chore(deps): bump transitive dependencies to latest patched versions#456
Conversation
Bump concurrent-ruby to 1.3.7 (root + with-notifications) and activesupport to 7.2.3.1 (with-notifications). Also generated the missing with-notifications/Gemfile.lock (never committed) and lifted its Gemfile's `concurrent-ruby < 1.3.4` pin to `>= 1.3.7`: that pin was an emergency workaround for a logger-require regression in 1.3.5 that broke activesupport outside Rails, but this Gemfile already declares `gem 'logger'` explicitly, which covers the same gap.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
Why?
Several transitive dependencies across the root Yarn workspace, the expo-example and with-notifications example apps, and both Ruby lockfiles were behind their latest releases. All affected packages are development/build tooling or example-app dependencies — the published library has no runtime dependencies, so nothing here affects SDK consumers. (
examples/example/e2eis intentionally left untouched in this PR.)How?
Lockfile-level bumps to each package's latest patched version: in-range refreshes where the newer version already satisfies dependents, otherwise range-scoped Yarn
resolutions/pnpm.overridesso each major line is bumped in-line without forcing consumers across majors. Ruby gems updated viabundle lock --update.Decisions
uuid→11.1.1,serialize-javascript→7.0.5,fast-xml-parser→5.7.0.examples/with-notifications/Gemfilehad aconcurrent-ruby < 1.3.4pin (upstream template workaround for a logger-require regression); lifted to>= 1.3.7since the Gemfile already declaresgem 'logger'. Its previously-uncommittedGemfile.lockis now generated and committed;BUNDLED WITHmoves 2.1.4 → 2.5.11 in both lockfiles.Generated with Claude Code