Skip to content

Bump the npm_and_yarn group across 1 directory with 2 updates #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
allyelvis merged 2 commits into from
Dec 4, 2024
Merged

Bump the npm_and_yarn group across 1 directory with 2 updates #6

allyelvis merged 2 commits into from
Dec 4, 2024

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 27, 2024
edited by sourcery-ai bot
Loading

Bumps the npm_and_yarn group with 2 updates in the / directory: debug and heroku.

Updates debug from 2.6.9 to 4.3.4

Release notes

Sourced from debug's releases.

4.3.4

What's Changed

New Contributors

Full Changelog: debug-js/debug@4.3.3...4.3.4

4.3.3

Patch Release 4.3.3

This is a documentation-only release. Further, the repository was transferred. Please see notes below.

Thank you to @​taylor1791 and @​kristofkalocsai for their contributions.

Repository Migration Information

I've formatted this as a FAQ, please feel free to open an issue for any additional question and I'll add the response here.

Q: What impact will this have on me?

In most cases, you shouldn't notice any change.

The only exception I can think of is if you pull code directly from https://github.com/visionmedia/debug, e.g. via a "debug": "visionmedia/debug"-type version entry in your package.json - in which case, you should still be fine due to the automatic redirection Github sets up, but you should also update any references as soon as possible.

Q: What are the security implications of this change?

If you pull code directly from the old URL, you should update the URL to https://github.com/debug-js/debug as soon as possible. The old organization has many approved owners and thus a new repository could (in theory) be created at the old URL, circumventing Github's automatic redirect that is in place now and serving malicious code. I (@​qix-) also wouldn't have access to that repository, so while I don't think it would happen, it's still something to consider.

Even in such a case, however, the officially released package on npm (debug) would not be affected. That package is still very much under control (even more than it used to be).

Q: What should I do if I encounter an issue related to the migration?

Search the issues first to see if someone has already reported it, and then open a new issue if someone has not.

Q: Why was this done as a 'patch' release? Isn't this breaking?

No, it shouldn't be breaking. The package on npm shouldn't be affected (aside from this patch release) and any references to the old repository should automatically redirect.

Thus, according to all of the "APIs" (loosely put) involved, nothing should have broken.

... (truncated)

Commits
  • da66c86 4.3.4
  • 9b33412 replace deprecated String.prototype.substr() (#876)
  • c0805cc add section about configuring JS console to show debug messages (#866)
  • 043d3cd 4.3.3
  • 4079aae update license and more maintainership information
  • 19b36c0 update repository location + maintainership information
  • f851b00 adds README section regarding usage in child procs (#850)
  • d177f2b Remove accidental epizeuxis
  • e47f96d 4.3.2
  • 1e9d38c cache enabled status per-logger (#799)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by qix, a new releaser for debug since your current version.


Updates heroku from 8.1.9 to 8.11.5

Release notes

Sourced from heroku's releases.

v8.11.5

  • c5128a7fb chore(auth): update warning copy (#2842)
  • 49c52d0ee fix: add quotation marks around public key in sign/deb script (#2849)
  • c8fa03362 chore: update opentelemetry/instrumentation to 0.50.0 and improve integration test runs (#2834)

v8.11.4

  • 697df3830 chore(telemetry): add environment variable to optionally disable telemetry (#2810)

v8.11.3

  • 33f8aac63 fix(authorizations): surface api warnings in temporary fix (#2804)
  • 381575fba Bump heroku-color (#2797)

v8.11.2

  • 8257348f6 Update description of auth topic (#2792)
  • 3432d7e96 rename vars to secrets (#2790)
  • 4ddead432 chore(auth): update warning message for auth:token (#2750)
  • 2a72431b0 add ChangeManagement environment to CTC check (#2789)
  • d6a201e7b chore(ci) Add ctc check to release and pre-release workflows (#2765)
  • be8d0b61d chore(deps): bump inquirer and @​types/inquirer (#2766)
  • c3d2ea9cc chore(deps-dev): bump standard from 12.0.1 to 17.1.0 (#2701)
  • 95023079c chore(deps): bump semver from 5.6.0 to 7.6.0 (#2619)
  • 89c3169ef fix(workflow): update version output (#2747)
  • 69e04eb91 Update mocha and timeout (#2748)

v8.11.1

  • e0457f217 Remove semver from resolutions & reinstate in /cli package.json (#2743)
  • 853b94f3f fix(ps): update larger dyno checking (#2741)
  • 450aa64a8 chore: remove snyk files and upgrade and resolve dependencies (#2736)

