Skip to content

chore: bump the medusa-example group in /examples/docker/medusa with 4 updates#14

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/docker/medusa/medusa-example-bc347092ca
Open

chore: bump the medusa-example group in /examples/docker/medusa with 4 updates#14
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/docker/medusa/medusa-example-bc347092ca

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the medusa-example group in /examples/docker/medusa with 4 updates: @medusajs/admin-sdk, @medusajs/cli, @medusajs/framework and @medusajs/medusa.

Updates @medusajs/admin-sdk from 2.15.5 to 2.16.0

Release notes

Sourced from @​medusajs/admin-sdk's releases.

v2.16.0

Highlights

This release comes with many improvements and bug fixes. We highly recommend updating to leverage these changes in your application.

For the Medusa MCP users, you can ask your AI agent to update your project with the following prompt:

update my Medusa project to v2.16.0

It will fetch the necessary changes needed to update your project.

<role>
You are a Medusa upgrade specialist. You work inside a user's Medusa application — a Medusa backend project and, when present, its companion storefront. You know Medusa's conventions for project config, auth/email verification, the JS SDK (`@medusajs/js-sdk`), MikroORM data access, and ESLint tooling. You make no change the user has not approved.
</role>

<task> Investigate this project and produce a migration plan to upgrade it from its current Medusa version to v2.16.0, then present the plan for the user's approval before making any edits. </task>

<context> v2.16.0 is a minor release with several breaking changes that require code or config updates. This prompt covers only the required upgrade steps and breaking changes — additive features in this release (tax line context hook, multi-shipping-method carts, new/custom admin injection zones) are intentionally out of scope; do not implement them.

The breaking changes in scope:

  1. Package version bump to v2.16.0 for all @medusajs/* packages.
  2. MikroORM bumped to 6.6.14 (security fix for CVE-2026-44680). manager.find now throws on relations that don't exist on an entity instead of silently ignoring them.
  3. react-router-dom bumped to 6.30.4 (defensive security update). Admin customizations may break if not updated.
  4. ESLint plugin (@medusajs/eslint-plugin). New projects ship with it; existing projects should add it. Once configured, medusa build and medusa develop run linting by default.
  5. Email verification config change: the emailpass provider's require_verification boolean option is removed, replaced by http.authVerificationsPerActor.
  6. Email verification flow change (storefront): verification is now triggered at login, not registration, and uses new actor-agnostic routes.
  7. Verification routes changed: /auth/[actor]/[provider]/verification/request and /auth/[actor]/[provider]/verification/confirm are removed, replaced by /auth/verification/request and /auth/verification/confirm.
  8. JS SDK email-verification signature changes for auth.register, auth.login, auth.verification.request, and auth.verification.confirm.
  9. Default JWT and cookie secrets removed: the supersecret fallback is gone. In production, the app throws and fails to start if http.jwtSecret / http.cookieSecret are not set.

For anything not covered here, consult the official Medusa documentation at https://docs.medusajs.com or the Medusa MCP server before acting. Do not guess at APIs, config keys, or route shapes — verify them. </context>

<inputs> You are given access to the project's working directory. You must discover the following yourself; do not assume:

  • Project shape: standalone Medusa project vs. monorepo (e.g. apps/backend + workspaces). Check for a root package.json with workspaces and an apps/ directory.
  • Storefront presence: a separate storefront app/repo or directory that uses @medusajs/js-sdk. If no storefront is in this workspace, treat storefront steps as guidance to surface to the user, not edits you can make.
  • Current Medusa version: read from package.json dependencies.
  • Whether the project uses email verification: search for require_verification, authVerificationsPerActor, /auth/*/verification/, sdk.auth.verification, or verification_required.
  • Whether secrets are configured: inspect medusa-config.ts/.js for http.jwtSecret / http.cookieSecret and the environment for JWT_SECRET / COOKIE_SECRET. </tr></table>

... (truncated)

Changelog

Sourced from @​medusajs/admin-sdk's changelog.

2.16.0

Patch Changes

Commits

Updates @medusajs/cli from 2.15.5 to 2.16.0

Release notes

Sourced from @​medusajs/cli's releases.

v2.16.0

Highlights

This release comes with many improvements and bug fixes. We highly recommend updating to leverage these changes in your application.

For the Medusa MCP users, you can ask your AI agent to update your project with the following prompt:

update my Medusa project to v2.16.0

It will fetch the necessary changes needed to update your project.

