This PR bumps a broad set of dependencies across the root app, deploy tools, and UI toolkit to address known security vulnerabilities reported by Dependabot and pnpm audit.
Updates include OpenTelemetry packages (@opentelemetry/auto-instrumentations-node, @opentelemetry/sdk-node, @opentelemetry/api), the ws override (8.17.1 → 8.21.0), Vite (6.4.2 → 6.4.3) in deploy tools and toolkit, and assorted runtime and dev dependencies (e.g. graphql, phoenix, swagger-ui-react, xss, type packages). Temporary minimumReleaseAgeExclude entries were added in pnpm-workspace.yaml for form-data@4.0.6 and @opentelemetry/core@2.8.0 (to be removed after 2026-06-20).
Proposed Changes
Bump root package.json dependencies and devDependencies to patched versions
Bump vite, dotenv-cli, and yup in deploy tool packages
Bump vite in @blockscout/ui-toolkit
Update ws override in pnpm-workspace.yaml to 8.21.0
Add temporary minimumReleaseAgeExclude entries for recently released security patches
Regenerate pnpm-lock.yaml
No environment variable changes.
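The ws override and the temporary minimumReleaseAgeExclude entries are settings that are easy to leave in place long after the cooling-off period they bypass has expired. The Python script below is an added example and is not code from this PR or from Blockscout: it parses a constructed pnpm-workspace.yaml fragment shaped like the one the PR describes (the trailing "# remove after" comments are an assumed annotation convention, and the minimumReleaseAge value is a placeholder), lists exclusions whose removal date has passed, and checks a constructed pnpm-lock.yaml excerpt for any resolved copy of an overridden package that is still below the pinned version, which is how you would confirm that the override actually took effect across transitive dependencies.

```python
"""CI sanity checks for temporary pnpm supply-chain settings.

Added example (not part of the PR): a minimal line parser for the flat YAML
shape shown here, an expiry check for minimumReleaseAgeExclude entries, and a
lockfile check that every resolved copy of an overridden package meets the
override version.
"""
import re
from datetime import date

# Constructed workspace fragment modelled on what the PR describes; the
# "# remove after" comments are an assumed convention, not pnpm syntax.
WORKSPACE_YAML = """\
packages:
  - 'deploy/tools/*'
  - 'toolkit'
overrides:
  ws: 8.21.0
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  - form-data@4.0.6  # remove after 2026-06-20
  - '@opentelemetry/core@2.8.0'  # remove after 2026-06-20
"""

# Constructed lockfile excerpt in which one transitive copy of ws escaped
# the override (integrity values are placeholders).
LOCK_YAML = """\
packages:
  ws@8.21.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  ws@8.17.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  form-data@4.0.6:
    resolution: {integrity: sha512-CONSTRUCTED}
"""


def _section(text, key):
    """Return the stripped lines nested directly under a top-level `key:`."""
    out, grab = [], False
    for line in text.splitlines():
        if grab:
            if line.startswith(" ") or line.startswith("-"):
                out.append(line.strip())
                continue
            break
        if line.rstrip() == f"{key}:":
            grab = True
    return out


def parse_exclusions(text):
    """Return (package_spec, remove_after_date_or_None) per exclusion entry."""
    result = []
    pattern = r"-\s*'?([^'#\s]+)'?\s*(?:#\s*remove after\s*(\d{4}-\d{2}-\d{2}))?"
    for line in _section(text, "minimumReleaseAgeExclude"):
        m = re.match(pattern, line)
        if not m:
            continue
        spec, due = m.group(1), m.group(2)
        result.append((spec, date.fromisoformat(due) if due else None))
    return result


def expired_exclusions(text, today):
    """Exclusions whose removal date has passed, or that carry no date at all.

    An undated exclusion is reported too: a bypass of the release-age guard
    with no planned end is a finding, not a configuration.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [spec for spec, due in parse_exclusions(text)
            if due is None or today > due]


def parse_overrides(text):
    """Map package name -> pinned version from the `overrides:` block."""
    out = {}
    for line in _section(text, "overrides"):
        name, _, version = line.partition(":")
        out[name.strip().strip("'\"")] = version.strip().strip("'\"")
    return out


def _vtuple(version):
    return tuple(int(p) for p in version.split("."))


def override_violations(lock_text, overrides):
    """Resolved lockfile entries whose version is below their override."""
    bad = []
    for line in _section(lock_text, "packages"):
        m = re.match(r"(@?[^@]+)@([\d.]+):", line)
        if not m:
            continue
        name, version = m.groups()
        if name in overrides and _vtuple(version) < _vtuple(overrides[name]):
            bad.append(f"{name}@{version}")
    return bad


if __name__ == "__main__":
    print("expired exclusions:", expired_exclusions(WORKSPACE_YAML, date.today()))
    print("override violations:",
          override_violations(LOCK_YAML, parse_overrides(WORKSPACE_YAML)))
```

Run it as a CI step so a non-empty result fails the build; for a real workspace file, replace the `_section` helper with PyYAML and read the two files from disk instead of the embedded samples.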
Breaking or Incompatible Changes
None expected. These are patch/minor version bumps intended to be drop-in replacements.
Additional Information
Commit: 43eceb774 — "bump up packages to mitigate some security vulnerabilities"
Checklist for PR author
I have tested these changes locally.
I added tests to cover any new functionality, following this guide
Whenever I fix a bug, I include a regression test to ensure that the bug does not reappear silently.
If I have added a feature or functionality that is not privacy-compliant (e.g., tracking, analytics, third-party services), I have disabled it for private mode.
If I have added, changed, renamed, or removed an environment variable
I updated the list of environment variables in the documentation
I made the necessary changes to the validator script according to the guide