
Update all dependencies to fix vulnerabilities#277

Open

risantos wants to merge 1 commit into master from support/dependencies

Conversation

@risantos risantos self-assigned this Feb 16, 2026
Copilot AI review requested due to automatic review settings February 16, 2026 14:14
@risantos risantos requested review from a team as code owners February 16, 2026 14:14

Copilot AI left a comment


Pull request overview

This PR updates all dependencies to address security vulnerabilities identified in 4 Dependabot alerts. The changes include updating the main runtime dependency (lodash) and multiple development dependencies including ESLint, Prettier, and various validator libraries used in tests.

Changes:

  • Updates lodash from 4.17.21 to 4.17.23 to fix security vulnerabilities
  • Updates development tooling (eslint, prettier, release-it, eslint-config-uphold) to latest versions
  • Updates validation library dependencies (bignumber.js, google-libphonenumber, validator) to patch versions
  • Updates transitive dependencies in yarn.lock including Babel, ESLint ecosystem packages, and other tools

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File: package.json
Description: Updates direct dependencies: lodash (patch), bignumber.js (patch), eslint (9.28.0→9.39.2), eslint-config-uphold (minor), google-libphonenumber (patch), prettier (minor), release-it (patch), validator (patch), @fastify/pre-commit (patch)

File: yarn.lock
Description: Updates transitive dependencies including Babel 7.27→7.28, ESLint ecosystem packages, and various other tools. Notable updates include @babel/core, @babel/eslint-parser, eslint-plugin-jsdoc, and many @jridgewell packages


"@uphold/github-changelog-generator": "^4.0.2",
"abavalidator": "^2.0.2",
"bignumber.js": "^9.3.0",
"bignumber.js": "^9.3.1",
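Review bot: the peerDependencies range this bump is measured against, `>=7 || <=9.3.0`, is a union in semver syntax, so any version at or above 7 satisfies it and the `<=9.3.0` half enforces no cap at all; only the optionalPeerDependencies form `>=7 <=9.3.0` (space-separated, an intersection) actually excludes 9.3.1. If an upper bound on bignumber.js is intended, write both constraints as an intersection and raise them together with this devDependency change (for example `>=7 <=9.3.1`); if no upper bound is intended, drop the `<=` comparator rather than leaving a range that reads as a cap but is not one.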

Copilot AI Feb 16, 2026


The update of bignumber.js to version 9.3.1 conflicts with the peerDependencies constraint which specifies ">=7 || <=9.3.0" (line 77) and the optionalPeerDependencies constraint ">=7 <=9.3.0" (line 141). The devDependency is being updated to ^9.3.1, which is outside the acceptable peer dependency range. This means that consumers of this package would see peer dependency warnings if they use bignumber.js 9.3.1 or higher.

Either update the peerDependencies constraints to allow 9.3.1 (e.g., ">=7 <=9.3.1" or ">=7 <9.4.0"), or keep bignumber.js at 9.3.0 if there's a specific reason for the upper bound constraint.

Suggested change: replace

"bignumber.js": "^9.3.1",

with

"bignumber.js": "^9.3.0",
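To make the range semantics in this thread concrete, here is an added example, not code from the PR or from the project: a minimal evaluator for the subset of semver range syntax that appears in the constraints quoted above. It assumes node-semver semantics, where `||` separates alternatives (OR), whitespace inside an alternative means AND, a bare `7` means `7.0.0`, and `^x.y.z` (for x > 0) means `>=x.y.z <(x+1).0.0`. Running it shows that `>=7 || <=9.3.0` accepts 9.3.1 and every later version, while `>=7 <=9.3.0` rejects 9.3.1, which is the check a reviewer would want before deciding whether to raise the peer range or hold the devDependency at 9.3.0.

```javascript
// Added example (not part of the PR or the project). Evaluates the subset of
// node-semver range syntax used in the package.json constraints discussed in
// the review: comparator sets joined by "||" (OR), comparators within a set
// joined by whitespace (AND), operators >=, <=, >, <, =, and the caret "^".

function parseVersion(v) {
  // "7" -> [7, 0, 0]; "9.3.1" -> [9, 3, 1]
  const parts = v.replace(/^v/, '').split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Turn one comparator such as ">=7" or "^9.3.1" into a predicate on a version.
function parseComparator(c) {
  const m = /^(>=|<=|>|<|=|\^)?(.+)$/.exec(c.trim());
  if (!m) throw new Error(`bad comparator: ${c}`);
  const [, op = '=', ver] = m;
  if (op === '^') {
    // Caret (major > 0 assumed here): same major, at or above the given version.
    const [major] = parseVersion(ver);
    const upper = `${major + 1}.0.0`;
    return (v) => compareVersions(v, ver) >= 0 && compareVersions(v, upper) < 0;
  }
  return (v) => {
    const cmp = compareVersions(v, ver);
    switch (op) {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '<': return cmp < 0;
      default: return cmp === 0;
    }
  };
}

function satisfies(version, range) {
  // "||" separates alternatives (any may match); whitespace within an
  // alternative means every comparator must match.
  return range.split('||').some((set) => {
    const preds = set.trim().split(/\s+/).filter(Boolean).map(parseComparator);
    return preds.every((pred) => pred(version));
  });
}

// The three constraints quoted in the review thread.
const PEER_RANGE = '>=7 || <=9.3.0';        // peerDependencies (a union)
const OPTIONAL_PEER_RANGE = '>=7 <=9.3.0';  // optionalPeerDependencies (an intersection)
const DEV_RANGE = '^9.3.1';                 // the updated devDependency

function checkConstraints(version) {
  return {
    version,
    peer: satisfies(version, PEER_RANGE),
    optionalPeer: satisfies(version, OPTIONAL_PEER_RANGE),
    dev: satisfies(version, DEV_RANGE),
  };
}

// A range with a real cap rejects a version far beyond anything published.
function hasUpperBound(range) {
  return !satisfies('999.0.0', range);
}

for (const v of ['6.0.0', '9.3.0', '9.3.1', '10.0.0']) {
  console.log(checkConstraints(v));
}
console.log('peer range capped?', hasUpperBound(PEER_RANGE));
console.log('optional peer range capped?', hasUpperBound(OPTIONAL_PEER_RANGE));
```

The `hasUpperBound` probe is the quickest way to catch a range that looks capped but is not: a `||` between a lower bound and an upper bound accepts anything that meets either side, so the upper bound never applies.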

