Skip to content

chore(deps): batch dependabot patches (#879, #899, #900, #901)#904

Merged
cjroth merged 1 commit into
mainfrom
raivieiraadriano92/dependabot-batch-patches
May 26, 2026
Merged

chore(deps): batch dependabot patches (#879, #899, #900, #901)#904
cjroth merged 1 commit into
mainfrom
raivieiraadriano92/dependabot-batch-patches

Conversation

@raivieiraadriano92

@raivieiraadriano92 raivieiraadriano92 commented May 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

Lands four safe patch-level dependabot PRs in a single batch — same shape as #893. Lockfiles regenerated locally with bun (dependabot doesn't support bun).

Commit

Landed PRs

npm — deploy/pulumi

npm — backend

Cargo — src-tauri

GitHub Actions

  • chore(deps): bump the actions group across 1 directory with 4 updates #901 — actions group across 1 directory with 4 updates:
    • github/codeql-action/upload-sarif v4.35.3 → v4.35.5 (.github/workflows/security.yml)
    • actions/create-github-app-token v3.1.1 → v3.2.0 (.github/workflows/version-bump.yml)
    • ruby/setup-ruby SHA bump, still tagged v1 (.github/workflows/ios-release.yml)
    • taiki-e/install-action SHA bump, still tagged v2 (.github/workflows/version-bump.yml)

Verification

  • cargo check in src-tauri/ — compiles cleanly with serde_json@1.0.150 (full tauri tree, 25.95s)
  • bun run type-check in backend/ — clean
  • bun run lint in backend/ — 0 errors (81 pre-existing warnings, unchanged)
  • ✅ Both bun.lock diffs reviewed — minimal: just the version + integrity hash bumps, no transitive churn

Side notes

While running bun install in backend/, two small lockfile drifts surfaced and were captured (no package.json edits made):

  • @opentelemetry/exporter-trace-otlp-proto@0.218.0 — added to the lockfile (already in package.json, just missing from the lockfile)
  • @types/bun / bun-types resolved minor patch within their existing ^ ranges

Not in this PR

Test plan

  • CI: workflows pass (especially security.yml with the new codeql v4.35.5 SARIF uploader and version-bump.yml with the new app-token v3.2.0)
  • iOS release workflow: confirm ruby/setup-ruby still resolves ruby-version: '3.0' correctly

Note

Low Risk
Patch-only version and CI action SHA updates with no product code changes; release/version-bump workflows use updated tokens but remain the same steps.

Overview
This PR batches four patch-level dependency updates (Dependabot-style) with matching lockfile refreshes—no application logic changes.

GitHub Actions pins move forward in security.yml (upload-sarif to CodeQL v4.35.5), version-bump.yml (create-github-app-token v3.2.0, taiki-e/install-action SHA), and ios-release.yml (ruby/setup-ruby SHA, still v1).

npm: backend bumps dev-only @react-email/ui 6.1.46.1.5; deploy/pulumi bumps @pulumi/docker-build ^0.0.16^0.0.17 with bun.lock updates.

Rust: src-tauri bumps direct serde_json 1.0.1491.0.150 in Cargo.toml and Cargo.lock.

Reviewed by Cursor Bugbot for commit 60058a7. Bugbot is set up for automated code reviews on this repo. Configure here.

@raivieiraadriano92 raivieiraadriano92 self-assigned this May 26, 2026
@raivieiraadriano92 raivieiraadriano92 added the dependencies Pull requests that update a dependency file label May 26, 2026
@github-actions

Copy link
Copy Markdown

Semgrep Security Scan

No security issues found.

@raivieiraadriano92 raivieiraadriano92 marked this pull request as ready for review May 26, 2026 21:28
@github-actions

github-actions Bot commented May 26, 2026

Copy link
Copy Markdown

Preview environment destroyed 🧹

Stack preview-pr-904 and its Cloudflare subdomain have been cleaned up.

@github-actions

Copy link
Copy Markdown

PR Metrics

Metric Value
Lines changed (prod code) +7 / -7
JS bundle size (gzipped) 🟢 1.14 MB → 1.13 MB (-5.9 KB, -0.5%)
Test coverage 🟢 72.22% → 72.22% (+0.0%)
Performance (preview) Preview not ready — Render deploy may have timed out
Accessibility
Best Practices
SEO

Updated Tue, 26 May 2026 21:33:23 GMT · run #1617

@cjroth cjroth merged commit 6441bc3 into main May 26, 2026
32 of 38 checks passed
@cjroth cjroth deleted the raivieiraadriano92/dependabot-batch-patches branch May 26, 2026 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants