Skip to content

Lock file maintenance npm dependencies (main)#3370

Open
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main-main/lock-file-maintenance-npm-dependencies
Open

Lock file maintenance npm dependencies (main)#3370
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main-main/lock-file-maintenance-npm-dependencies

Conversation

@red-hat-konflux

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 04:59 AM (* 0-4 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 4:49 AM UTC · Completed 4:58 AM UTC
Commit: 47d3320 · View workflow run →

@codecov

codecov Bot commented Jun 27, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 53.62% <ø> (+<0.01%) ⬆️
generative 17.18% <ø> (ø)
integration 28.36% <ø> (ø)
unit 71.74% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026

Copy link
Copy Markdown

Review — Approve

PR: #3370 — Lock file maintenance npm dependencies (main)
Author: red-hat-konflux[bot] (Renovate/MintMaker)
Scope: 1 file (package-lock.json), 12 additions / 12 deletions

Summary

Automated lockfile maintenance refreshing 4 transitive npm dependencies of tekton-lint:

Package Old Version New Version Notes
fastq 1.19.1 1.20.1 Minor bump
lodash 4.17.21 4.18.1 Security release — patches prototype pollution (GHSA-f23m-r3pf-42rh) and code injection via template imports (CVE-2026-4800)
picomatch 2.3.1 2.3.2 Security release — patches CVE-2026-33671 and CVE-2026-33672
yaml 1.10.2 1.10.3 Patch bump

Security Assessment

  • ✅ All resolved URLs point to the official npm registry (registry.npmjs.org)
  • ✅ All integrity hashes are valid sha512 format
  • lodash 4.18.1 is a verified legitimate release (Sovereign Tech Agency-funded maintenance resumed in 2026); this update patches known CVEs
  • picomatch 2.3.2 is a verified security release patching ReDoS vulnerabilities
  • ✅ No dependency confusion, typosquatting, or supply chain anomalies detected
  • ✅ No secrets, injection patterns, hidden Unicode characters, or bidirectional text overrides

Dimensional Coverage

Dimension Result
Security ✅ No findings — supply chain verified, updates patch known CVEs
Correctness ✅ N/A — lockfile-only, no application logic
Intent & coherence ✅ Mechanical change from authorized bot — implicit authorization
Style & conventions ✅ N/A — generated lockfile follows existing format
Documentation ✅ N/A — no code changes requiring doc updates
Cross-repo contracts ✅ N/A — no API surface changes

This lockfile maintenance PR is safe to merge. The lodash and picomatch updates are particularly beneficial as they patch known security vulnerabilities.

Previous run

Looks good to me


Labels: Lock file maintenance PR updating npm dependencies fits the 'dependencies' label.

Previous run (2)

Review

Findings

High

  • [supply chain / dependency integrity] package-lock.json:302 — lodash is being updated from 4.17.21 to 4.18.1. As of mid-2025, lodash 4.17.21 was the latest release and the repository had been largely inactive. However, the current date is June 2026, meaning a legitimate 4.18.x release could have occurred in the intervening year. The version should be verified against the npm registry before merging.
    Remediation: Before merging: (1) Run npm view lodash versions or check https://www.npmjs.com/package/lodash to confirm 4.18.1 is a legitimate release. (2) If it does not exist or was published by an unexpected maintainer, reject this PR. (3) If legitimate, review the changelog before accepting.

Low

  • [supply chain / dependency verification] package-lock.json — The other dependency updates in this PR (fastq 1.19.1 → 1.20.1, picomatch 2.3.1 → 2.3.2, yaml 1.10.2 → 1.10.3) are routine minor/patch bumps from well-maintained packages. These are normal lock file maintenance updates produced by Renovate.

Labels: PR contains a dependency version bump that requires manual verification for supply chain integrity

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/lock-file-maintenance-npm-dependencies branch from 976122f to 4cf619c Compare July 3, 2026 02:18
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:22 AM UTC · Completed 2:29 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot dismissed their stale review July 3, 2026 02:29

Superseded by updated review

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge dependencies Pull requests that update a dependency file labels Jul 3, 2026
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/lock-file-maintenance-npm-dependencies branch from 4cf619c to 86252df Compare July 10, 2026 04:45
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 4:46 AM UTC · Completed 4:54 AM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file main Possible security concern ready-for-merge All reviewers approved — ready to merge renovate size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants