deps: bump testcontainers from 10.28.0 to 11.14.0 #129
Open
dependabot[bot] wants to merge 1 commit into
Conversation
levente-simon added a commit that referenced this pull request on May 12, 2026:
* deps: routine pnpm update (minor/patch)
* deps(go): bump aws-sdk-go-v2 (s3, cloudfront), golang.org/x/crypto

  Reconciles Dependabot PRs #221 #222 #223:
  - s3 1.100.1 -> 1.101.0 (3 Go modules in scope)
  - cloudfront 1.62.0 -> 1.63.0 (1 Go module in scope)
  - golang.org/x/crypto 0.50.0 -> 0.51.0 (1 Go module in scope)

  See 2026-05-12-weekly.md for per-module attribution.

* chore(maintenance): record phase-5 remediation plan
* fix(deps): broaden ajv@^6 override scope to root, resolve CVE-2025-69873

  Alert #6 surfaced ajv 6.12.6 reaching the root lockfile via eslint-plugin-tsdoc -> @microsoft/tsdoc (transitive devDep). The existing ajv@^6.0.0 override in overrides.yaml was scoped [oss] only on the assumption ajv 6.x did not reach root — that assumption is now stale.
  - Add ajv@^6.0.0: ^6.14.0 to root package.json's pnpm.overrides
  - Broaden overrides.yaml ajv@^6.0.0 entry to scope: [private, oss]
  - pnpm install --lockfile-only re-resolves ajv 6.12.6 -> 6.15.0 (satisfies ^6.14.0)

  GHSA-2g4f-4pwh-qvx6 / CVE-2025-69873

* fix(deps): bump langchain-core and urllib3 (uv.lock)

  Resolves alerts #21 (langchain-core), #38 #39 (urllib3):
  - langchain-core 1.3.2 -> 1.4.0 (GHSA-pjwx-r37v-7724, CVE-2026-44843, fix 1.3.3)
  - urllib3 2.6.3 -> 2.7.0 (GHSA-mf9v-mfxr-j63j / CVE-2026-44432 + GHSA-qccp-gfcp-xxvc / CVE-2026-44431, fix 2.7.0)

  Applied via 'uv lock --upgrade-package langchain-core --upgrade-package urllib3'. pyproject pins langchain-core>=0.3.0 (minor bump 1.3 -> 1.4 within range); urllib3 is transitive. See 2026-05-12-weekly.md for full context.

* chore(maintenance): record phase-5 dismissals (pending-merge)
* chore(maintenance): record 15 dismissals pending-merge (undici 5.x transitive)

  All 15 entries dismiss undici 5.x advisories on the same root cause: transitive devDep via testcontainers@10.28.0. Fix lives in undici v6.x (major bump). testcontainers v10 -> v11 itself is tracked by deferred Dependabot PRs #231 (private) and #129 (oss). Phase 11 will apply these dismissals via gh api PATCH after the consolidated PR merges. Schema: design ~5.3 (two-phase dismissal lifecycle). Reason-code: no_bandwidth (transitive blocked behind major bump).

* chore(deps): sync oss/pnpm-lock.yaml
* fix(deps): bump hono floor + add ip-address/fast-uri oss overrides

  Course-correction commit on the 2026-05-12 weekly /maintain sweep. Phase 5 mis-classified several oss-scope alerts as 'already-fixed post-Phase-7' on the assumption that pnpm update --lockfile-only would hoist satisfying transitives. It does not — feedback_phase5_oss_prescreen covers this exact dynamic. Verification after Phase 7 showed hono, ip-address, and fast-uri all stuck at vulnerable versions in oss/pnpm-lock.yaml.

  Three explicit override changes restore the floors:
  - hono (oss): ^4.12.14 -> ^4.12.18 — covers GHSA-9vqf-7f2p-gf9v, GHSA-69xw-7hcm-h432 (fixed 4.12.16), GHSA-p77w-8qqv-26rm, GHSA-qp7p-654g-cw7p, GHSA-hm8q-7f3q-5f36 (fixed 4.12.18). Resolves oss alerts #85, 86, 88, 89, 90 and private oss-manifest mirrors #17, 18, 22, 24, 25.
  - ip-address (oss, new): >=10.1.1 — GHSA-v2v4-37r5-5v8g. Resolves oss #84 and private oss-manifest mirror #15.
  - fast-uri (oss, new): >=3.1.2 — covers GHSA-q3j6-qgpj-74h6 (fixed 3.1.1) and GHSA-v39h-62p7-jpjc / CVE-2026-22030 (fixed 3.1.2). Resolves oss alerts #87, 91 and private oss-manifest mirrors #19, 20.

  Verified post-bump resolutions in oss/pnpm-lock.yaml:
  - hono 4.12.18
  - ip-address 10.2.0
  - fast-uri 3.1.2

* docs(maintenance): draft 2026-05-12 weekly report
* docs(maintenance): refresh commit SHAs after Phase 10 history rewrite
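The verification step the commit message describes (checking that oss/pnpm-lock.yaml actually resolved hono, ip-address and fast-uri at or above the override floors after `pnpm update --lockfile-only` failed to hoist them) is worth automating, since a lockfile-only update can silently leave a transitive at a vulnerable version. The script below is an added example, not the project's code: it parses the `packages:` section of a pnpm lockfile (v6 and v9 key styles) and reports every resolved version below a stated floor. The lockfile excerpt is constructed; the floors for hono, ip-address, fast-uri and ajv@^6 are the ones in the commit message, while the undici 6.0.0 floor is an assumption based on "fix lives in undici v6.x". The `onlyMajor` field is this example's way of scoping a floor to one major line, mirroring an `ajv@^6.0.0: ^6.14.0` override.

```javascript
// Added example (not the project's code): report pnpm-lock.yaml resolutions that sit
// below a version floor, i.e. the post-override verification the commit message describes.
// The lockfile excerpt below is constructed; a real run reads the file from disk instead.

const SAMPLE_LOCK = `lockfileVersion: '9.0'

packages:

  '@microsoft/tsdoc@0.15.0':
    resolution: {integrity: sha512-constructed}

  ajv@6.15.0:
    resolution: {integrity: sha512-constructed}

  fast-uri@3.1.2:
    resolution: {integrity: sha512-constructed}

  hono@4.12.14:
    resolution: {integrity: sha512-constructed}

  ip-address@10.2.0:
    resolution: {integrity: sha512-constructed}

  undici@5.29.0:
    resolution: {integrity: sha512-constructed}

snapshots:

  hono@4.12.14: {}
`;

// Floors to enforce. hono/ip-address/fast-uri and ajv@^6 come from the commit message;
// the undici floor is an assumption ("fix lives in undici v6.x"). `onlyMajor` restricts
// a floor to one major line, mirroring an `ajv@^6.0.0: ^6.14.0` override.
const FLOORS = [
  { name: 'hono', floor: '4.12.18' },
  { name: 'ip-address', floor: '10.1.1' },
  { name: 'fast-uri', floor: '3.1.2' },
  { name: 'ajv', floor: '6.14.0', onlyMajor: 6 },
  { name: 'undici', floor: '6.0.0' },
];

// Split "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus the prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] === undefined ? null : m[4] };
}

// Semver ordering, simplified: numeric core first; a release outranks any prerelease of
// the same core; prerelease tags are compared as plain strings (enough for floor checks).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every resolved version per package from the top-level `packages:` section.
// Handles v6 keys (`  /name@1.2.3:`), v9 keys (`  name@1.2.3:`), quoted scoped names
// (`  '@scope/name@1.2.3':`) and trailing peer suffixes such as `(jiti@2.4.2)`.
function parseLockfilePackages(text) {
  const keyRe = /^  '?\/?(@?[^@'\s/]+(?:\/[^@'\s]+)?)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/;
  const found = new Map();
  let inPackages = false;
  for (const line of text.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // any other top-level key ends the section
    if (!inPackages) continue;
    const m = keyRe.exec(line);
    if (!m) continue;
    if (!found.has(m[1])) found.set(m[1], []);
    found.get(m[1]).push(m[2]);
  }
  return found;
}

// Return every (name, version) resolved below its floor. pnpm can resolve several versions
// of one package side by side, so each resolution is checked on its own.
function findStuckVersions(lockText, floors) {
  const packages = parseLockfilePackages(lockText);
  const stuck = [];
  for (const f of floors) {
    for (const version of packages.get(f.name) || []) {
      if (f.onlyMajor !== undefined && parseVersion(version).nums[0] !== f.onlyMajor) continue;
      if (compareVersions(version, f.floor) < 0) stuck.push({ name: f.name, version, floor: f.floor });
    }
  }
  return stuck;
}

for (const s of findStuckVersions(SAMPLE_LOCK, FLOORS)) {
  console.log(`${s.name}@${s.version} is below floor ${s.floor}`);
}
```

On the constructed excerpt this flags hono@4.12.14 and undici@5.29.0 and accepts ajv 6.15.0, fast-uri 3.1.2 and ip-address 10.2.0. To run it against a real checkout, replace `SAMPLE_LOCK` with `require('fs').readFileSync('oss/pnpm-lock.yaml', 'utf8')` and fail the CI step when the returned list is non-empty; that turns the manual "verified post-bump resolutions" note into a check that runs on every lockfile change.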
Bumps [testcontainers](https://github.com/testcontainers/testcontainers-node) from 10.28.0 to 11.14.0.
- [Release notes](https://github.com/testcontainers/testcontainers-node/releases)
- [Commits](testcontainers/testcontainers-node@v10.28.0...v11.14.0)

---
updated-dependencies:
- dependency-name: testcontainers
  dependency-version: 11.14.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
474e026 to aeffb2f
Bumps testcontainers from 10.28.0 to 11.14.0.

Release notes
Sourced from testcontainers's releases.
... (truncated)

Commits
- afe8b72 Document LocalStack authentication requirements (#1295)
- 841179f Only include TS files in test coverage paths (#1294)
- 4b470b5 Add auto cleanup control for containers and compose (#1293)
- 74b2453 Add support for running in parallel for distinct UIDs (#1276)
- a6c5358 Bump the dependencies group across 14 directories with 13 updates (#1289)
- d0a1df4 Bump the dependencies group across 1 directory with 21 updates (#1287)
- e881d49 Bump mkdocs-material from 9.7.5 to 9.7.6 in the dependencies group (#1278)
- 9c94bde Bump the dependencies group across 11 directories with 10 updates (#1279)
- 6b78e96 Bump the dependencies group with 19 updates (#1280)
- a20ac80 Fix etcd/vault `repository.url` in package.json (#1273)