Pull request overview
This PR updates repository tooling versions (npm/pnpm) and refreshes the pnpm lockfile to reflect the new toolchain and deduplication outcomes.
Changes:
- Bump npm and pnpm versions in .prototools
- Update pnpm-lock.yaml (deduping/peer-resolution changes, notably around @types/node peer sets)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pnpm-lock.yaml | Lockfile refresh/dedupe resulting in updated peer dependency resolutions and new deprecation metadata surfaced by pnpm. |
| .prototools | Toolchain version bumps for npm and pnpm. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| node = "20.20.0" | ||
| npm = "11.8.0" | ||
| pnpm = "10.28.2" | ||
| npm = "11.11.0" | ||
| pnpm = "10.30.3" |
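Review bot: node = "20.20.0" appears only once in this hunk, so the Node version is not changed here, while the PR description says the update covers node as well as npm and pnpm. Either bump node in .prototools too or drop node from the description, so the stated scope matches the two values that actually change (npm 11.8.0 to 11.11.0, pnpm 10.28.2 to 10.30.3).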
.prototools bumps pnpm to 10.30.3, but the repo root package.json still declares "packageManager": "pnpm@10.28.2" (package.json:85). This is a discrepancy with the PR description/tooling and can cause contributors/CI to keep using the older pnpm. Please update package.json#packageManager to match the new pnpm version (or intentionally remove/avoid pinning, but keep it consistent with the toolchain automation).
| basic-ftp@5.0.4: | ||
| resolution: {integrity: sha512-8PzkB0arJFV4jJWSGOYR+OEic6aeKMu/osRhBULN6RY0ykby6LKhbmuQ5ublvaas5BOwboah5D87nrHyuh8PPA==} | ||
| engines: {node: '>=10.0.0'} | ||
| deprecated: Security vulnerability fixed in 5.2.0, please upgrade |
The lockfile now marks basic-ftp@5.0.4 as deprecated due to a security vulnerability fixed in 5.2.0. Since this version is still pulled in transitively (via get-uri@6.0.3 -> basic-ftp@5.0.4), please upgrade the dependency chain (e.g., bump get-uri/pac-proxy-agent to a version that depends on basic-ftp>=5.2.0) or add a pnpm override to force a patched basic-ftp version, so the repo isn’t shipping a known-vulnerable transitive dependency.
| basic-ftp@5.0.4: | |
| resolution: {integrity: sha512-8PzkB0arJFV4jJWSGOYR+OEic6aeKMu/osRhBULN6RY0ykby6LKhbmuQ5ublvaas5BOwboah5D87nrHyuh8PPA==} | |
| engines: {node: '>=10.0.0'} | |
| deprecated: Security vulnerability fixed in 5.2.0, please upgrade | |
| basic-ftp@5.2.0: | |
| resolution: {integrity: sha512-8PzkB0arJFV4jJWSGOYR+OEic6aeKMu/osRhBULN6RY0ykby6LKhbmuQ5ublvaas5BOwboah5D87nrHyuh8PPA==} | |
| engines: {node: '>=10.0.0'} |
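Review bot: the suggested basic-ftp@5.2.0 entry carries the same resolution/integrity line as the basic-ftp@5.0.4 entry it replaces, and an integrity value identifies one tarball, so only the version key has changed and the hash still describes 5.0.4. Do not apply this by editing pnpm-lock.yaml by hand; change the version through the dependency chain or a pnpm override and let pnpm regenerate the entry, so the recorded integrity is the one for 5.2.0.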
This PR updates the toolchain (node, npm, pnpm) to the newest versions and deduplicates packages
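
The two lockfile conditions raised in the review above (a resolved package whose `deprecated:` notice mentions a security fix, and two entries carrying one integrity value) can be checked mechanically before merge. The following is an added example, not code from this PR or the project; the function names and the sample lockfile text are constructed for illustration, and the integrity values are placeholders.

```javascript
// Constructed sample shaped like the pnpm-lock.yaml entries on this page.
// Integrity values are placeholders, not real hashes.
const SAMPLE_LOCK = `
packages:
  basic-ftp@5.0.4:
    resolution: {integrity: sha512-PLACEHOLDER-A==}
    engines: {node: '>=10.0.0'}
    deprecated: Security vulnerability fixed in 5.2.0, please upgrade
  basic-ftp@5.2.0:
    resolution: {integrity: sha512-PLACEHOLDER-A==}
  '@types/node@20.0.0':
    resolution: {integrity: sha512-PLACEHOLDER-B==}
snapshots:
  basic-ftp@5.0.4: {}
`;

// Line-based scan of the top-level `packages:` section only (no YAML library needed).
function parsePackages(lockText) {
  const pkgs = [];
  let section = null, cur = null;
  for (const line of lockText.split(/\r?\n/)) {
    const top = line.match(/^([A-Za-z]+):\s*$/);
    if (top) { section = top[1]; cur = null; continue; }
    if (section !== 'packages') continue;
    const key = line.match(/^ {2}'?((?:@[^/\s]+\/)?[^@\s']+)@([^\s':]+)'?:\s*$/);
    if (key) { cur = { id: `${key[1]}@${key[2]}` }; pkgs.push(cur); continue; }
    if (!cur) continue;
    const integ = line.match(/^ {4}resolution:.*integrity:\s*([^,}\s]+)/);
    if (integ) cur.integrity = integ[1];
    const dep = line.match(/^ {4}deprecated:\s*(.+)$/);
    if (dep) cur.deprecated = dep[1];
  }
  return pkgs;
}

// Flags (1) entries whose deprecation notice mentions security and
// (2) distinct entries sharing one integrity value, which distinct tarballs cannot do.
function auditLock(lockText) {
  const pkgs = parsePackages(lockText);
  const deprecatedSecurity = pkgs
    .filter((p) => /security|vulnerab/i.test(p.deprecated || ''))
    .map((p) => p.id);
  const byHash = new Map();
  for (const p of pkgs) {
    if (p.integrity) byHash.set(p.integrity, [...(byHash.get(p.integrity) || []), p.id]);
  }
  const sharedIntegrity = [...byHash.values()].filter((ids) => ids.length > 1);
  return { deprecatedSecurity, sharedIntegrity };
}
```

In CI, pass the contents of pnpm-lock.yaml to `auditLock` and fail the job when either list is non-empty.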