v8.11.0

  • 32e97bb0a Update pg:upgrade description (#2729)
  • 6313a26e1 Update test-installed-cli workflow (#2723)
  • 7428df014 chore(W-15263489): improve unit test performance (#2716)
  • d23407c0e bug(local): Ignore env specification when it's not a file (#2698)
  • 20665ff4c Update apps & pipelines in test installation workflow to fix errors (#2714)
  • de144efeb chore: add initial workflow for updating devcenter documentation (#2703)
  • 3c70a9fc7 Update test_release script (#2704)
  • 748e71c10 fix(workflow): remove fig command & update workflow (#2686)
  • efec0951b fix(cli): use uuid rather than addon name for pg:credentials (#2042)
  • 3c74d2a35 chore: fix spelling (#2694)
  • 728262c44 Update depcheck to 1.4.7 (#2684)
  • d6d15c349 chore: fix empty stampy workflow (#2626)
  • fd574ca03 Switch from --rebase to --ff-only (#2680)
  • 2a4ab7952 Increase network timeout for integration tests (#2682)
  • 62975a001 chore(deps): bump debug and @​types/debug (#2562)
  • 17605c37f chore(deps): bump debug from 4.1.1 to 4.3.1 in /packages/cli (#2544)
  • 536b2ecdf fix(workflow): update fig autocomplete workflow (#2679)
  • 7105fb6b8 feat(workflow): add fig autocomplete workflow (#2666)
  • c062c5909 feat(pg:upgrade): support essential dbs (#2637)
  • bffd99861 Update Mocha to 8.4.0 (#2652)

... (truncated)

Changelog

Sourced from heroku's changelog.

8.11.5 (2024-04-30)

Note: Version bump only for package heroku

8.11.4 (2024-04-16)

Note: Version bump only for package heroku

8.11.3 (2024-04-15)

Bug Fixes

  • authorizations: surface api warnings in temporary fix (#2804) (33f8aac)

8.11.2 (2024-04-10)

Note: Version bump only for package heroku

8.11.1 (2024-03-25)

Note: Version bump only for package heroku

8.11.0 (2024-03-20)

Bug Fixes

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by Sourcery

Update dependencies in the npm_and_yarn group by bumping 'debug' from version 2.6.9 to 4.3.4 and 'heroku' from version 8.1.9 to 8.11.5 in the package.json file.

@dependabot
Bump the npm_and_yarn group across 1 directory with 2 updates
8d47d24 
Bumps the npm_and_yarn group with 2 updates in the / directory: [debug](https://github.com/debug-js/debug) and [heroku](https://github.com/heroku/cli).


Updates `debug` from 2.6.9 to 4.3.4
- [Release notes](https://github.com/debug-js/debug/releases)
- [Commits](debug-js/debug@2.6.9...4.3.4)

Updates `heroku` from 8.1.9 to 8.11.5
- [Release notes](https://github.com/heroku/cli/releases)
- [Changelog](https://github.com/heroku/cli/blob/main/CHANGELOG.md)
- [Commits](heroku/cli@v8.1.9...v8.11.5)

---
updated-dependencies:
- dependency-name: debug
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: heroku
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 27, 2024
@sourcery-ai
Copy link

sourcery-ai bot commented Nov 27, 2024
edited
Loading

Reviewer's Guide by Sourcery

This PR updates two npm dependencies in the project: debug (2.6.9 → 4.3.4) and heroku (8.1.9 → 8.11.5). The changes are implemented through direct version bumps in the package.json and package-lock.json files.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change Details Files
Update heroku CLI dependency to latest version
  • Bump version from 8.1.9 to 8.11.5
  • Add environment variable option to disable telemetry
  • Improve authorization warnings handling
  • Update various CLI commands and their descriptions
  • Fix issues with pg:credentials and local environment handling
 package.json
package-lock.json
Update debug library to latest version
  • Bump version from 2.6.9 to 4.3.4
  • Replace deprecated String.prototype.substr()
  • Add documentation for configuring JS console debug messages
  • Update repository location and maintainership information
 package.json
package-lock.json
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time. You can also use
    this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Nov 27, 2024
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, dependabot[bot]!). We assume it knows what it's doing!

@allyelvis allyelvis merged commit c200839 into main Dec 4, 2024
1 of 4 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-0949ef03b3 branch December 4, 2024 01:26
@guardrails
Copy link

guardrails bot commented Dec 4, 2024

⚠️ We detected 1 security issue in this pull request:

Vulnerable Libraries (1)
Severity Details
High pkg:npm/heroku@8.11.5 upgrade to: > 8.11.5

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@allyelvis