
Bump lodash and @graphql-codegen/cli in /catalog #4700

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/catalog/multi-8d2a5fabc6

Conversation


@dependabot dependabot bot commented on behalf of github Jan 21, 2026

Bumps lodash and @graphql-codegen/cli. These dependencies needed to be updated together.
Updates lodash from 4.17.21 to 4.17.23

Commits

Updates @graphql-codegen/cli from 1.21.8 to 6.1.1

Changelog

Sourced from @graphql-codegen/cli's changelog.

6.1.1

Patch Changes

  • #10569 8cb7d43 Thanks @etr2460! - fix(graphql-codegen-cli): Don't hang when 0 CPUs are found

    Fixes generation when 0 CPUs are returned by os.cpus(), which occurs in sandbox environments.

6.1.0

Minor Changes

Patch Changes

  • Updated dependencies [9e70bcb]:
    • @graphql-codegen/plugin-helpers@6.1.0
    • @graphql-codegen/client-preset@5.2.0

6.0.2

Patch Changes

6.0.1

Patch Changes

  • #10468 cb1b9d9 Thanks @eddeee888! - In watch mode, do not write output on failure

    Previously, on partial or full failure, watch mode still wrote to output. However, since the output would be an empty array, it would then call removeStaleFiles internally to remove all previously generated files.

    This patch puts a temporary fix in place to avoid writing output on any failure, to fix the described behaviour.

    This also means that config.allowPartialOutputs does not work in watch mode for now.

6.0.0

Major Changes

... (truncated)

Commits
  • 62c7618 chore(release): update monorepo packages versions (#10570)
  • 8cb7d43 fix(graphql-codegen-cli): Don't hang when 0 CPUs are found (#10569)
  • bec7e74 chore(release): update monorepo packages versions (#10513)
  • 9e70bcb feat: add importExtension configuration option (#10510)
  • 135ce4d chore(release): update monorepo packages versions (#10484)
  • aad7f03 fix(deps): update graphql-tools (major) (#10430)
  • c87b779 [CLI] Create watcher.run.spec to test actual running behaviour (#10474)
  • ed30b56 chore(deps): update dependency vitest to v4 (#10475)
  • 8fd495f chore(release): update monorepo packages versions (#10469)
  • cb1b9d9 CODEGEN-866 [CLI] Fix generated files disappearing in watch mode (#10468)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by theguild-bot, a new releaser for @graphql-codegen/cli since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR updates two dependencies in the catalog: lodash (security fix) and @graphql-codegen/cli (major version upgrade).

Key Changes:

  • lodash: 4.17.21 → 4.17.23 (fixes prototype pollution in baseUnset function - good security update)
  • @graphql-codegen/cli: 1.21.8 → 6.1.1 (5 major versions jump)

Critical Issue:
The @graphql-codegen/cli was upgraded from v1 to v6, but all related plugins remain at v1 (near-operation-file-preset, typed-document-node, typescript, typescript-operations, urql-introspection). This version mismatch will likely cause compatibility issues when running the gql:generate script. The v6 CLI has breaking changes including:

  • Dropped @graphql-tools/prisma-loader support
  • New allowPartialOutputs flag behavior
  • Updated peer dependencies for GraphQL Tools packages (v8-v9)
  • Different plugin API expectations

Recommendation:
Either downgrade @graphql-codegen/cli back to v1.x or upgrade all related @graphql-codegen/* plugins to their v5-v6 equivalents to maintain compatibility.

Confidence Score: 2/5

  • This PR has a critical compatibility issue that will likely break GraphQL code generation
  • While the lodash security update (4.17.21 to 4.17.23) is appropriate and fixes a prototype pollution vulnerability, the @graphql-codegen/cli upgrade from v1.21.8 to v6.1.1 skips 4 major versions while leaving all plugin dependencies at v1. This version mismatch between CLI v6 and v1 plugins will likely cause runtime errors when running npm run gql:generate
  • catalog/package.json requires attention - all @graphql-codegen plugins need updating to match CLI v6

Important Files Changed

| Filename | Overview |
| --- | --- |
| catalog/package.json | Updated lodash from 4.17.21 to 4.17.23 (security fix) and @graphql-codegen/cli from 1.21.8 to 6.1.1 (major version jump); potential compatibility issues with v1 plugins |
| catalog/package-lock.json | Lockfile reflects dependency updates with many transitive dependency changes from the @graphql-codegen/cli v6 upgrade |

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant NPM as NPM Registry
    participant Dep as Dependabot
    participant Pkg as package.json
    participant Lock as package-lock.json
    
    Dep->>NPM: Check for lodash updates
    NPM-->>Dep: 4.17.23 available (security fix)
    Dep->>NPM: Check for @graphql-codegen/cli updates
    NPM-->>Dep: 6.1.1 available
    
    Dep->>Pkg: Update lodash: 4.17.21 → 4.17.23
    Dep->>Pkg: Update @graphql-codegen/cli: 1.21.8 → 6.1.1
    Dep->>Lock: Resolve all transitive dependencies
    Lock->>NPM: Fetch updated lodash
    Lock->>NPM: Fetch @graphql-codegen/cli v6
    Lock->>NPM: Fetch new transitive deps (relay-compiler, envelop, etc)
    
    Note over Pkg,Lock: Plugin versions remain at v1<br/>(compatibility issue)
    
    Dev->>Pkg: Run npm run gql:generate
    Pkg->>Lock: Load @graphql-codegen/cli v6
    Lock->>Lock: Load @graphql-codegen plugins v1
    Note over Lock: Version mismatch!<br/>CLI v6 expects v5-v6 plugins

Bumps [lodash](https://github.com/lodash/lodash) and [@graphql-codegen/cli](https://github.com/dotansimha/graphql-code-generator/tree/HEAD/packages/graphql-codegen-cli). These dependencies needed to be updated together.

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `@graphql-codegen/cli` from 1.21.8 to 6.1.1
- [Release notes](https://github.com/dotansimha/graphql-code-generator/releases)
- [Changelog](https://github.com/dotansimha/graphql-code-generator/blob/master/packages/graphql-codegen-cli/CHANGELOG.md)
- [Commits](https://github.com/dotansimha/graphql-code-generator/commits/@graphql-codegen/cli@6.1.1/packages/graphql-codegen-cli)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
- dependency-name: "@graphql-codegen/cli"
  dependency-version: 6.1.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels Jan 21, 2026
@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, 1 comment


"devDependencies": {
"@finos/perspective-webpack-plugin": "^1.9.4",
"@graphql-codegen/cli": "^1.21.8",
"@graphql-codegen/cli": "^6.1.1",
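Review bot: the range change from `^1.21.8` to `^6.1.1` for `@graphql-codegen/cli` in this devDependencies hunk is the only @graphql-codegen/* entry touched, while the presets and plugins in the same manifest (near-operation-file-preset, typed-document-node, typescript, typescript-operations, urql-introspection) stay on ^1.x ranges; run `npm run gql:generate` in CI against this branch before merging, and either bump those packages in the same PR or hold the CLI on a 1.x range until they can move together. The changelog excerpt also records that 6.1.1 was published by a new npm releaser (theguild-bot), so confirm that publisher against the upstream project's release process before accepting the lockfile changes.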
logic: @graphql-codegen/cli was upgraded from v1.21.8 to v6.1.1 (skipping v2-v5), but all related plugins remain at v1:

  • @graphql-codegen/near-operation-file-preset: ^1.18.6
  • @graphql-codegen/typed-document-node: ^1.18.10
  • @graphql-codegen/typescript: ^1.23.0
  • @graphql-codegen/typescript-operations: ^1.18.4
  • @graphql-codegen/urql-introspection: ^1.3.1

This version mismatch may cause compatibility issues when running npm run gql:generate. The v6 CLI introduced breaking changes including dropping @graphql-tools/prisma-loader and adding allowPartialOutputs flag.
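The skew that both the summary and the comment above describe can be caught mechanically before the lockfile is accepted. The script below is an added example, not code from the PR or the catalog project; it parses a package.json, extracts the major version of every @graphql-codegen/* range, and reports any preset or plugin whose major differs from the CLI's. The sample manifest is constructed from the ranges quoted in the review.

```javascript
// Added example (not from the PR or the catalog project): detect major-version
// skew between @graphql-codegen/cli and the @graphql-codegen/* presets/plugins
// in a package.json. Sample manifest constructed from the ranges in the review.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  devDependencies: {
    "@graphql-codegen/cli": "^6.1.1",
    "@graphql-codegen/near-operation-file-preset": "^1.18.6",
    "@graphql-codegen/typed-document-node": "^1.18.10",
    "@graphql-codegen/typescript": "^1.23.0",
    "@graphql-codegen/typescript-operations": "^1.18.4",
    "@graphql-codegen/urql-introspection": "^1.3.1",
  },
});

// Major version of a pinned, caret, tilde or comparator range ("^6.1.1" -> 6).
// Returns null for ranges with no leading version ("*", "latest", git URLs);
// the skew check reports those too, since they pin no major at all.
function majorOf(range) {
  const m = /^[\^~>=<\s]*v?(\d+)\.\d+\.\d+/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Every @graphql-codegen/* entry across dependencies and devDependencies.
function codegenPackages(manifest) {
  const found = {};
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(manifest[section] || {})) {
      if (name.startsWith("@graphql-codegen/")) found[name] = range;
    }
  }
  return found;
}

// Compare each preset/plugin major against the CLI major; returns the CLI
// major and the list of packages that do not match it.
function findCodegenSkew(packageJsonText) {
  const pkgs = codegenPackages(JSON.parse(packageJsonText));
  const cliRange = pkgs["@graphql-codegen/cli"];
  if (cliRange === undefined) return { cliMajor: null, mismatched: [] };
  const cliMajor = majorOf(cliRange);
  const mismatched = Object.entries(pkgs)
    .filter(([name, range]) => name !== "@graphql-codegen/cli" && majorOf(range) !== cliMajor)
    .map(([name, range]) => ({ name, range, major: majorOf(range) }));
  return { cliMajor, mismatched };
}

const report = findCodegenSkew(SAMPLE_PACKAGE_JSON);
for (const p of report.mismatched) {
  console.log(`${p.name}@${p.range} is major ${p.major}, CLI is major ${report.cliMajor}`);
}
```

Pointed at the real catalog/package.json from this branch, the same check lists the five v1 packages the comment names; it goes quiet once they are bumped to the CLI's major or the CLI is held at 1.x.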
