chore(deps): update dependency tsup to v8.3.5 [security] #542
❌ Deploy Preview for apollo-client-nextjs-docmodel failed.
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID:
📒 Files selected for processing (4)
✅ Files skipped from review due to trivial changes (3)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 Walkthrough
Updates the tsup devDependency from version 8.0.2 to 8.3.5 across four package.json files in different packages. No functional changes, control flow modifications, or public API alterations.
Changes
tsup Dependency Upgrade
Estimated code review effort
🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/nextjs/package.json`:
- Line 102: package.json was updated to require tsup@8.3.5 but the yarn.lock was
not regenerated; run a reproducible install to update the lockfile so CI passes:
update the lockfile by running yarn install (or yarn install --pure-lockfile)
from the repo root, ensure tsup@8.3.5 is present in yarn.lock, commit the
updated yarn.lock along with the package.json changes (affecting
packages/nextjs, packages/react-router, packages/tanstack-start,
packages/client-react-streaming) so yarn install --immutable succeeds in CI.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 475d9cd7-8927-456a-afc0-565456941539
📒 Files selected for processing (4)
packages/client-react-streaming/package.json
packages/nextjs/package.json
packages/react-router/package.json
packages/tanstack-start/package.json
📜 Review details
🔇 Additional comments (3)
packages/tanstack-start/package.json (1)
88-88: Same dependency-resolution blocker applies to this bump. Line 88 is part of the same monorepo tsup upgrade set; keep this blocked until the lockfile/peer-resolution verification from the prior comment passes repo-wide.
packages/client-react-streaming/package.json (1)
167-167: Same dependency-resolution blocker applies to this bump. Line 167 should ship with the rest of the tsup upgrades only after immutable install and peer checks are clean across the monorepo.
packages/react-router/package.json (1)
85-85: Same dependency-resolution blocker applies to this bump. Line 85 participates in the same tsup upgrade batch; please merge only once lock/artifact and peer-resolution verification is passing for the repo.
| "rimraf": "5.0.5", | ||
| "rxjs": "^7.8.2", | ||
| "tsup": "8.0.2", | ||
| "tsup": "8.3.5", |
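Review bot: the `"tsup": "8.0.2"` to `"tsup": "8.3.5"` bump in packages/nextjs/package.json has no matching yarn.lock change in this PR, and the thread reports that `yarn install --immutable` fails because the lockfile lacks a tsup@8.3.5 resolution. Regenerate yarn.lock from the repo root and commit it together with the four package.json bumps (packages/nextjs, packages/react-router, packages/tanstack-start, packages/client-react-streaming) so CI's immutable install passes.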
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "1) Confirm all tsup bumps:"
rg -n '"tsup": "8\.3\.5"' --type-add 'json:*.json' --type json
echo "2) Confirm yarn.lock has tsup 8.3.5 resolution:"
rg -n 'tsup@npm:8\.3\.5|tsup@8\.3\.5' yarn.lock
echo "3) Validate immutable install (must pass):"
yarn install --immutable --mode=skip-build
echo "4) Print peer diagnostics for any remaining conflicts:"
yarn explain peer-requirements
Repository: apollographql/apollo-client-integrations
Length of output: 402
Update lockfile before merging.
The tsup@8.3.5 updates are present in package.json files (packages/nextjs, packages/react-router, packages/tanstack-start, packages/client-react-streaming), but yarn.lock does not contain the resolved tsup@8.3.5 dependency. The lockfile must be regenerated to match the package.json updates, as yarn install --immutable currently fails, which will break reproducible installs and CI.
06c937a to 751e6b0
This PR contains the following updates:
tsup 8.0.2 → 8.3.5
tsup DOM Clobbering vulnerability
CVE-2024-53384 / GHSA-3mv9-4h5g-vhg3
More information
Details
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
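The advisory above concerns a CommonJS shim that derives `import.meta.url` from `document.currentScript`. The following is an added illustration, not tsup's cjs_shims.js and not the project's actual fix: a naive shim that trusts whatever `document.currentScript` holds, beside a hardened variant that accepts only a genuine script element carrying a well-formed http(s) URL and otherwise falls back to a known-good value. It takes a document-like object so it runs under Node; the document objects, URLs and the function names naiveModuleUrl/safeModuleUrl are constructed for this example.

```javascript
// Added example (not tsup's code). Models an import.meta.url shim for CJS
// output that reads document.currentScript, and a hardened form of it.
// The "documents" below are constructed stand-ins, not real DOM objects.

// Naive shim: whatever document.currentScript holds becomes the module URL.
// On Document, named elements (img/form/iframe/embed/object with a name)
// can shadow built-in properties, so this value is attacker-influenced on
// pages that render untrusted markup.
function naiveModuleUrl(doc, fallback) {
  const el = doc && doc.currentScript;
  return el && el.src ? el.src : fallback;
}

// Hardened shim: only a real <script> element with an http(s) URL is
// accepted. <script> is not among the elements that take part in document
// named access, so a clobbering element never passes the tagName check.
function safeModuleUrl(doc, fallback) {
  const el = doc && doc.currentScript;
  if (!el || typeof el.tagName !== 'string' || el.tagName.toUpperCase() !== 'SCRIPT') {
    return fallback;
  }
  if (typeof el.src !== 'string') return fallback;
  let url;
  try {
    url = new URL(el.src);
  } catch (e) {
    return fallback; // unparsable src: do not trust it
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  return url.href;
}

// Constructed stand-ins: a document whose currentScript is the real bundle
// script, and one where a named non-script element shadows the property.
const FALLBACK = 'https://app.example/bundle.js';
const genuineDoc = {
  currentScript: { tagName: 'SCRIPT', src: 'https://app.example/assets/mod.js' },
};
const clobberedDoc = {
  currentScript: { tagName: 'IMG', src: 'https://attacker.example/x.js' },
};

// Returns both shims' results for both document states so the difference
// is visible in one place.
function demo() {
  return {
    naiveGenuine: naiveModuleUrl(genuineDoc, FALLBACK),
    naiveClobbered: naiveModuleUrl(clobberedDoc, FALLBACK),
    safeGenuine: safeModuleUrl(genuineDoc, FALLBACK),
    safeClobbered: safeModuleUrl(clobberedDoc, FALLBACK),
  };
}

console.log(demo());
```

The check that matters is the element type, not the URL's host: a fixed allow-list of origins would break legitimate CDN deployments, whereas requiring an actual script element removes the shadowing path entirely while still letting the shim resolve relative assets from the real bundle location.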
Release Notes
egoist/tsup (tsup)
v8.3.5
🐞 Bug Fixes
experimentalDts only once - by @aryaemami59 in #1236 (fddd4)
v8.3.4
No significant changes
v8.3.0
Bug Fixes
experimentalDts file cleaning and watching (#1199) (76dc18b)
Features
cts and mts config files (#1178) (ec811b3)
injectStyle (#1193) (f25a9db)
v8.2.4
Bug Fixes
v8.2.3
Bug Fixes
v8.2.2
Bug Fixes
globby with faster alternative (#1158)" (2de6dd5)
v8.2.1
Bug Fixes
v8.2.0
Features
v8.1.2
Bug Fixes
v8.1.1
v8.1.0
Features
Configuration
📅 Schedule: (in timezone Etc/UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.