build(deps): bump the npm_and_yarn group across 4 directories with 5 updates#2172
Closed
dependabot[bot] wants to merge 1 commit intomainfrom
Closed
build(deps): bump the npm_and_yarn group across 4 directories with 5 updates#2172dependabot[bot] wants to merge 1 commit intomainfrom
dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
…updates Bumps the npm_and_yarn group with 4 updates in the / directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [next](https://github.com/vercel/next.js), [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml). Bumps the npm_and_yarn group with 1 update in the /apps/docs directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 2 updates in the /apps/sim directory: [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml). Bumps the npm_and_yarn group with 1 update in the /scripts directory: [glob](https://github.com/isaacs/node-glob). Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0) Updates `next` from 15.4.1 to 15.4.8 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.4.1...v15.4.8) Updates `better-auth` from 1.3.12 to 1.4.2 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Commits](https://github.com/better-auth/better-auth/commits/v1.4.2/packages/better-auth) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `next` from 15.4.1 to 15.4.8 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.4.1...v15.4.8) Updates `better-auth` from 1.3.12 to 1.4.2 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Commits](https://github.com/better-auth/better-auth/commits/v1.4.2/packages/better-auth) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `glob` from 11.0.2 to 11.1.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v11.0.2...v11.1.0) --- updated-dependencies: - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.4.8 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: better-auth dependency-version: 1.4.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.4.8 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: better-auth dependency-version: 1.4.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 11.1.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
Greptile OverviewGreptile SummaryThis automated dependency update introduces a critical version conflict that will prevent the intended Next.js upgrade from taking effect. Key Issues🚨 Next.js Version Conflict (Critical)
✅ Security Updates Included
📋 Breaking Changes
RecommendationDo not merge until the Next.js version conflict is resolved. Either:
After resolving the version conflict, ensure better-auth migration is run before deployment. Confidence Score: 1/5
Important Files ChangedFile Analysis
Sequence DiagramsequenceDiagram
participant Dependabot
participant RootPackage as Root package.json
participant SimApp as apps/sim/package.json
participant DocsApp as apps/docs/package.json
participant Scripts as scripts/package.json
Note over Dependabot: Automated Dependency Update
Dependabot->>SimApp: Update next: 15.4.1 → 16.0.7
Dependabot->>SimApp: Update better-auth: 1.3.12 → 1.4.2
Dependabot->>SimApp: Update js-yaml: 4.1.0 → 4.1.1
Dependabot->>DocsApp: Update next: 15.4.1 → 15.4.8
Dependabot->>RootPackage: Update @modelcontextprotocol/sdk: 1.20.2 → 1.24.0
Dependabot->>Scripts: Update glob: 11.0.3 → 11.1.0
Note over RootPackage: Override Conflict!
RootPackage-->>SimApp: Force next@15.4.1 via overrides
Note over SimApp: Requested ^16.0.7<br/>but gets 15.4.1
SimApp-->>SimApp: Internal override conflict<br/>(line 101 vs line 167)
Note over DocsApp: ✓ Security fix CVE-2025-66478
Note over Scripts: ✓ Security fix GHSA-5j98-mcp5-4vw2
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Additional Comments (2)
-
apps/sim/package.json, line 167-168 (link)logic: Duplicate override definitions
This package has its own
overridessection that locks Next.js to15.4.1, but line 101 requests^16.0.7. This is internally inconsistent - the package both requires Next.js 16 and overrides it back to 15.4.1.Additionally, these overrides duplicate the root-level overrides and may not have the intended effect in a workspace setup (root overrides typically take precedence).
-
package.json, line 31-32 (link)logic: Override blocks Next.js 16.x upgrade
The
apps/sim/package.jsonnow depends onnext: ^16.0.7, but these overrides lock the entire workspace to15.4.1. This prevents the upgrade from taking effect.Check: Verify if Next.js 16.x is intentional or if
apps/simshould stay on 15.4.8 for the security fix.
