Production Release 2026-03-04#1635

Merged

tackley merged 9 commits into prod from master, Mar 4, 2026

Conversation

tackley and others added 7 commits January 22, 2026 13:00
Resolves GHSA-xxjr-mmjv-4gpg

Note dependabot had a go at fixing this in
#1626 but didn't correctly add the
overrides so didn't cover all cases.

This PR is a result of running `pnpm audit --fix`.
Apparently dependabot doesn't understand overrides properly. So update
the direct inclusion too. If you look at the lockfile diff, this makes
no difference to the included versions (which were already updated), but
it should convince dependabot that we're not using the vulnerable
version.

Since we usually review these PRs on the day they are raised, reduce
noise both on the commit and PR history by only doing this on Mondays &
Thursdays.

Two build-time only ReDoS fixes:

1. upgrade minimatch to address
https://github.com/advisories/GHSA-3ppc-4f35-3m26

2. upgrade ajv where we can to address
GHSA-2g4f-4pwh-qvx6, but ignore the ghsa
until backfix to v6 is published. eslint requires v6.

The Renovate config in this repository needs migrating. Typically this
is because one or more configuration options you are using have been
renamed.

You don't need to merge this PR right away, because Renovate will
continue to migrate these fields internally each time it runs. But later
some of these fields may be fully deprecated and the migrations removed.
So it's a good idea to merge this migration PR soon.

🔕 **Ignore**: Close this PR and you won't be reminded about config
migration again, but one day your current config may no longer be valid.

❓ Got questions? Does something look wrong to you? Please don't hesitate
to [request help
here](https://redirect.github.com/renovatebot/renovate/discussions).


---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/brave/ads-ui).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@tackley tackley requested review from a team and CodePeters as code owners March 3, 2026 17:23
@github-actions github-actions bot changed the title next prod release Production Release 2026-03-03 Mar 3, 2026
@github-actions github-actions bot changed the title Production Release 2026-03-03 Production Release 2026-03-04 Mar 4, 2026
This PR introduces
https://github.com/simonhaenisch/prettier-plugin-organize-imports and
hooks that up to prettier. This automatically applies typescript's
built-in organise imports function to each file.

This will reduce needless diff noise from import changes. Most of this
PR is that re-organisation applied to existing files, by running pnpm
format.

github-actions bot commented Mar 4, 2026

📋 Code Owners Summary

185 file(s) changed, 185 with assigned owners

1 team(s) affected: @brave/ads-dev
2 individual(s) affected: @CodePeters, @tackley


Owners and Their Files

@brave/ads-dev — 183 file(s)

... and 178 more files

@tackley — 2 file(s)

@CodePeters — 2 file(s)


github-actions bot commented Mar 4, 2026

[puLL-Merge] - brave/ads-ui@1635

Description

This PR performs a comprehensive maintenance update including: security-related dependency upgrades (lodash, ajv, rollup, minimatch), addition of prettier-plugin-organize-imports to auto-sort imports, Renovate configuration adjustments (updated preset name and narrowed schedule to Monday/Thursday), and a @types/node major version bump from v20 to v25. The bulk of the diff consists of import statement reordering across nearly every source file, which is the effect of the new prettier plugin.

Possible Issues

  • @types/node major version bump (20 → 25): This is a significant jump that could introduce type incompatibilities if any code relies on Node.js type definitions that changed between these versions. It's listed as a devDependency so runtime risk is low, but it could cause compilation issues for contributors on older Node versions.
  • lodash 4.17.23: This version does not appear in the official lodash npm registry (which shows 4.17.21 as latest). If this is a fork or override artifact, it could cause confusion or issues during pnpm install. The pnpm.overrides forcing lodash@>=4.0.0 <=4.17.22 to >=4.17.23 suggests this is specifically to address a security advisory, but should be verified.

Security Hotspots

  1. lodash and lodash-es override to 4.17.23: The overrides force all lodash versions in the dependency tree to ≥4.17.23. Verify that version 4.17.23 actually exists on npm and addresses the intended CVE. If the version doesn't resolve correctly, the vulnerable version could still be installed.
  2. ajv override splitting (^6 → ^6.14.0, ^8 <8.18.0 → >=8.18.0): The ajv v6 override pins to ^6.14.0 — verify this version exists and resolves the prototype pollution vulnerability (CVE-2020-15366 was fixed in 6.12.3, but there may be newer advisories).
  3. pnpm.auditConfig.ignoreGhsas: []: Currently empty, which is fine. This is a good pattern but worth noting it exists for future reviews — any additions here should be scrutinized.
Changes

  • .github/renovate.json: Updated npm:unpublishSafe preset to security:minimumReleaseAgeNpm; narrowed update schedule to Monday and Thursday only.
  • .prettierrc.json: Added prettier-plugin-organize-imports plugin.
  • eslint.config.js: Import order reorganized by the new prettier plugin.
  • package.json: Bumped lodash to 4.17.23, added prettier-plugin-organize-imports dev dependency, added multiple pnpm.overrides for security (lodash, lodash-es, ajv, rollup, minimatch), added empty auditConfig.ignoreGhsas.
  • pnpm-lock.yaml: Reflects all dependency changes including @types/node 20→25, rollup 4.52→4.59, minimatch 3.1.2→3.1.5 and 9.0.5→9.0.9, ajv 6.12.6→6.14.0, and undici-types 5→7.
  • src/** (all source files): Import statements reorganized alphabetically by the organize-imports plugin. No logic changes.
  • vite.config.mts: Import order reorganized.
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Prettier as Prettier + organize-imports
    participant Renovate as Renovate Bot
    participant PNPM as pnpm

    Dev->>PNPM: pnpm install (with updated overrides)
    PNPM->>PNPM: Resolve lodash@4.17.23, ajv@6.14.0, rollup@4.59.0
    PNPM->>PNPM: Apply pnpm.overrides for transitive deps
    Dev->>Prettier: Format all files
    Prettier->>Prettier: Sort imports alphabetically via plugin
    Prettier-->>Dev: Reformatted source files
    Renovate->>Renovate: Use security:minimumReleaseAgeNpm preset
    Renovate->>Renovate: Schedule updates Mon/Thu 0-8am only
```
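The hotspot list above asks for one concrete check: that after `pnpm install` the overrides really did push every copy of lodash, ajv and minimatch out of the vulnerable ranges, rather than silently leaving a transitive copy behind. The script below is an added example, not code from the brave/ads-ui repository or from the puLL-Merge bot. It reads a pnpm v9 lockfile, collects every resolved `name@version` under `packages:`, and reports any that still fall inside an excluded range. The lockfile excerpt is constructed (two entries are deliberately left on old versions so the check has something to find), the `EXCLUDED_RANGES` boundaries are an assumption derived from the version floors named in this PR, and the tiny semver matcher only handles the comparator forms those ranges need.

```javascript
// Added example, not code from brave/ads-ui or from the puLL-Merge bot.
// After `pnpm install` has applied pnpm.overrides, scan pnpm-lock.yaml and
// confirm that no package still resolves to a version the overrides were
// meant to exclude. Node.js built-ins only; run with `node check-lock.js`.

// Constructed pnpm v9 lockfile excerpt (integrity values are placeholders).
// ajv@8.17.1 and lodash@4.17.21 are left in on purpose to show a miss.
const LOCKFILE_EXCERPT = `
lockfileVersion: '9.0'

packages:

  '@types/node@25.0.0':
    resolution: {integrity: sha512-PLACEHOLDER}

  ajv@6.14.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  ajv@8.17.1:
    resolution: {integrity: sha512-PLACEHOLDER}

  lodash@4.17.21:
    resolution: {integrity: sha512-PLACEHOLDER}

  lodash@4.17.23:
    resolution: {integrity: sha512-PLACEHOLDER}

  minimatch@9.0.9:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  lodash@4.17.23: {}
`;

// Ranges the overrides should have removed, as node-semver style comparator
// sets (space = AND, "||" = OR). Assumed from the floors named in the PR
// (lodash >=4.17.23, ajv ^6.14.0 / >=8.18.0, minimatch 3.1.5 and 9.0.9);
// confirm the real boundaries against each advisory before relying on them.
const EXCLUDED_RANGES = {
  lodash: '<4.17.23',
  ajv: '>=6.0.0 <6.14.0 || >=8.0.0 <8.18.0',
  minimatch: '<3.1.5 || >=9.0.0 <9.0.9',
};

// "x.y.z" -> [x, y, z]; prerelease/build suffixes are ignored, which is
// acceptable for a lockfile audit where only release versions are expected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator: >=, >, <=, <, = or ^ followed by a full x.y.z version.
function satisfiesComparator(ver, comp) {
  const m = /^(>=|<=|>|<|\^|=)?(\d+\.\d+\.\d+)$/.exec(comp);
  if (!m) throw new Error(`unsupported comparator: ${comp}`);
  const [, op = '=', target] = m;
  const t = parseVersion(target);
  const c = compare(ver, t);
  switch (op) {
    case '>=': return c >= 0;
    case '>': return c > 0;
    case '<=': return c <= 0;
    case '<': return c < 0;
    case '=': return c === 0;
    default: {
      // ^x.y.z means >=x.y.z <(x+1).0.0; for 0.y.z the minor is pinned too.
      const upper = t[0] > 0 ? [t[0] + 1, 0, 0] : [0, t[1] + 1, 0];
      return c >= 0 && compare(ver, upper) < 0;
    }
  }
}

function satisfies(version, range) {
  const ver = parseVersion(version);
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).every((comp) => satisfiesComparator(ver, comp)));
}

// Every resolved {name, version} listed under the top-level `packages:` key.
// Entries sit at two-space indent as `name@x.y.z:` (quoted for scoped names).
function resolvedPackages(lockfileText) {
  const found = [];
  let inPackages = false;
  for (const line of lockfileText.split('\n')) {
    if (/^\S/.test(line)) inPackages = line.startsWith('packages:');
    if (!inPackages) continue;
    const m = /^  '?(@?[^@'\s]+)@(\d+\.\d+\.\d+)/.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Resolutions that still land inside an excluded range; empty means clean.
function findVulnerableResolutions(lockfileText, excludedRanges) {
  return resolvedPackages(lockfileText).filter(
    ({ name, version }) =>
      name in excludedRanges && satisfies(version, excludedRanges[name]));
}

const hits = findVulnerableResolutions(LOCKFILE_EXCERPT, EXCLUDED_RANGES);
for (const { name, version } of hits) console.log(`still resolves: ${name}@${version}`);
```

Against a real checkout, replace `LOCKFILE_EXCERPT` with `fs.readFileSync('pnpm-lock.yaml', 'utf8')` and fail the CI job when the result is non-empty; that turns the "verify the override actually resolved" item into a repeatable gate rather than a one-off manual review step.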

To make clearer the different routes in for search and push.

<img width="1849" height="1067" alt="Screenshot 2026-03-03 at 17 45 15"
src="https://github.com/user-attachments/assets/bf8ecaf7-927b-48f4-aed3-f9854d78aec3"
/>
<img width="1849" height="1067" alt="Screenshot 2026-03-03 at 17 45 07"
src="https://github.com/user-attachments/assets/59019298-8855-4448-ba5c-494e9e50e1f0"
/>
@tackley tackley added this pull request to the merge queue Mar 4, 2026
Merged via the queue into prod with commit 41a5911 Mar 4, 2026
8 checks passed