
Lock file maintenance npm dependencies (main)#3370

Open
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main-main/lock-file-maintenance-npm-dependencies

Conversation

@red-hat-konflux

Contributor

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 04:59 AM (* 0-4 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026


🤖 Finished Review · ✅ Success · Started 4:49 AM UTC · Completed 4:58 AM UTC
Commit: 47d3320 · View workflow run →

@codecov

codecov Bot commented Jun 27, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 53.44% <ø> (+<0.01%) ⬆️
generative 16.79% <ø> (ø)
integration 27.66% <ø> (ø)
unit 69.13% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026


Looks good to me


Labels: Lock file maintenance PR updating npm dependencies fits the 'dependencies' label.

Previous run

Review

Findings

High

  • [supply chain / dependency integrity] package-lock.json:302 — lodash is being updated from 4.17.21 to 4.18.1. As of mid-2025, lodash 4.17.21 was the latest release and the repository had been largely inactive. However, the current date is June 2026, meaning a legitimate 4.18.x release could have occurred in the intervening year. The version should be verified against the npm registry before merging.
    Remediation: Before merging: (1) Run npm view lodash versions or check https://www.npmjs.com/package/lodash to confirm 4.18.1 is a legitimate release. (2) If it does not exist or was published by an unexpected maintainer, reject this PR. (3) If legitimate, review the changelog before accepting.

Low

  • [supply chain / dependency verification] package-lock.json — The other dependency updates in this PR (fastq 1.19.1 → 1.20.1, picomatch 2.3.1 → 2.3.2, yaml 1.10.2 → 1.10.3) are routine minor/patch bumps from well-maintained packages. These are normal lock file maintenance updates produced by Renovate.

Labels: PR contains a dependency version bump that requires manual verification for supply chain integrity

fullsend-ai-review[bot]

This comment was marked as outdated.
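The earlier finding asks a reviewer to confirm, before merging, that a bumped version really exists in the npm registry and was published by an expected maintainer. The script below is an added example of automating that check for every version bump between two package-lock.json snapshots; it is not code from the PR, MintMaker, Renovate, or the reviewing bot. The lockfile snapshots and registry documents are constructed and embedded so it runs offline: the registry documents imitate the shape of https://registry.npmjs.org/<name> (a `versions` map whose entries carry `dist.integrity` and `_npmUser`, plus a `time` map), the packages `acme-utils` and `acme-cli`, the publisher names, the dates, and every integrity string marked CONSTRUCTED are made up, and the only real values are lodash's 4.17.21 `resolved` URL and integrity hash quoted from this PR's diff.

```python
"""Check version bumps between two package-lock.json snapshots against
npm registry metadata.  Added example; not part of the PR, MintMaker,
Renovate, or the review bot.  All data below is constructed (see lead-in)
except lodash 4.17.21's resolved URL and integrity hash, taken from the PR."""

REGISTRY_HOST = "https://registry.npmjs.org/"


def _pkg(name, version, integrity, host=REGISTRY_HOST):
    """Build one lockfile v3 'packages' entry (helper for the sample data)."""
    return {"version": version, "integrity": integrity,
            "resolved": f"{host}{name}/-/{name}-{version}.tgz"}


def _ver(integrity, user):
    """Build one registry 'versions' entry (helper for the sample data)."""
    return {"dist": {"integrity": integrity}, "_npmUser": {"name": user}}


# Constructed lockfile snapshots: before and after lock-file maintenance.
OLD_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/lodash": _pkg("lodash", "4.17.21",
        "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="),
    "node_modules/acme-utils": _pkg("acme-utils", "2.0.0", "sha512-CONSTRUCTED-acme-utils-2.0.0"),
    "node_modules/acme-cli": _pkg("acme-cli", "1.0.0", "sha512-CONSTRUCTED-acme-cli-1.0.0"),
}}
NEW_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/lodash": _pkg("lodash", "4.18.1", "sha512-CONSTRUCTED-lodash-4.18.1"),
    # Simulated bad bump: hash differs from the registry and the tarball
    # is resolved from a host that is not the public registry.
    "node_modules/acme-utils": _pkg("acme-utils", "2.1.0",
        "sha512-CONSTRUCTED-acme-utils-2.1.0-MODIFIED", host="https://mirror.example.invalid/"),
    # Simulated bump to a version the registry has never published.
    "node_modules/acme-cli": _pkg("acme-cli", "1.0.1", "sha512-CONSTRUCTED-acme-cli-1.0.1"),
}}
# Constructed registry documents, keyed by package name.
REGISTRY = {
    "lodash": {"versions": {
        "4.17.21": _ver("sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", "maint-a"),
        "4.18.1": _ver("sha512-CONSTRUCTED-lodash-4.18.1", "maint-a")},
        "time": {"4.17.21": "2021-01-01T00:00:00.000Z", "4.18.1": "2026-04-01T00:00:00.000Z"}},
    "acme-utils": {"versions": {
        "2.0.0": _ver("sha512-CONSTRUCTED-acme-utils-2.0.0", "alice"),
        "2.1.0": _ver("sha512-CONSTRUCTED-acme-utils-2.1.0", "mallory")},
        "time": {"2.0.0": "2025-01-01T00:00:00.000Z", "2.1.0": "2026-06-20T00:00:00.000Z"}},
    "acme-cli": {"versions": {"1.0.0": _ver("sha512-CONSTRUCTED-acme-cli-1.0.0", "bob")},
                 "time": {"1.0.0": "2025-01-01T00:00:00.000Z"}},
}


def lock_packages(lock):
    """Map package name -> entry from a lockfile v2/v3 'packages' map."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry has an empty key
        out[path.rsplit("node_modules/", 1)[-1]] = meta
    return out


def diff_bumps(old_lock, new_lock):
    """Return (name, old_entry, new_entry) for every package whose version changed."""
    old, new = lock_packages(old_lock), lock_packages(new_lock)
    return [(n, old[n], m) for n, m in new.items()
            if n in old and old[n].get("version") != m.get("version")]


def check_bump(name, old_meta, new_meta, doc):
    """Verify one bump against its registry document; returns a finding dict."""
    finding = {"package": name, "from": old_meta.get("version"),
               "to": new_meta.get("version"), "issues": [], "published": None}
    versions = doc.get("versions", {})
    entry = versions.get(finding["to"])
    if entry is None:
        finding["issues"].append("version not in registry")
        return finding
    finding["published"] = doc.get("time", {}).get(finding["to"])
    if new_meta.get("integrity") != entry.get("dist", {}).get("integrity"):
        finding["issues"].append("integrity mismatch")
    old_user = versions.get(finding["from"], {}).get("_npmUser", {}).get("name")
    new_user = entry.get("_npmUser", {}).get("name")
    if old_user and new_user and old_user != new_user:
        finding["issues"].append(f"publisher changed: {old_user} -> {new_user}")
    if not str(new_meta.get("resolved", "")).startswith(REGISTRY_HOST):
        finding["issues"].append("resolved URL not on registry.npmjs.org")
    return finding


def run_example():
    """Check every bump in the constructed snapshots; returns name -> finding."""
    return {n: check_bump(n, o, m, REGISTRY.get(n, {}))
            for n, o, m in diff_bumps(OLD_LOCK, NEW_LOCK)}


if __name__ == "__main__":
    for name, f in run_example().items():
        print(f"{name} {f['from']} -> {f['to']}: {'; '.join(f['issues']) or 'OK'}")
```

In practice the `REGISTRY` dict would be replaced by a fetch of each package's registry document, and any finding with a non-empty `issues` list would block the merge for manual review; a clean result still leaves the changelog review from the finding's step (3) to a human.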

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/lock-file-maintenance-npm-dependencies branch from 976122f to 4cf619c on July 3, 2026 02:18
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026


🤖 Finished Review · ✅ Success · Started 2:22 AM UTC · Completed 2:29 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot dismissed their stale review July 3, 2026 02:29

Superseded by updated review

Comment thread package-lock.json
"version": "4.17.21",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
"version": "4.18.1",
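Review bot: the excerpt shows the old lodash entry's `resolved` and `integrity` fields but only the new `"version": "4.18.1"` line; before approving, confirm that the replacement `resolved` URL still points at registry.npmjs.org and that the new `integrity` value matches the registry's published dist integrity for 4.18.1. The finding above verifies that the version exists and who published it; the integrity field is the remaining check, since a mismatched or missing hash is where a substituted tarball would go unnoticed in lock-file maintenance.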


[low] Supply Chain

lodash is being bumped from 4.17.21 to 4.18.1. This version was independently verified as a legitimate release published on 2026-04-01 by jonchurch (current lodash maintainer) via the lodash GitHub repository. The release contains bug fixes for ReferenceError in template and fromPairs functions in modular builds. No supply chain concern remains.

@fullsend-ai-review fullsend-ai-review Bot added the labels ready-for-merge (All reviewers approved — ready to merge) and dependencies (Pull requests that update a dependency file) on Jul 3, 2026

Labels

  • dependencies: Pull requests that update a dependency file
  • main: Possible security concern
  • ready-for-merge: All reviewers approved — ready to merge
  • renovate
  • size: XS