4 files reviewed, 4 comments
| "mysql2": "3.14.3", | ||
| "nanoid": "^3.3.7", | ||
| "next": "^15.4.1", | ||
| "next": "^16.0.7", |
Contributor
There was a problem hiding this comment.
logic: Next.js 16.0.7 conflicts with workspace override
The root package.json overrides section locks Next.js to 15.4.1, but this package now requests ^16.0.7 (a major version bump). This creates a version conflict where the override will force 15.4.1 to be installed despite the 16.x requirement.
Impact: The application will run on Next.js 15.4.1 instead of 16.0.7, potentially causing runtime issues if the code uses Next.js 16 features.
Resolution: Either:
- Update the root
package.jsonoverrides to allow Next.js 16.x, OR - Revert this change to stay on Next.js 15.4.8 (which includes the security fix)
Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/sim/package.json
Line: 101:101
Comment:
**logic:** Next.js 16.0.7 conflicts with workspace override
The root `package.json` overrides section locks Next.js to `15.4.1`, but this package now requests `^16.0.7` (a major version bump). This creates a version conflict where the override will force 15.4.1 to be installed despite the 16.x requirement.
**Impact**: The application will run on Next.js 15.4.1 instead of 16.0.7, potentially causing runtime issues if the code uses Next.js 16 features.
**Resolution**: Either:
1. Update the root `package.json` overrides to allow Next.js 16.x, OR
2. Revert this change to stay on Next.js 15.4.8 (which includes the security fix)
How can I resolve this? If you propose a fix, please make it concise.| "@trigger.dev/sdk": "4.0.4", | ||
| "@types/three": "0.177.0", | ||
| "better-auth": "1.3.12", | ||
| "better-auth": "1.4.2", |
Contributor
There was a problem hiding this comment.
logic: Check database migration for better-auth 1.4.x
better-auth upgrade from 1.3.12 to 1.4.2 includes changes per the release notes:
- Session handling changes (session shouldn't be required in OIDC provider)
- Email-OTP capitalization handling fixes
- Database schema changes requiring migration
Check: Run better-auth migrate and verify session/auth functionality still works as expected, especially for OIDC and email-OTP flows.
Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/sim/package.json
Line: 72:72
Comment:
**logic:** Check database migration for better-auth 1.4.x
better-auth upgrade from 1.3.12 to 1.4.2 includes changes per the release notes:
- Session handling changes (session shouldn't be required in OIDC provider)
- Email-OTP capitalization handling fixes
- Database schema changes requiring migration
Check: Run `better-auth migrate` and verify session/auth functionality still works as expected, especially for OIDC and email-OTP flows.
How can I resolve this? If you propose a fix, please make it concise.
Contributor
Author
|
Looks like these dependencies are updatable in another way, so this is no longer needed. |
dependabot
Bot
deleted the
dependabot/npm_and_yarn/npm_and_yarn-607729c0f0
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the npm_and_yarn group with 4 updates in the / directory: @modelcontextprotocol/sdk, next, better-auth and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /apps/docs directory: next.
Bumps the npm_and_yarn group with 2 updates in the /apps/sim directory: better-auth and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.
Updates
@modelcontextprotocol/sdkfrom 1.20.2 to 1.24.0Release notes
Sourced from
@modelcontextprotocol/sdk's releases.... (truncated)
Commits
356b7e6chore: bump version for release (#1215)09623e2Merge commit from forkcf51343feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)8204126fix: allow zod 4 transformations (#1213)6083600Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...a6ee2cbfix: normalize null to undefined in ElicitResultSchema content field (#1204)4b651b8feat: add closeStandaloneSSEStream for GET stream polling (#1203)5ceabfbfix: normalize headers in sse transport (#856)f67fc2ffix: improve SSE reconnection behavior (#1191)fab7e1efeat: add closeSSEStream callback to RequestHandlerExtra (#1166)Maintainer changes
This version was pushed to npm by pcarleton, a new releaser for
@modelcontextprotocol/sdksince your current version.Updates
nextfrom 15.4.1 to 15.4.8Release notes
Sourced from next's releases.
