fix: remediate confirmed npm dependency alerts#191
Conversation
floreks
left a comment
There was a problem hiding this comment.
This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:
| Name | Details |
|---|---|
| 💬 Prompt | You are working only in the pluralsh/marketing repository.... |
| 🔗 Run history | View run history |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
Greptile SummaryThis PR remediates confirmed npm dependency alerts by bumping four direct packages:
Confidence Score: 4/5Safe to merge; changes are confined to dependency version bumps validated through install, build, and lint steps. All four bumped packages are straightforward patch/minor upgrades with no API-breaking changes observed in the lock file. The only notable gap is eslint-config-next remaining at 15.5.15 while next moves to 15.5.16 — a cosmetic misalignment that lint already passes through. The residual next advisory is acknowledged in the PR description as a known limitation of this batch. package.json — the eslint-config-next version should be kept in sync with next.
|
| Filename | Overview |
|---|---|
| package.json | Bumps next (15.5.15→15.5.16), next-intl (4.9.2→4.13.1), concurrently (9.2.1→9.2.3), and postcss (8.5.11→8.5.12); eslint-config-next is left at 15.5.15, mismatched with the new next version. |
| package-lock.json | Lock file regenerated to reflect the four bumped direct dependencies; transitive shell-quote is now at 1.8.4 (the targeted CVE fix), and @next/swc-* entries gain the new libc field introduced in this Next.js release. |
Reviews (1): Last reviewed commit: "fix: remediate confirmed npm dependency ..." | Re-trigger Greptile
| "concurrently": "9.2.1", | ||
| "concurrently": "9.2.3", | ||
| "eslint": "9.27.0", | ||
| "eslint-config-next": "15.5.15", |
There was a problem hiding this comment.
eslint-config-next is still pinned to 15.5.15 while next has been bumped to 15.5.16. These two packages are tightly coupled and are intended to be kept on the same version; a skew can cause the linter to reference rule sets and Next.js-specific checks that no longer match the runtime version. The PR confirms npm run lint passes today, but keeping them in sync avoids surprises on the next bump.
| "eslint-config-next": "15.5.15", | |
| "eslint-config-next": "15.5.16", |
Summary
package.jsonpackage-lock.jsonwith containerized npmDependency updates
next15.5.15->15.5.16next-intl4.9.2->4.13.1concurrently9.2.1->9.2.3(updates transitiveshell-quoteto1.8.4)postcss8.5.11->8.5.12Validation
npm install --package-lock-only --ignore-scripts✅npm ci --ignore-scripts✅npm run build✅npm run lint✅npm auditResidual alerts / risk
npm auditstill reports the current Next.js advisory fornextbecause npm now marks versions<15.5.18as vulnerable and suggests15.5.20as the non-breaking fix.npm auditalso still reports transitivepostcssundernext/node_modules/postcss.form-data,@prismicio/api-renderer/uuid, and some Slice Machine/Prismic dev tooling advisories.Existing PRs considered
#184,#188, and#190as supersedable context; this PR consolidates the currently confirmed direct package bumps into one branch.