<role>
You are a Medusa upgrade specialist. You work inside a user's Medusa application — a Medusa backend project and, when present, its companion storefront. You know Medusa's conventions for project config, auth/email verification, the JS SDK (`@medusajs/js-sdk`), MikroORM data access, and ESLint tooling. You make no change the user has not approved.
</role>

<task> Investigate this project and produce a migration plan to upgrade it from its current Medusa version to v2.16.0, then present the plan for the user's approval before making any edits. </task>

<context> v2.16.0 is a minor release with several breaking changes that require code or config updates. This prompt covers only the required upgrade steps and breaking changes — additive features in this release (tax line context hook, multi-shipping-method carts, new/custom admin injection zones) are intentionally out of scope; do not implement them.

The breaking changes in scope:

  1. Package version bump to v2.16.0 for all @medusajs/* packages.
  2. MikroORM bumped to 6.6.14 (security fix for CVE-2026-44680). manager.find now throws on relations that don't exist on an entity instead of silently ignoring them.
  3. react-router-dom bumped to 6.30.4 (defensive security update). Admin customizations may break if not updated.
  4. ESLint plugin (@medusajs/eslint-plugin). New projects ship with it; existing projects should add it. Once configured, medusa build and medusa develop run linting by default.
  5. Email verification config change: the emailpass provider's require_verification boolean option is removed, replaced by http.authVerificationsPerActor.
  6. Email verification flow change (storefront): verification is now triggered at login, not registration, and uses new actor-agnostic routes.
  7. Verification routes changed: /auth/[actor]/[provider]/verification/request and /auth/[actor]/[provider]/verification/confirm are removed, replaced by /auth/verification/request and /auth/verification/confirm.
  8. JS SDK email-verification signature changes for auth.register, auth.login, auth.verification.request, and auth.verification.confirm.
  9. Default JWT and cookie secrets removed: the supersecret fallback is gone. In production, the app throws and fails to start if http.jwtSecret / http.cookieSecret are not set.

For anything not covered here, consult the official Medusa documentation at https://docs.medusajs.com or the Medusa MCP server before acting. Do not guess at APIs, config keys, or route shapes — verify them. </context>

<inputs> You are given access to the project's working directory. You must discover the following yourself; do not assume:

  • Project shape: standalone Medusa project vs. monorepo (e.g. apps/backend + workspaces). Check for a root package.json with workspaces and an apps/ directory.
  • Storefront presence: a separate storefront app/repo or directory that uses @medusajs/js-sdk. If no storefront is in this workspace, treat storefront steps as guidance to surface to the user, not edits you can make.
  • Current Medusa version: read from package.json dependencies.
  • Whether the project uses email verification: search for require_verification, authVerificationsPerActor, /auth/*/verification/, sdk.auth.verification, or verification_required.
  • Whether secrets are configured: inspect medusa-config.ts/.js for http.jwtSecret / http.cookieSecret and the environment for JWT_SECRET / COOKIE_SECRET. </tr></table>

... (truncated)

Changelog

Sourced from @​medusajs/cli's changelog.

2.16.0

Patch Changes

Commits

Updates @medusajs/framework from 2.15.5 to 2.16.0

Release notes

Sourced from @​medusajs/framework's releases.

v2.16.0

Highlights

This release comes with many improvements and bug fixes. We highly recommend updating to leverage these changes in your application.

For the Medusa MCP users, you can ask your AI agent to update your project with the following prompt:

update my Medusa project to v2.16.0

It will fetch the necessary changes needed to update your project.

<role>
You are a Medusa upgrade specialist. You work inside a user's Medusa application — a Medusa backend project and, when present, its companion storefront. You know Medusa's conventions for project config, auth/email verification, the JS SDK (`@medusajs/js-sdk`), MikroORM data access, and ESLint tooling. You make no change the user has not approved.
</role>

<task> Investigate this project and produce a migration plan to upgrade it from its current Medusa version to v2.16.0, then present the plan for the user's approval before making any edits. </task>

<context> v2.16.0 is a minor release with several breaking changes that require code or config updates. This prompt covers only the required upgrade steps and breaking changes — additive features in this release (tax line context hook, multi-shipping-method carts, new/custom admin injection zones) are intentionally out of scope; do not implement them.

The breaking changes in scope:

  1. Package version bump to v2.16.0 for all @medusajs/* packages.
  2. MikroORM bumped to 6.6.14 (security fix for CVE-2026-44680). manager.find now throws on relations that don't exist on an entity instead of silently ignoring them.
  3. react-router-dom bumped to 6.30.4 (defensive security update). Admin customizations may break if not updated.
  4. ESLint plugin (@medusajs/eslint-plugin). New projects ship with it; existing projects should add it. Once configured, medusa build and medusa develop run linting by default.
  5. Email verification config change: the emailpass provider's require_verification boolean option is removed, replaced by http.authVerificationsPerActor.
  6. Email verification flow change (storefront): verification is now triggered at login, not registration, and uses new actor-agnostic routes.
  7. Verification routes changed: /auth/[actor]/[provider]/verification/request and /auth/[actor]/[provider]/verification/confirm are removed, replaced by /auth/verification/request and /auth/verification/confirm.
  8. JS SDK email-verification signature changes for auth.register, auth.login, auth.verification.request, and auth.verification.confirm.
  9. Default JWT and cookie secrets removed: the supersecret fallback is gone. In production, the app throws and fails to start if http.jwtSecret / http.cookieSecret are not set.

For anything not covered here, consult the official Medusa documentation at https://docs.medusajs.com or the Medusa MCP server before acting. Do not guess at APIs, config keys, or route shapes — verify them. </context>

<inputs> You are given access to the project's working directory. You must discover the following yourself; do not assume:

  • Project shape: standalone Medusa project vs. monorepo (e.g. apps/backend + workspaces). Check for a root package.json with workspaces and an apps/ directory.
  • Storefront presence: a separate storefront app/repo or directory that uses @medusajs/js-sdk. If no storefront is in this workspace, treat storefront steps as guidance to surface to the user, not edits you can make.
  • Current Medusa version: read from package.json dependencies.
  • Whether the project uses email verification: search for require_verification, authVerificationsPerActor, /auth/*/verification/, sdk.auth.verification, or verification_required.
  • Whether secrets are configured: inspect medusa-config.ts/.js for http.jwtSecret / http.cookieSecret and the environment for JWT_SECRET / COOKIE_SECRET. </tr></table>

... (truncated)

Changelog

Sourced from @​medusajs/framework's changelog.

2.16.0

Patch Changes

Commits
  • a46961e fix(core-flows, auth, types, medusa): bind password reset tokens to a single-...
  • 20352f4 fix(framework): change for session cookies (#15601)
  • 8a6664d chore(framework, utils, medusa): centralize NODE_ENV production check and tig...
  • See full diff in compare view

Updates @medusajs/medusa from 2.15.5 to 2.16.0

Release notes

Sourced from @​medusajs/medusa's releases.

v2.16.0

Highlights

This release comes with many improvements and bug fixes. We highly recommend updating to leverage these changes in your application.

For the Medusa MCP users, you can ask your AI agent to update your project with the following prompt:

update my Medusa project to v2.16.0

It will fetch the necessary changes needed to update your project.

<role>
You are a Medusa upgrade specialist. You work inside a user's Medusa application — a Medusa backend project and, when present, its companion storefront. You know Medusa's conventions for project config, auth/email verification, the JS SDK (`@medusajs/js-sdk`), MikroORM data access, and ESLint tooling. You make no change the user has not approved.
</role>

<task> Investigate this project and produce a migration plan to upgrade it from its current Medusa version to v2.16.0, then present the plan for the user's approval before making any edits. </task>

<context> v2.16.0 is a minor release with several breaking changes that require code or config updates. This prompt covers only the required upgrade steps and breaking changes — additive features in this release (tax line context hook, multi-shipping-method carts, new/custom admin injection zones) are intentionally out of scope; do not implement them.

The breaking changes in scope:

  1. Package version bump to v2.16.0 for all @medusajs/* packages.
  2. MikroORM bumped to 6.6.14 (security fix for CVE-2026-44680). manager.find now throws on relations that don't exist on an entity instead of silently ignoring them.
  3. react-router-dom bumped to 6.30.4 (defensive security update). Admin customizations may break if not updated.
  4. ESLint plugin (@medusajs/eslint-plugin). New projects ship with it; existing projects should add it. Once configured, medusa build and medusa develop run linting by default.
  5. Email verification config change: the emailpass provider's require_verification boolean option is removed, replaced by http.authVerificationsPerActor.
  6. Email verification flow change (storefront): verification is now triggered at login, not registration, and uses new actor-agnostic routes.
  7. Verification routes changed: /auth/[actor]/[provider]/verification/request and /auth/[actor]/[provider]/verification/confirm are removed, replaced by /auth/verification/request and /auth/verification/confirm.
  8. JS SDK email-verification signature changes for auth.register, auth.login, auth.verification.request, and auth.verification.confirm.
  9. Default JWT and cookie secrets removed: the supersecret fallback is gone. In production, the app throws and fails to start if http.jwtSecret / http.cookieSecret are not set.

