chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#145
chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#145dependabot[bot] wants to merge 1 commit into
Conversation
…dates Bumps the npm_and_yarn group with 2 updates in the / directory: [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js) and [esbuild](https://github.com/evanw/esbuild). Updates `@opentelemetry/core` from 2.7.1 to 2.8.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-js@v2.7.1...v2.8.0) Updates `esbuild` from 0.27.7 to 0.28.1 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](evanw/esbuild@v0.27.7...v0.28.1) --- updated-dependencies: - dependency-name: "@opentelemetry/core" dependency-version: 2.8.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.28.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Dependabot PR ReviewSummary: Minor version bumps — no breaking changes noted.
🔒 Security Advisories in esbuild 0.28.1This update patches two security vulnerabilities — upgrading is recommended:
Both are dev-time issues (local dev server / install script), not production runtime vulnerabilities, but upgrading is still the right call. CI StatusCI checks are still in progress. Will approve and enable auto-merge once all checks pass. Generated by Claude Code |
📸 Visual snapshotsScreenshots captured for this PR — view all artifacts.
|
FrancesCoronel
left a comment
There was a problem hiding this comment.
Minor version bumps (@opentelemetry/core 2.7.1→2.8.0, esbuild 0.27.7→0.28.1), no breaking changes noted. Core CI is green: Lint, Type check, Playwright, and Lighthouse all passed. Security audit and Claude Code Review failures are pre-existing/unrelated to this bump — Security audit is failing on already-known transitive vulnerabilities (gray-matter/js-yaml, markdown-it, postcss via next) present on main regardless of this PR, and Claude Code Review fails because dependabot-triggered workflows aren't in the allowed_bots list (a CI config gap, not a code issue). Approving and enabling auto-merge.
Generated by Claude Code
Dependabot PR Review — updateCI is still failing on this PR, but not because of the dependency bump itself:
Per policy I'm holding off on approve/auto-merge while CI shows red, but this specific PR's diff looks safe (both are minor bumps, and esbuild 0.28.1 actually fixes two low-impact esbuild security advisories — see prior comment). Two things worth addressing independently of this PR:
Generated by Claude Code |
Follow-upThis PR ( Not auto-approving/merging — this needs a decision on whether to fix/suppress the underlying audit findings (e.g. Generated by Claude Code |
Dependabot PR Review — updateThis PR has been open for 2 weeks and CI is still failing on the same two checks as when I last reviewed it:
This is a repo-wide CI configuration issue, not something specific to this PR — it's currently blocking every open Dependabot PR (#145–#154) from ever going green. Still holding off on approval/auto-merge. Reiterating from my previous review: the Generated by Claude Code |
Bumps the npm_and_yarn group with 2 updates in the / directory: @opentelemetry/core and esbuild.
Updates
@opentelemetry/corefrom 2.7.1 to 2.8.0Release notes
Sourced from @opentelemetry/core's releases.
Changelog
Sourced from @opentelemetry/core's changelog.
Commits
13a035bchore: prepare next release (#6756)4b13587Merge commit from fork71d195cchore(renovate): set minimumReleaseAge to 3 days (#6792)555fca6Update renovate.json to use matchManagers (#6141)b711a81docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...da70402fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)002267bchore: complete the move to the smaller SPDX license header (#6791)056ef9cfeat(sdk-metrics): implement metric reader metrics (#6449)3bd69cefix(configuration): improve environment variable substitution to handle all t...bfbda7cdocs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...Updates
esbuildfrom 0.27.7 to 0.28.1Release notes
Sourced from esbuild's releases.
... (truncated)
Changelog
Sourced from esbuild's changelog.
... (truncated)
Commits
bb9db84publish 0.28.1 to npm9ff053esecurity: add integrity checks to the Deno API0a9bf21enforce non-negative size in gzip parsere2a1a71security: forbid\\in local dev server requests83a2cbffix #4482: don't inlineusingdeclarations308ad74fix #4471: renaming of nestedvardeclarationsf013f5ffix some typosaafd6e4chore: fix some minor issues in comments (#4462)15300c3follow up: cjs evaluation fixes1bda0c3fix #4461, fix #4467: esm evaluation fixesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.