Update ui deps sync #694

Open
renovate[bot] wants to merge 1 commit into master from renovate/ui-deps-sync

renovate Bot commented Oct 17, 2025
Contributor

This PR contains the following updates:

| Package | Change |
|---|---|
| @openzeppelin/confidential-contracts | ^0.3.1 → ^0.5.1 |
| @rollup/plugin-commonjs | ^28.0.8 → ^28.0.9 |
| @rollup/plugin-replace | ^6.0.2 → ^6.0.3 |
| @rollup/plugin-typescript | ^12.1.4 → ^12.3.0 |
| @types/node | ^20.19.21 → ^20.19.43 |
| @upstash/redis | 1.35.6 → 1.38.0 |
| @upstash/redis | 1.35.6 → 1.38.0 |
| autoprefixer | ^10.4.21 → ^10.5.2 |
| jszip | 3.6.0 → 3.10.1 |
| postcss | ^8.5.6 → ^8.5.16 |
| semver | ^7.7.3 → ^7.8.5 |
| tailwindcss | ^3.4.18 → ^3.4.19 |

Release Notes

OpenZeppelin/openzeppelin-confidential-contracts (@​openzeppelin/confidential-contracts)

v0.5.1

Compare Source

  • BatcherConfidential: Initialize the zero value before unwrapping when dispatching a batch with no contributions.

v0.5.0

Compare Source

Token
  • ERC7984: Remove revert on transfer where the sender has an uninitialized balance. (#​357)
  • ERC7984Hooked: Add an ERC7984 extension that calls external hooks before and after transfer of confidential tokens. (#​332)
  • ERC7984HookModule: Add a base hook module for building modules compatible with ERC7984Hooked. (#​351)
  • ERC7984BalanceCapHookModule: Add an example hook module that enforces a confidential balance cap for the token. (#​351)
  • ERC7984HolderCapHookModule: Add an example hook module that enforces a maximum number of holders for the token. (#​351)
  • ERC7984Rwa: Always call _update on transfers (even force). Bypass restriction via restriction override. (#​339)
  • ERC7984Rwa: Add token recovery functionality. (#​341)
  • ERC7984Rwa: Bypass recipient on RWA force transfer in addition to sender. (#​372)
  • ERC7984Rwa: Block overrides of Context functions (_msgSender(), _msgData()). (#​382)
  • IERC7984Rwa: Add token recovery function and event. (#341)

Finance
  • BatcherConfidential: Revert if underlying toToken balance changes during a partial route execution. (#385)

Utils
  • FHESafeMath: Add saturatingAdd and saturatingSub functions. (#​341)
  • HandleAccessManager: Return false by default in _validateHandleAllowance. (#​338)

v0.4.1

Compare Source

Bug Fixes
  • BatcherConfidential: Enable decryption of the joinedAmount in BatcherConfidential. (#​387)

v0.4.0

Compare Source

  • Migrate @fhevm/solidity dependency to 0.11.1 (#​311)
  • Upgrade openzeppelin/contracts and openzeppelin/contracts-upgradeable to v5.6.1 (#314)

Token
  • ERC7984ERC20Wrapper: use a bytes32 unwrap request identifier instead of identifying batches by the euint64 unwrap amount. (#​326)
  • ERC7984ERC20Wrapper: Support ERC-165 interface detection on ERC7984ERC20Wrapper. (#​267)
  • ERC7984ERC20Wrapper: return the amount of wrapped token sent on wrap calls. (#​307)
  • ERC7984ERC20Wrapper: return unwrapped amount on unwrap calls (#​288)
  • ERC7984ERC20Wrapper: revert on wrap if there is a chance of total supply overflow. (#​268)
  • ERC7984Restricted, ERC7984Rwa: Rename isUserAllowed to canTransact (#291)

Finance
  • BatcherConfidential: A batching primitive that enables routing between two ERC7984ERC20Wrapper contracts via a non-confidential route. (#293)

