of it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andguy95 andguy95 Awaiting requested review from andguy95

@itsjustriley itsjustriley Awaiting requested review from itsjustriley

@kdaviduik kdaviduik Awaiting requested review from kdaviduik

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fredericoo