Skip to content

chore(deps): bump vulnerable deps #3461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fredericoo merged 14 commits into from
Feb 16, 2026
Merged

chore(deps): bump vulnerable deps #3461

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
52e64a5
chore(deps): bump vulnerable deps
fredericoo Feb 10, 2026
398223e
chore: lockfile
fredericoo Feb 10, 2026
a6c4f57
chore: lockfile
fredericoo Feb 10, 2026
90a3189
chore: lockfile
fredericoo Feb 10, 2026
95f4e7f
chore(deps): explicitly add hoisted deps
fredericoo Feb 10, 2026
8c3e414
chore: resolve package conflicts
fredericoo Feb 10, 2026
1d4134a
test: adjust error msg
fredericoo Feb 10, 2026
cde6977
chore: fmt with prettier
fredericoo Feb 10, 2026
e22e32a
fix: tsc
fredericoo Feb 10, 2026
8536ab6
revert: changes to claude
fredericoo Feb 10, 2026
ee88b03
chore: normalise prettier version
fredericoo Feb 10, 2026
bf5c1ce
chore: changesets
fredericoo Feb 10, 2026
35059cf
fix: eslint
fredericoo Feb 10, 2026
da63bd6
test: update snapshot
fredericoo Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/brave-tigers-run.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@shopify/mini-oxygen': patch
---

Updated `undici` to `7.21.0` and `body-parser` to `1.20.4` to resolve known vulnerabilities.
5 changes: 5 additions & 0 deletions .changeset/itchy-balloons-see.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@shopify/cli-hydrogen': patch
---

Updated `prettier` from v2 to v3.
Copy link
Copy Markdown
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this harmless? i had to update a test snapshot because it formats thigns slightlyyy differently

i know cli-hydrogen formats files after it adds them to the projects – i wonder if it wouldn’t be best to have this as a peer dep instead in the future and avoid bundling it with the cli binary

the reason why is that the user may be using another version of prettier, or no prettier at all, in which case we simply should skip formatting instead of forcing down our version of it!

Copy link
Copy Markdown
Contributor

@itsjustriley itsjustriley Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is safe to merge, but we can open an issue to refactor.

6 changes: 6 additions & 0 deletions .changeset/smooth-owls-wave.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
'@shopify/hydrogen': patch
'@shopify/hydrogen-react': patch
---

Updated transitive dependencies (`form-data`, `vite`) to resolve known vulnerabilities.
4 changes: 2 additions & 2 deletions cookbook/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@
"inquirer": "^12.4.2",
"istextorbinary": "9.5.0",
"ts-node": "^10.9.2",
"yaml": "^2.4.2",
Copy link
Copy Markdown
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing peer dep, npm hoisted from ✨somewhere✨

"yargs": "^17.7.2",
"zod": "^3.24.2",
"zod-to-json-schema": "^3.24.5"
"zod": "^4.0.0"
},
"devDependencies": {
"@types/inquirer": "^9.0.9",
Expand Down
4 changes: 2 additions & 2 deletions cookbook/src/commands/schema.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import {CommandModule} from 'yargs';
import {zodToJsonSchema} from 'zod-to-json-schema';
Copy link
Copy Markdown
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as of zod 4 we no longer need to use an external library

import {z} from 'zod';
import fs from 'fs';
import {COOKBOOK_PATH} from '../lib/constants';
import path from 'path';
Expand All @@ -15,7 +15,7 @@ export const schema: CommandModule<{}, SchemaArgs> = {
};

async function handler(_: SchemaArgs) {
const jsonSchema = zodToJsonSchema(RecipeSchema);
const jsonSchema = z.toJSONSchema(RecipeSchema);
console.log(JSON.stringify(jsonSchema, null, 2));

fs.writeFileSync(
Expand Down
2 changes: 1 addition & 1 deletion cookbook/src/lib/recipe.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ export const RecipeSchema = z.object({
.default([]),
})
.optional()
.default({}),
.default({userQueries: [], troubleshooting: []}),
});

export type Recipe = z.infer<typeof RecipeSchema>;
Expand Down
8 changes: 4 additions & 4 deletions cookbook/src/lib/validate.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ describe('formatValidationError', () => {
it('should format error with line number and location', () => {
const error = {
validator: 'RecipeSchema',
message: 'Expected string, received number',
message: 'Invalid input: expected string, received number',
Copy link
Copy Markdown
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

error message changed in zod 4

location: 'steps.0.step',
lineNumber: 52,
};
Expand All @@ -37,7 +37,7 @@ describe('formatValidationError', () => {

expect(formatted).toContain('recipe.yaml:52');
expect(formatted).toContain('steps.0.step');
expect(formatted).toContain('RecipeSchema: Expected string, received number');
expect(formatted).toContain('RecipeSchema: Invalid input: expected string, received number');
});

it('should format error without line number', () => {
Expand Down Expand Up @@ -740,8 +740,8 @@ commit: abc123

const errorOutput = consoleErrorSpy.mock.calls.map(call => call[0]).join('\n');

expect(errorOutput).toContain('Expected string, received number (actual value: 1)');
expect(errorOutput).toContain('Expected string, received number (actual value: 2)');
expect(errorOutput).toContain('Invalid input: expected string, received number (actual value: 1)');
expect(errorOutput).toContain('Invalid input: expected string, received number (actual value: 2)');
});

it('should collect and format all validation errors with line numbers', () => {
Expand Down
10 changes: 6 additions & 4 deletions cookbook/src/lib/validate.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,8 +123,9 @@ export function handleZodErrorFromLoadRecipe(
recipeYamlPath: string,
): void {
const errors: ValidationError[] = error.issues.map((issue) => {
const lineNumber = getYamlLineNumber(recipeYamlPath, issue.path);
const actualValue = getYamlValue(recipeYamlPath, issue.path);
const issuePath = issue.path as (string | number)[];
Copy link
Copy Markdown
Contributor Author

@fredericoo fredericoo Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

zod 4 fixed this type to PropertyKey (it was always PropertyKey in runtime, but it was typed as string | number)

const lineNumber = getYamlLineNumber(recipeYamlPath, issuePath);
const actualValue = getYamlValue(recipeYamlPath, issuePath);

let message = issue.message;
if (actualValue !== null) {
Expand Down Expand Up @@ -366,8 +367,9 @@ export function validateRecipe(params: {
} catch (error) {
if (error instanceof ZodError) {
error.issues.forEach((issue) => {
const lineNumber = getYamlLineNumber(recipeYamlPath, issue.path);
const actualValue = getYamlValue(recipeYamlPath, issue.path);
const issuePath = issue.path as (string | number)[];
const lineNumber = getYamlLineNumber(recipeYamlPath, issuePath);
const actualValue = getYamlValue(recipeYamlPath, issuePath);

let message = issue.message;
if (actualValue !== null) {
Expand Down
Loading