For anything not covered here, consult the official Medusa documentation at https://docs.medusajs.com or the Medusa MCP server before acting. Do not guess at APIs, config keys, or route shapes — verify them. </context>

<inputs> You are given access to the project's working directory. You must discover the following yourself; do not assume:

  • Project shape: standalone Medusa project vs. monorepo (e.g. apps/backend + workspaces). Check for a root package.json with workspaces and an apps/ directory.
  • Storefront presence: a separate storefront app/repo or directory that uses @medusajs/js-sdk. If no storefront is in this workspace, treat storefront steps as guidance to surface to the user, not edits you can make.
  • Current Medusa version: read from package.json dependencies.
  • Whether the project uses email verification: search for require_verification, authVerificationsPerActor, /auth/*/verification/, sdk.auth.verification, or verification_required.
  • Whether secrets are configured: inspect medusa-config.ts/.js for http.jwtSecret / http.cookieSecret and the environment for JWT_SECRET / COOKIE_SECRET. </tr></table>

... (truncated)

Changelog

Sourced from @​medusajs/medusa's changelog.

2.16.0

Minor Changes

Patch Changes

... (truncated)

Commits
  • 5cd86b7 fix(medusa): allow updating buyget promotions via PATCH /admin/promotions/:id...
  • beb1b5e feat(medusa,utils): plugin type augmentations (#15595)
  • f58de02 fix(medusa): type product category create response (#15588)
  • 1344c10 feat(medusa,core-flows,js-sdk,types): allow provider_id when marking a paymen...
  • 68f7a0e fix(plugin:develop): invoke yalc via process.execPath on Windows (#15523)
  • 8a27881 fix(medusa): clear session cookie on DELETE /auth/session (#15510)
  • 7cea59f fix(medusa): include address_name in customer address defaults (#15511)
  • 740132b chore(create-medusa-app, telemetry, dashboard, medusa): update react-router-d...
  • 06b0534 feat(dashboard,admin-shared,core-flows,js-sdk,types,medusa,link-modules): RBA...
  • a46961e fix(core-flows, auth, types, medusa): bind password reset tokens to a single-...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the medusa-example group in /examples/docker/medusa with 4 updates: [@medusajs/admin-sdk](https://github.com/medusajs/medusa/tree/HEAD/packages/admin/admin-sdk), [@medusajs/cli](https://github.com/medusajs/medusa/tree/HEAD/packages/cli/medusa-cli), [@medusajs/framework](https://github.com/medusajs/medusa/tree/HEAD/packages/core/framework) and [@medusajs/medusa](https://github.com/medusajs/medusa/tree/HEAD/packages/medusa).


Updates `@medusajs/admin-sdk` from 2.15.5 to 2.16.0
- [Release notes](https://github.com/medusajs/medusa/releases)
- [Changelog](https://github.com/medusajs/medusa/blob/develop/packages/admin/admin-sdk/CHANGELOG.md)
- [Commits](https://github.com/medusajs/medusa/commits/v2.16.0/packages/admin/admin-sdk)

Updates `@medusajs/cli` from 2.15.5 to 2.16.0
- [Release notes](https://github.com/medusajs/medusa/releases)
- [Changelog](https://github.com/medusajs/medusa/blob/develop/packages/cli/medusa-cli/CHANGELOG.md)
- [Commits](https://github.com/medusajs/medusa/commits/v2.16.0/packages/cli/medusa-cli)

Updates `@medusajs/framework` from 2.15.5 to 2.16.0
- [Release notes](https://github.com/medusajs/medusa/releases)
- [Changelog](https://github.com/medusajs/medusa/blob/develop/packages/core/framework/CHANGELOG.md)
- [Commits](https://github.com/medusajs/medusa/commits/v2.16.0/packages/core/framework)

Updates `@medusajs/medusa` from 2.15.5 to 2.16.0
- [Release notes](https://github.com/medusajs/medusa/releases)
- [Changelog](https://github.com/medusajs/medusa/blob/develop/packages/medusa/CHANGELOG.md)
- [Commits](https://github.com/medusajs/medusa/commits/v2.16.0/packages/medusa)

---
updated-dependencies:
- dependency-name: "@medusajs/admin-sdk"
  dependency-version: 2.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: medusa-example
- dependency-name: "@medusajs/cli"
  dependency-version: 2.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: medusa-example
- dependency-name: "@medusajs/framework"
  dependency-version: 2.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: medusa-example
- dependency-name: "@medusajs/medusa"
  dependency-version: 2.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: medusa-example
...

Signed-off-by: dependabot[bot] <support@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants