Contributor

@liranmauda liranmauda commented Nov 2, 2025

Explain the Changes

  • Bumping deps to avoid CVE (02/11/2025)

Summary by CodeRabbit

  • Chores
    • Updated multiple library dependencies across cloud providers, messaging, storage, and development tooling to their latest patch/minor releases for improved compatibility, security, and performance. No changes to public APIs or runtime behavior expected.

coderabbitai bot commented Nov 2, 2025

Walkthrough

Updates multiple dependency and devDependency versions in package.json (Azure, Google Cloud, Smithy, node-rdkafka, TypeScript, types, test frameworks, native tools). No source code, script logic, or exported/public API declarations were changed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency manifest (package.json) | Bumped multiple dependencies and devDependencies: @azure/identity 4.12.0 → 4.13.0, @azure/storage-blob 12.29.0 → 12.29.1, @google-cloud/storage 7.17.1 → 7.17.2, @smithy/node-http-handler 4.2.1 → 4.4.4, node-rdkafka 3.5.0 → 3.6.0, mongo-query-to-postgres-jsonb 0.2.17 → 0.2.18, typescript 5.9.2 → 5.9.3, @types/node 22.18.6 → 22.18.13, @types/pg 8.15.5 → 8.15.6, jest 30.1.3 → 30.2.0, mocha 11.7.2 → 11.7.4, node-gyp 11.4.2 → 11.5.0, wtfnode 0.10.0 → 0.10.1, plus other minor bumps. No code changes. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review focus:
    • package.json full diff and any updated lockfile for transitive/peer changes.
    • Native dependency implications: node-rdkafka, node-gyp.
    • Cloud SDK version compatibility: Azure (@azure/*), Google Cloud (@google-cloud/storage), Smithy-related HTTP handler.
    • TypeScript and @types/* alignment with compile/test pipeline.

Possibly related PRs

Suggested labels

size/M

Suggested reviewers

  • nimrod-becker
  • jackyalbo

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The pull request title "Bumping deps to avoid CVE (02/11/2025)" directly and clearly summarizes the main change in the changeset. The raw summary confirms that the PR contains multiple dependency version bumps across various packages, and the PR objectives explicitly state the goal is to update dependencies to avoid a CVE. The title is specific and non-generic, using clear terminology ("Bumping deps" and "avoid CVE") that would allow teammates reviewing the history to quickly understand this is a security-related dependency update. The inclusion of the date provides additional context for tracking purposes. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4cd0a48 and 8ecd7bf.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-package-lock-validation
  • GitHub Check: run-jest-unit-tests


- Bumping deps to avoid CVE (02/11/2025)

Signed-off-by: liranmauda <[email protected]>