Bump the npm_and_yarn group across 2 directories with 3 updates #518

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/packages/indexer/npm_and_yarn-effff4c025

dependabot[bot] commented on behalf of github on Dec 11, 2025

Bumps the npm_and_yarn group with 2 updates in the /packages/indexer directory: ai and zx.
Bumps the npm_and_yarn group with 1 update in the /packages/web directory: js-yaml.

Updates ai from 4.3.19 to 5.0.52

Commits
  • 63d5f66 Version Packages (#8895)
  • 930399b Backport: fix(ai): download files when intermediate file cannot be downloaded...
  • 7ca78f1 Backport: feat(provider/gateway): Add new Qwen models to Gateway model string...
  • 1cfc209 Backport: feat(provider/openai): OpenAILanguageModelOptions type (#8858)
  • 347b7ec ci: rename v5.0 branch to release-v*
  • 85909a9 Backport: chore(ai): update test message (#8875)
  • c56822d Backport: fix(ai): update uiMessageChunkSchema to satisfy the `UIMessageChu...
  • 1461adf Backport: chore(examples): remove redundant OpenAI reasoning examples (#8871)
  • 6bd07df Version Packages (#8853)
  • a45d61a ci(release): remove incorrect changeset bump for @ai-sdk/baseten
  • Additional commits viewable in compare view

Updates zx from 8.8.1 to 8.8.5

Release notes

Sourced from zx's releases.

8.8.5 — Temporary Reservoir

This release fixes the issue, when zx flushes external node_modules on linking #1348 #1349 #1355

Also globby@15.0.0 arrives here.

8.8.4 — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic. #1344 webpod/ps#15

  1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
  2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

8.8.3 — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

8.8.2 — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] added the dependencies and javascript labels on Dec 11, 2025.
dependabot[bot] force-pushed the dependabot/npm_and_yarn/packages/indexer/npm_and_yarn-effff4c025 branch 3 times, most recently from 65c13b8 to c1eba37, on December 15, 2025 06:44.
dependabot[bot] force-pushed the dependabot/npm_and_yarn/packages/indexer/npm_and_yarn-effff4c025 branch 3 times, most recently from 63852ec to 47dc977, on December 19, 2025 07:22.

Bumps the npm_and_yarn group with 2 updates in the /packages/indexer directory: [ai](https://github.com/vercel/ai) and [zx](https://github.com/google/zx).
Bumps the npm_and_yarn group with 1 update in the /packages/web directory: [js-yaml](https://github.com/nodeca/js-yaml).


Updates `ai` from 4.3.19 to 5.0.52
- [Release notes](https://github.com/vercel/ai/releases)
- [Changelog](https://github.com/vercel/ai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/vercel/ai/compare/ai@4.3.19...ai@5.0.52)

Updates `zx` from 8.8.1 to 8.8.5
- [Release notes](https://github.com/google/zx/releases)
- [Commits](google/zx@8.8.1...8.8.5)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: ai
  dependency-version: 5.0.52
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: zx
  dependency-version: 8.8.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] force-pushed the dependabot/npm_and_yarn/packages/indexer/npm_and_yarn-effff4c025 branch from 47dc977 to 0061444 on December 24, 2025 05:39.

@boundless-forest (Collaborator) commented:

@codex review

chatgpt-codex-connector[bot] left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 00614449b3

"@subsquid/typeorm-store": "^1.5.1",
"@subsquid/util-internal": "^3.2.0",
"ai": "^4.3.19",
"ai": "^5.0.52",

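Review bot: the "ai" line crosses a major version (^4.3.19 to ^5.0.52) inside a grouped update whose other two bumps, zx 8.8.5 and js-yaml 4.1.1, are the ones carrying security fixes. Consider splitting the ai upgrade into its own PR so the zx and js-yaml fixes can merge without waiting on a v5 migration, and check that every package built against the ai provider interface resolves to a compatible version in yarn.lock before this line lands.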

[P2] Align OpenRouter provider with ai v5 SDK

You’ve bumped ai to ^5.0.52 here, but @openrouter/ai-sdk-provider still resolves @ai-sdk/provider 1.1.3 (see packages/indexer/yarn.lock lines 1026–1032), while ai v5 pulls @ai-sdk/provider 2.0.0 (lines 1982–1989). In TextPlus, the OpenRouter model is passed directly into generateObject from ai, so the runtime now mixes two provider interfaces; when AI features run (OPENROUTER_API_KEY set), the model can fail to satisfy the v2 API expected by ai and throw at runtime. Consider upgrading @openrouter/ai-sdk-provider to a v2-compatible release or pinning ai back to v4 to keep a single provider interface.


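A lockfile check covering both the version ranges named in the release notes above and the mixed-major situation the review comment describes, as an added example that is not part of this PR or of any project named on the page. `audit`, `parseLock`, `AFFECTED` and the sample lockfile are hypothetical names and constructed data, and the parser assumes standard Yarn classic or Berry entry syntax.

```javascript
// Numeric x.y.z comparison; prerelease tags are ignored (assumption).
const cmp = (a, b) => {
  const [x, y] = [a, b].map(v => v.split(".").map(n => parseInt(n, 10)));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};
// Ranges from the release notes quoted in the PR; a Map avoids inherited keys.
const AFFECTED = new Map([
  ["zx", v => cmp(v, "8.7.1") >= 0 && cmp(v, "8.8.1") <= 0],
  // Assumption: every 4.x before the 4.1.1 fix is treated as unfixed.
  ["js-yaml", v => v.startsWith("4.") && cmp(v, "4.1.1") < 0],
]);
// Package name -> Set of resolved versions (Yarn classic or Berry syntax).
function parseLock(text) {
  const resolved = new Map();
  let name = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trimEnd();
    if (/^[^\s#]/.test(line) && line.endsWith(":")) {
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      const at = spec.indexOf("@", 1); // skip a leading scope "@"
      name = at > 0 ? spec.slice(0, at) : null;
    } else if (name) {
      const m = /^ {2}version:?\s+"?([^"\s]+)"?/.exec(line);
      if (m) resolved.set(name, (resolved.get(name) || new Set()).add(m[1]));
    }
  }
  return resolved;
}
// Report versions inside an affected range and packages resolved at 2+ majors.
function audit(text) {
  const affected = [], splitMajors = [];
  for (const [name, versions] of parseLock(text)) {
    const list = [...versions].sort(cmp);
    const hit = AFFECTED.get(name);
    for (const v of list) if (hit && hit(v)) affected.push(`${name}@${v}`);
    if (new Set(list.map(v => v.split(".")[0])).size > 1)
      splitMajors.push(`${name}: ${list.join(", ")}`);
  }
  return { affected, splitMajors };
}
// Constructed sample, not the project's packages/indexer/yarn.lock.
const SAMPLE_LOCK = [
  '"@ai-sdk/provider@1.1.3":', '  version "1.1.3"',
  '"@ai-sdk/provider@2.0.0":', '  version "2.0.0"',
  'js-yaml@^4.1.0:', '  version "4.1.0"',
  'zx@^8.8.1:', '  version "8.8.5"',
].join("\n");
console.log(audit(SAMPLE_LOCK));
```

Run against each workspace lockfile in CI; a non-empty `affected` list is a reason to fail the build, while `splitMajors` entries need a human to decide whether the two majors ever meet at runtime.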