Utils
  • HandleAccessManager: change _validateHandleAllowance to return a boolean and validate it. (#303)

rollup/plugins (@rollup/plugin-commonjs)

v28.0.9

2025-10-24

Bugfixes
  • fix: handle node: builtins with strictRequires: auto (#1930)

rollup/plugins (@rollup/plugin-replace)

v6.0.3

2025-10-29

Bugfixes
  • fix: update delimiters to respect valid js identifier chars (#1938)

rollup/plugins (@rollup/plugin-typescript)

v12.3.0

2025-10-23

Features
  • feat: expose latest Program to transformers in watch mode (#​1923)

v12.2.0

2025-10-22

Features
  • feat: process .js when allowJs is enabled (#1920)

upstash/redis-js (@upstash/redis)

v1.38.0

Compare Source

Minor Changes
  • c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a
    result, mixed read/write Promise.all batches may now be split across multiple
    pipeline HTTP requests instead of a single request, and read-after-write
    ordering may no longer be preserved within those mixed batches.

v1.37.0

Compare Source

Minor Changes
Patch Changes

v1.36.4

Compare Source

What's Changed

New Contributors

Full Changelog: upstash/redis-js@v1.36.3...v1.36.4

v1.36.3

Compare Source

What's Changed

Full Changelog: upstash/redis-js@v1.36.2...v1.36.3

v1.36.2

Compare Source

What's Changed

Full Changelog: upstash/redis-js@v1.36.1...v1.36.2

v1.36.1

Compare Source

What's Changed

Full Changelog: upstash/redis-js@v1.36.0...v1.36.1

v1.36.0

Compare Source

What's Changed

Full Changelog: upstash/redis-js@v1.35.8...v1.36.0

v1.35.8

Compare Source

What's Changed

Full Changelog: upstash/redis-js@v1.35.7...v1.35.8

v1.35.7

Compare Source

What's Changed

New Contributors

Full Changelog: upstash/redis-js@v1.35.6...v1.35.7

postcss/autoprefixer (autoprefixer)

v10.5.2

Compare Source

  • Moved -webkit-fill-available before -moz-available, so Firefox
    will use -webkit- version which is closer to stretch.

v10.5.1

Compare Source

v10.5.0

Compare Source

  • Added mask-position-x and mask-position-y support (by @​toporek).

v10.4.27

Compare Source

  • Removed development key from package.json.

v10.4.26

Compare Source

  • Reduced package size.

v10.4.25

Compare Source

  • Fixed broken gradients on CSS Custom Properties (by @​serger777).

v10.4.24

Compare Source

  • Made Autoprefixer a little faster (by @​Cherry).

v10.4.23

Compare Source

v10.4.22

Compare Source

  • Fixed stretch prefixes on new Can I Use database.
  • Updated fraction.js.

Stuk/jszip (jszip)

v3.10.1

Compare Source

  • Add sponsorship files.
    • If you appreciate the time spent maintaining JSZip then I would really appreciate your sponsorship.
  • Consolidate metadata types and expose OnUpdateCallback #​851 and #​852
  • use const instead var in example from README.markdown #​828
  • Switch manual download link to HTTPS #​839

Internals:

v3.10.0

Compare Source

  • Change setimmediate dependency to more efficient one. Fixes #​617 (see #​829)
  • Update types of currentFile metadata to include null (see #​826)

v3.9.1

Compare Source

  • Fix recursive definition of InputFileFormat introduced in 3.9.0.

v3.9.0

Compare Source

  • Update types JSZip#loadAsync to accept a promise for data, and remove arguments from new JSZip() (see #​752)
  • Update types for compressionOptions to JSZipFileOptions and JSZipGeneratorOptions (see #​722)
  • Add types for generateInternalStream (see #​774)

v3.8.0

Compare Source

  • Sanitize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1

Compare Source

  • Fix build of dist files.
    • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

v3.7.0

Compare Source

  • Fix: Use a null prototype object for this.files (see #​766)
    • This change might break existing code if it uses prototype methods on the .files property of a zip object, for example zip.files.toString(). This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.

postcss/postcss (postcss)

v8.5.16

Compare Source

v8.5.15

Compare Source

  • Fixed declaration parsing performance (by @​homanp).

v8.5.14

Compare Source

v8.5.13

Compare Source

  • Fixed postcss-scss comment regression.

v8.5.12

Compare Source

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

v8.5.11

Compare Source

  • Fixed nested brackets parsing performance (by @​offset).

v8.5.10

Compare Source

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

  • Speed up source map encoding parsing in case of the error.

v8.5.8

Compare Source

  • Fixed Processor#version.

v8.5.7

Compare Source

  • Improved source map annotation cleaning performance (by CodeAnt AI).

npm/node-semver (semver)

v7.8.5

Compare Source

Bug Fixes

v7.8.4

Compare Source

Bug Fixes

v7.8.3

Compare Source

Bug Fixes
Chores

v7.8.2

Compare Source

Bug Fixes

v7.8.1

Compare Source

Bug Fixes

v7.8.0

Compare Source

Features
Bug Fixes
Documentation
Chores

v7.7.4

Compare Source

Bug Fixes
Documentation
Dependencies
Chores

tailwindlabs/tailwindcss (tailwindcss)

v3.4.19

Compare Source

Fixed
  • Don’t break sibling-*() functions when used inside calc(…) (#​19335)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.

renovate Bot requested a review from a team as a code owner October 17, 2025 02:41

socket-security Bot commented Oct 17, 2025
Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action: Block
Severity: Low
Alert: Potential code anomaly (AI signal): npm tailwindcss is 65.0% likely to have a medium risk anomaly

Notes: The code appears to be a legitimate PostCSS/Tailwind nesting integration that handles Tailwind-like at-rules and converts them to standard CSS constructs for downstream processing. The dynamic plugin loading and private API usage are the primary non-ideal aspects but are documented and controlled within the plugin design. Overall, the security risk is moderate due to potential arbitrary code execution from dynamic requires if misused, but there is no evidence of data exfiltration or malicious payloads in this fragment.

Confidence: 0.65

Severity: 0.54

From: packages/ui/package.json → npm/tailwindcss@3.4.19

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tailwindcss@3.4.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Block
Severity: Low
Alert: Potential code anomaly (AI signal): npm tailwindcss is 68.0% likely to have a medium risk anomaly

Notes: The code is a targeted, low-risk utility for locating a config file referenced by a PostCSS @config at-rule. It enforces single usage, requires a quoted path, resolves relative to the source file, and ensures the file exists before returning the path or null. No malicious behavior or external data leakage is evident in this fragment, though error messages could be toned for production usage.

Confidence: 0.68

Severity: 0.50

From: packages/ui/package.json → npm/tailwindcss@3.4.19


coderabbitai Bot commented Oct 17, 2025
Contributor

Walkthrough

Package.json devDependencies updated: @types/node from ^20.19.21 to ^20.19.22 and rollup from ^4.52.4 to ^4.52.5. These are patch version updates with no runtime behavior changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| DevDependency version updates: packages/ui/package.json | @types/node: ^20.19.21 → ^20.19.22; rollup: ^4.52.4 → ^4.52.5 |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • ericglau
  • collins-w

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title "Update ui deps sync" is directly related to the changeset, which updates dependencies in the packages/ui/package.json file (@types/node and rollup versions). The title accurately indicates the primary change involves updating UI package dependencies, and a teammate scanning the commit history would understand this is about dependency updates for the UI package. While the term "sync" is somewhat informal and could be more explicit about which dependencies are affected, the title is sufficiently clear and specific to describe the main change. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
| Description check | ✅ Passed | The description is related to dependency updates in the UI package, even though it lists more packages than were changed. |

renovate Bot changed the title from "Update dependency @types/node to ^20.19.22" to "Update ui deps sync" Oct 18, 2025
renovate Bot force-pushed the renovate/ui-deps-sync branch 6 times, most recently from 48f60b5 to 3a00523 October 24, 2025 14:45
renovate Bot force-pushed the renovate/ui-deps-sync branch 8 times, most recently from 8c719e6 to e42c08d November 3, 2025 20:14
renovate Bot force-pushed the renovate/ui-deps-sync branch 12 times, most recently from c81f512 to 2acb5f1 November 12, 2025 04:13
renovate Bot force-pushed the renovate/ui-deps-sync branch 11 times, most recently from fe2dd45 to 0fd8ede December 15, 2025 13:19
renovate Bot force-pushed the renovate/ui-deps-sync branch 2 times, most recently from 684b39e to 04ee6c9 December 20, 2025 13:58
renovate Bot force-pushed the renovate/ui-deps-sync branch 2 times, most recently from 2992cb2 to 83401de December 31, 2025 14:05
renovate Bot force-pushed the renovate/ui-deps-sync branch 6 times, most recently from c61a046 to 482fee9 January 10, 2026 11:30
renovate Bot force-pushed the renovate/ui-deps-sync branch 7 times, most recently from c613545 to f5e265c January 19, 2026 11:00
socket-security Bot commented Jun 11, 2026