build(deps): bump h3 from 2.0.1-rc.11 to 2.0.1-rc.15 in the npm_and_yarn group across 1 directory#1025
Conversation
Bumps the npm_and_yarn group with 1 update in the / directory: [h3](https://github.com/h3js/h3).

Updates `h3` from 2.0.1-rc.11 to 2.0.1-rc.15
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/main/CHANGELOG.md)
- [Commits](h3js/h3@v2.0.1-rc.11...v2.0.1-rc.15)

---
updated-dependencies:
- dependency-name: h3
  dependency-version: 2.0.1-rc.15
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Greptile Summary
This Dependabot PR bumps
Confidence Score: 3/5
| "convex-helpers": "^0.1.114", | ||
| "fflate": "^0.8.2", | ||
| "h3": "2.0.1-rc.11", | ||
| "h3": "2.0.1-rc.15", |
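Review bot: this version line is the only change in the diff, and there is no accompanying `bun.lock` hunk, so the exact pin `"h3": "2.0.1-rc.15"` (no range operator) will not match what the lockfile resolves until the lockfile is regenerated; include the regenerated `bun.lock` in this same PR and confirm locally with `bun install --frozen-lockfile`, the command the CI and deploy workflows use, so that the workflows do not fail on the mismatch.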
**`bun.lock` not updated — security fixes won't take effect**
The `bun.lock` file still pins `h3` to `2.0.1-rc.11` (see line 29 and 948 in `bun.lock`). Because Bun resolves packages from the lockfile, the actual installed version will remain `rc.11` until a developer runs `bun install` and commits the updated lockfile.
This matters because `rc.15` includes two security fixes:
- SSE injection prevention (`fix(sse): sanitize newlines in event stream fields`)
- Path traversal prevention (`fix(static): prevent path traversal via percent-encoded dot segments`)
Neither of these will be applied in practice until the lockfile is updated. Dependabot does not handle `bun.lock`, so the lockfile needs to be manually updated before merging:
```
bun install
git add bun.lock
git commit -m "chore: update bun.lock for h3 bump to 2.0.1-rc.15"
```
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bff2a29f11
| "convex-helpers": "^0.1.114", | ||
| "fflate": "^0.8.2", | ||
| "h3": "2.0.1-rc.11", | ||
| "h3": "2.0.1-rc.15", |
Regenerate bun.lock for the h3 version bump
This changes package.json to h3@2.0.1-rc.15, but the committed bun.lock still pins the top-level dependency to 2.0.1-rc.11 (bun.lock:29, bun.lock:948-950). That mismatch is release-blocking here because our checked-in workflows install with bun install --frozen-lockfile (.github/workflows/ci.yml:20-21 and .github/workflows/deploy.yml:61-62/93-94/122-123), and Bun documents --frozen-lockfile as “Disallow changes to lockfile.” In CI/deploy, the install step will therefore fail until the lockfile is regenerated and committed alongside this version bump.
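A lockfile-drift check for the mismatch both reviews describe, added here as an example; it is neither the project's code nor either bot's output. It assumes the `bun.lock` layout (a `workspaces[""].dependencies` map holding the declared specifier, and a `packages` map whose entries start with `name@version`), and uses constructed excerpts of `package.json` and `bun.lock` in place of the real files.

```javascript
// Added example: detect package.json vs bun.lock drift for one dependency.
// Assumption: bun.lock is JSON with trailing commas, holding the declared
// specifier under workspaces[""].dependencies and the resolved version as
// the first element of packages[name]. All inputs below are constructed.

const PACKAGE_JSON = `{
  "name": "example-app",
  "dependencies": {
    "fflate": "^0.8.2",
    "h3": "2.0.1-rc.15"
  }
}`;

// Constructed excerpt mimicking a stale bun.lock that still pins h3 to rc.11.
const BUN_LOCK = `{
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "name": "example-app",
      "dependencies": {
        "fflate": "^0.8.2",
        "h3": "2.0.1-rc.11",
      },
    },
  },
  "packages": {
    "fflate": ["fflate@0.8.2", "", {}, "sha512-PLACEHOLDER"],
    "h3": ["h3@2.0.1-rc.11", "", {}, "sha512-PLACEHOLDER"],
  },
}`;

// bun.lock allows trailing commas, which JSON.parse rejects; strip them first.
function parseLockfile(text) {
  return JSON.parse(text.replace(/,(\s*[}\]])/g, "$1"));
}

// Compares the declared specifier with both lockfile records for `name`.
function checkDrift(pkgJsonText, lockText, name) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = parseLockfile(lockText);
  const declared = pkg.dependencies?.[name] ?? pkg.devDependencies?.[name] ?? null;
  const workspacePin = lock.workspaces?.[""]?.dependencies?.[name] ?? null;
  const entry = lock.packages?.[name]?.[0] ?? "";
  const packagePin = entry.startsWith(name + "@") ? entry.slice(name.length + 1) : null;
  // Ranges (^, ~) legitimately resolve to a different concrete version, so the
  // resolved package is only compared when package.json pins an exact version.
  const exact = /^\d/.test(declared ?? "");
  const drifted = declared !== workspacePin || (exact && declared !== packagePin);
  return { declared, workspacePin, packagePin, drifted };
}
```

Running `checkDrift(PACKAGE_JSON, BUN_LOCK, "h3")` reports drift (declared `2.0.1-rc.15`, lockfile `2.0.1-rc.11`), which is the state this PR is in until `bun install` regenerates the lockfile.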
Looks like h3 is no longer updatable, so this is no longer needed.
Commits
- `9136183` chore(release): v2.0.1-rc.15
- `6da10a9` chore: update deps
- `0e751b4` fix(static): prevent path traversal via percent-encoded dot segments
- `7791538` fix(sse): sanitize newlines in event stream fields to prevent SSE injection
- `1689ee3` docs: add unjwt community library entry (#1309)
- `45de3dc` build: bundle docs as skill + h3 docs (#1311)
- `52c82e1` chore: add agents.md
- `8d0dda8` chore: rename format script to fmt
- `0575cb8` feat(handler): new defineJsonRpcHandler and defineJsonRpcWebSocketHandler
- ...
- `c037c0d` chore: update deps

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.