Open
Conversation
Bumps [tar](https://github.com/isaacs/node-tar) to 7.5.11 and updates ancestor dependencies [tar](https://github.com/isaacs/node-tar), [@vercel/nft](https://github.com/vercel/nft) and [serverless](https://github.com/serverless/serverless). These dependencies need to be updated together. Updates `tar` from 4.4.19 to 7.5.11 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v4.4.19...v7.5.11) Updates `@vercel/nft` from 0.18.2 to 1.3.2 - [Release notes](https://github.com/vercel/nft/releases) - [Commits](vercel/nft@0.18.2...1.3.2) Updates `serverless` from 3.14.0 to 4.33.0 - [Release notes](https://github.com/serverless/serverless/releases) - [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md) - [Commits](https://github.com/serverless/serverless/compare/v3.14.0...sf-core@4.33.0) --- updated-dependencies: - dependency-name: tar dependency-version: 7.5.11 dependency-type: indirect - dependency-name: "@vercel/nft" dependency-version: 1.3.2 dependency-type: direct:production - dependency-name: serverless dependency-version: 4.33.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
📝 WalkthroughWalkthroughThis pull request updates two dependency versions in package.json: Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~4 minutes Poem
🚥 Pre-merge checks | ✅ 1 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@package.json`:
- Line 61: Update the repo's Node engine floor and TypeScript preset to match
bumped deps: change the "engines.node" value in package.json from ">=14.0.0" to
">=20.0.0" (or ">=20" per project style) so installs/CI cannot run on older Node
versions, and update tsconfig.json's "extends" from
"@tsconfig/node14/tsconfig.json" to a Node 20-compatible preset (e.g.,
"@tsconfig/node20/tsconfig.json" or an equivalent) so the TypeScript config
aligns with Node 20.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 0984ab57-8ce8-47fa-8e8a-977b1764c7ce
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (1)
package.json
| "lint-staged": "^12.3.8", | ||
| "prettier": "^2.6.2", | ||
| "serverless": "3.14.0", | ||
| "serverless": "4.33.0", |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Local package metadata =="
jq '{engines, dependencies: { "@vercel/nft": .dependencies["@vercel/nft"] }, devDependencies: { "serverless": .devDependencies.serverless }}' package.json
echo
echo "== Repo references to older Node targets =="
rg -n --glob '!node_modules/**' '@tsconfig/node14|node14|\"node\"\\s*:' .
echo
echo "== Published metadata for bumped packages =="
python - <<'PY'
import json, urllib.parse, urllib.request
for name, version in [("@vercel/nft", "1.3.2"), ("serverless", "4.33.0")]:
url = f"https://registry.npmjs.org/{urllib.parse.quote(name, safe='')}/{version}"
with urllib.request.urlopen(url) as r:
data = json.load(r)
print(f"{name}@{version}")
print(" engines:", data.get("engines"))
print(" postinstall:", data.get("scripts", {}).get("postinstall"))
PYRepository: neofinancial/serverless-plugin-neo
Length of output: 449
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Repo references to Node 14/16 targets =="
rg -n --glob '!node_modules/**' '(`@tsconfig/node14`|node14|engines)' . 2>/dev/null || echo "No matches found"
echo
echo "== Published metadata for bumped packages =="
python3 - <<'PY'
import json
import urllib.parse
import urllib.request
for name, version in [("@vercel/nft", "1.3.2"), ("serverless", "4.33.0")]:
try:
url = f"https://registry.npmjs.org/{urllib.parse.quote(name, safe='')}/{version}"
with urllib.request.urlopen(url, timeout=10) as r:
data = json.load(r)
print(f"\n{name}@{version}")
if "engines" in data:
print(f" engines: {data['engines']}")
else:
print(f" engines: not specified")
except Exception as e:
print(f"\nError fetching {name}@{version}: {e}")
PYRepository: neofinancial/serverless-plugin-neo
Length of output: 22084
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Fetch npm package metadata via curl (insecure) =="
for name in "@vercel/nft" "serverless"; do
case "$name" in
"@vercel/nft")
version="1.3.2"
encoded_name="@vercel%2Fnft"
;;
"serverless")
version="4.33.0"
encoded_name="serverless"
;;
esac
echo ""
echo "=== $name@$version ==="
curl -s -k "https://registry.npmjs.org/${encoded_name}/${version}" | python3 -m json.tool 2>/dev/null | grep -A 10 '"engines"' || echo " engines: not found"
doneRepository: neofinancial/serverless-plugin-neo
Length of output: 961
Raise the repo's Node floor to >=20 to match the bumped dependencies.
Both @vercel/nft@1.3.2 (dependencies) and serverless@4.33.0 (devDependencies) require higher Node versions than this repo declares: @vercel/nft requires >=20, while serverless requires >=18.0.0. The repo currently advertises >=14.0.0, which is inconsistent and will allow installs/CI on incompatible Node versions. Update package.json:11 to at least >=20.0.0, and consider updating tsconfig.json:2 from @tsconfig/node14 to a Node 20-compatible preset.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@package.json` at line 61, Update the repo's Node engine floor and TypeScript
preset to match bumped deps: change the "engines.node" value in package.json
from ">=14.0.0" to ">=20.0.0" (or ">=20" per project style) so installs/CI
cannot run on older Node versions, and update tsconfig.json's "extends" from
"@tsconfig/node14/tsconfig.json" to a Node 20-compatible preset (e.g.,
"@tsconfig/node20/tsconfig.json" or an equivalent) so the TypeScript config
aligns with Node 20.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps tar to 7.5.11 and updates ancestor dependencies tar, @vercel/nft and serverless. These dependencies need to be updated together.
Updates
tarfrom 4.4.19 to 7.5.11Release notes
Sourced from tar's releases.
Changelog
Sourced from tar's changelog.
... (truncated)
Commits
bf776f67.5.11f48b5faprevent escaping symlinks with drive-relative paths97cff15docs: more security info2b72abc7.5.107bc755dparse root off paths before sanitizing .. partsc8cb846update deps1f0c2c97.5.9fbb0851build minified version as default export6b8eba07.5.82cb1120fix(unpack): improve UnpackSync symlink error "into" path accuracyMaintainer changes
This version was pushed to npm by isaacs, a new releaser for tar since your current version.
Install script changes
This version adds
preparescript that runs during installation. Review the package contents before updating.Updates
@vercel/nftfrom 0.18.2 to 1.3.2Release notes
Sourced from
@vercel/nft's releases.... (truncated)
Commits
0ce8e2cfix: do not follow absolute paths outside job base (#568)8f6a609fix: Resolve symlinks relative to real file location (#564)34f1ec7feat: add depth option (#561)67038d5feat: supportmodule.createRequirewhenmixedModules: false(#558)1e455b0fix: evaluate nested export conditions when resolving a module-sync fallback ...684032bfeat: Ensure module-sync conditions also trace cjs fallback (#550)b327dbachore: bump npm@11.6.3 (#555)6fb8680feat: bump glob@13 and set engines node@20 (#554)4e0a9a2fix: Bump glob from 10.4.5 to 10.5.0 (#551)b2ac206chore: Bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 ...Maintainer changes
This version was pushed to npm by vercel-release-bot, a new releaser for
@vercel/nftsince your current version.Updates
serverlessfrom 3.14.0 to 4.33.0Release notes
Sourced from serverless's releases.
... (truncated)
Commits
406252echore: release 4.33.0 (#13364)f308babfix(tests): update path handling and Python binary detection for Windows comp...5bffeeedocs(agents): add configuration guide to menu and fix comment formatting (#13...83677fdfeat: add Bedrock AgentCore integration for AI agents (#13353)1e5fd26chore(deps): update minimatch in prod deps (#13363)e4c2b47chore(deps): bump the aws-sdk group with 30 updates (#13357)1f0abd8feat(dev-mode): match shim runtime to local Node.js version (#13362)d0d9ee3chore(deps): bump is-wsl from 3.1.0 to 3.1.1 in the patch-updates group (#13358)34ab370chore(deps): bump@slack/web-apifrom 7.13.0 to 7.14.0 (#13359)4e5460fchore(deps): bump golang.org/x/mod in /binary-installer (#13356)Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serverless since your current version.
Install script changes
This version modifies
postinstallscript that runs during installation. Review the package contents before updating.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by CodeRabbit