chore: Bump vulnerable deps (#42182)

* Bump @modelcontextprotocol/sdk. * Bump qs. * Bump preact. * Bump react-router. * Bump @smithy/config-resolver. * Bump undici. * Bump devalue. * Bump h3. * Bump tar. * Bump diff. * Bump lodash. * Dedupe @aws-sdk/credential-providers.
2026-05-06 22:18:00 +08:00 · 2026-01-27 10:29:05 +01:00
parent 4c7748115b
commit 036740b5b5
10 changed files with 423 additions and 461 deletions
--- a/apps/docs/package.json
+++ b/apps/docs/package.json
@@ -77,7 +77,7 @@
    "jsrsasign": "^11.0.0",
    "katex": "^0.16.21",
    "libpg-query": "15.2.0",
-    "lodash-es": "^4.17.21",
+    "lodash-es": "catalog:",
    "lucide-react": "*",
    "mdast": "^3.0.0",
    "mdast-util-from-markdown": "^1.2.0",
--- a/apps/studio/package.json
+++ b/apps/studio/package.json
@@ -34,7 +34,7 @@
    "@ai-sdk/provider": "^2.0.0",
    "@ai-sdk/provider-utils": "^3.0.0",
    "@ai-sdk/react": "2.0.52",
-    "@aws-sdk/credential-providers": "^3.804.0",
+    "@aws-sdk/credential-providers": "^3.830.0",
    "@dagrejs/dagre": "^1.0.4",
    "@dnd-kit/core": "^6.1.0",
    "@dnd-kit/modifiers": "^9.0.0",
@@ -49,7 +49,7 @@
    "@heroicons/react": "^2.1.3",
    "@hookform/resolvers": "^3.1.1",
    "@mjackson/multipart-parser": "^0.10.1",
-    "@modelcontextprotocol/sdk": "^1.23.0",
+    "@modelcontextprotocol/sdk": "^1.24.0",
    "@monaco-editor/react": "^4.6.0",
    "@next/bundle-analyzer": "^16.0.3",
    "@number-flow/react": "^0.3.2",
@@ -99,7 +99,7 @@
    "immutability-helper": "^3.1.1",
    "ip-num": "^1.5.1",
    "json-logic-js": "^2.0.2",
-    "lodash": "^4.17.21",
+    "lodash": "catalog:",
    "lucide-react": "^0.436.0",
    "markdown-table": "^3.0.3",
    "memoize-one": "^5.0.1",
--- a/apps/ui-library/package.json
+++ b/apps/ui-library/package.json
@@ -98,11 +98,11 @@
    "@types/react": "catalog:",
    "@types/react-dom": "catalog:",
    "config": "workspace:^",
-    "lodash": "^4.17.21",
+    "lodash": "catalog:",
    "mdast-util-toc": "^6.1.1",
    "postcss": "^8.5.3",
    "react-dropzone": "^14.3.8",
-    "react-router": "^7.5.2",
+    "react-router": "^7.12.0",
    "rimraf": "^4.1.3",
    "shadcn": "^3.0.0",
    "shiki": "^1.1.7",
--- a/blocks/vue/package.json
+++ b/blocks/vue/package.json
@@ -10,7 +10,7 @@
    "typecheck": "tsc --noEmit -p tsconfig.json"
  },
  "dependencies": {
-    "h3": "^1.15.4",
+    "h3": "^1.15.5",
    "nuxt": "^4.0.3",
    "class-variance-authority": "^0.7.1",
    "tailwind-merge": "^3.3.1",
--- a/packages/common/package.json
+++ b/packages/common/package.json
@@ -19,7 +19,7 @@
    "configcat-js": "^9.5.1",
    "dat.gui": "^0.7.9",
    "flags": "^4.0.0",
-    "lodash": "^4.17.21",
+    "lodash": "catalog:",
    "next-themes": "^0.3.0",
    "posthog-js": "^1.257.2",
    "react-use": "^17.4.0",
--- a/packages/generator/package.json
+++ b/packages/generator/package.json
@@ -26,7 +26,7 @@
    "@types/json-stringify-safe": "^5.0.0",
    "@types/lodash": "^4.14.202",
    "json-stringify-safe": "^5.0.1",
-    "lodash": "^4.17.21",
+    "lodash": "catalog:",
    "tsconfig": "workspace:*",
    "tsx": "catalog:"
  }
--- a/packages/ui-patterns/package.json
+++ b/packages/ui-patterns/package.json
@@ -650,7 +650,7 @@
    "github-slugger": "^2.0.0",
    "icons": "workspace:*",
    "js-yaml": "^3.14.1",
-    "lodash": "^4.17.21",
+    "lodash": "catalog:",
    "lucide-react": "*",
    "mdast": "^3.0.0",
    "monaco-editor": "*",
--- a/packages/ui/package.json
+++ b/packages/ui/package.json
@@ -58,7 +58,7 @@
    "framer-motion": "^11.0.3",
    "highlightjs-curl": "^1.3.0",
    "input-otp": "^1.2.3",
-    "lodash": "^4.17.21",
+    "lodash": "catalog:",
    "lucide-react": "^0.436.0",
    "mermaid": "^11.12.1",
    "next-themes": "^0.3.0",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -14,6 +14,8 @@ catalog:
  '@types/react': ^18.3.0
  '@types/react-dom': ^18.3.0
  next: ^15.5.10
+  lodash-es: ^4.17.23
+  lodash: ^4.17.23
  react: ^18.3.0
  react-dom: ^18.3.0
  recharts: ^2.15.4
@@ -52,20 +54,34 @@ minimumReleaseAgeExclude:
  - '@vitejs/plugin-rsc'
  - stripe-experiment-sync # TODO(matlin) remove, temp just to unblock launch
  - braintrust
+  - tar
+  - diff
+  - lodash-es
+  - lodash

 onlyBuiltDependencies:
  - supabase

 overrides:
  '@eslint/eslintrc>js-yaml': ^4.1.1
+  '@nuxt/devtools-wizard>diff': ^8.0.3
  '@react-router/dev>vite-node': 3.2.4
  '@redocly/respect-core>form-data': ^4.0.4
  '@redocly/respect-core>js-yaml': ^4.1.1
  '@tanstack/directive-functions-plugin>vite': 'catalog:'
  '@tanstack/react-start-plugin>vite': 'catalog:'
+  '@tanstack/start-server-core>h3': ^1.15.5
+  '@tanstack/react-start-server>h3': ^1.15.5
+  '@smithy/config-resolver': ^4.4.0
  esbuild: ^0.25.2
  nodemailer: ^7.0.11
+  lodash-es: 'catalog:'
+  lodash: 'catalog:'
+  payload>undici: ^7.18.2
+  preact: 10.26.10
  refractor>prismjs: ^1.30.0
-  tar: ^7.0.0
+  shadcn>diff: ^8.0.3
+  tar: ^7.5.4
  tmp: ^0.2.4
  vinxi>vite: 'catalog:'
+  vinxi>h3: ^1.15.5