Commits
4966847v15.4.8bf8d31cupdate version scriptbed530fUpdate React Version for Next.js 15.4.8 (#9)4309d93update tag17e6873[backport]:experimental.middlewareClientMaxBodySize(#84722)4da39f2[backport] fix: unstable_cache should perform blocking revalidation during IS...f30d815v15.4.71a026e3fix router handling when setting a location response header (#82588)be4aafdv15.4.691e5b6bBackport "fix: add?dplto fonts in/_next/static/media(#82384)" (#82421)Updates
better-authfrom 1.3.12 to 1.4.2Release notes
Sourced from better-auth's releases.
... (truncated)
Commits
f2c28ddchore: release v1.4.27e7a4cachore: release v1.4.2-beta.2a2e6a8aRevert "chore: lint (#6290)"5ea36abfix: signIn/signUp API returns user additional field (#6287)205c294chore(email-otp): unit tests for sign-in with capitalizations (#6238)201a7c2fix(oidc-provider): session shouldn't be required (#6282)1c1c913chore: more join tests for missing data scenarios (#6166)1c45f37feat(jwt): allow custom jwks endpoint (#6269)fc662c5chore: remove incorrect auth cli (#6242)fabf8dcdocs: updated og image and add merch link to community section (#6251)Updates
js-yamlfrom 4.1.0 to 4.1.1Changelog
Sourced from js-yaml's changelog.
Commits
cc482e74.1.1 released50968b8dist rebuildd092d86lint fix383665ffix prototype pollution in merge (<<)0d3ca7aREADME.md: HTTP => HTTPS (#678)49baadddoc: 'empty' style option for !!nullba3460eFix demo link (#618)Updates
nextfrom 15.4.1 to 15.4.8Release notes
Sourced from next's releases.
Commits
4966847v15.4.8bf8d31cupdate version scriptbed530fUpdate React Version for Next.js 15.4.8 (#9)4309d93update tag17e6873[backport]:experimental.middlewareClientMaxBodySize(#84722)4da39f2[backport] fix: unstable_cache should perform blocking revalidation during IS...f30d815v15.4.71a026e3fix router handling when setting a location response header (#82588)be4aafdv15.4.691e5b6bBackport "fix: add?dplto fonts in/_next/static/media(#82384)" (#82421)Updates
better-authfrom 1.3.12 to 1.4.2Release notes
Sourced from better-auth's releases.
... (truncated)
Commits
f2c28ddchore: release v1.4.27e7a4cachore: release v1.4.2-beta.2a2e6a8aRevert "chore: lint (#6290)"5ea36abfix: signIn/signUp API returns user additional field (#6287)205c294chore(email-otp): unit tests for sign-in with capitalizations (#6238)201a7c2fix(oidc-provider): session shouldn't be required (#6282)1c1c913chore: more join tests for missing data scenarios (#6166)1c45f37feat(jwt): allow custom jwks endpoint (#6269)fc662c5chore: remove incorrect auth cli (#6242)fabf8dcdocs: updated og image and add merch link to community section (#6251)Updates
js-yamlfrom 4.1.0 to 4.1.1Changelog
Sourced from js-yaml's changelog.
Commits
cc482e74.1.1 released50968b8dist rebuildd092d86lint fix383665ffix prototype pollution in merge (<<)0d3ca7aREADME.md: HTTP => HTTPS (#678)49baadddoc: 'empty' style option for !!nullba3460eFix demo link (#618)Updates
globfrom 11.0.2 to 11.1.0Changelog
Sourced from glob's changelog.
... (truncated)
Commits
2551fb511.1.047473c0bin: Do not expose filenames to shell expansionbc33fe1skip tilde test on systems that lack tilde expansion59bf9cafix notesdde4fa6docs(README): add #anchor and improvenotes0559b0edocs: add better links to path-scurry docsc9773c2fix: correct typos inREADME.md13e68eaFix punctuation in traversal function documentation1527e2bfix repo url7e190e8fix typomaths→pathsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.