chore: follow-up transitive dep refresh in mastra and nextjs e2e scenarios#2068
Merged
Conversation
Adds a per-scenario \`pnpm.overrides\` block covering the transitive deps flagged by Dependabot (\`hono\`, \`fast-uri\`, \`ip-address\`, \`ws\`, \`uuid\`, \`qs\`). Uses ranged overrides so only the vulnerable subrange is bumped, and refreshes the lockfile incrementally so unrelated transitives (zod, etc.) keep their existing pins and the recorded cassettes stay valid. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rrides Adds a per-scenario \`pnpm.overrides\` block bumping the protobufjs and @protobufjs/utf8 transitives (pulled in via @vercel/otel's @opentelemetry/otlp-transformer chain). Incremental refresh preserves unrelated pins so the structural span-tree snapshots stay stable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirrors the postcss override already applied to the sibling next-16 directory. Bumps postcss to ^8.5.10 (patched). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stephen Belanger (Qard)
requested review from
Abhijeet Prasad (AbhiPrasad) and
Luca Forstner (lforst)
and removed request for
Abhijeet Prasad (AbhiPrasad)
Stephen Belanger (Qard)
added
the
dependencies
Luca Forstner (lforst)
approved these changes
May 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #2053. Three more e2e scenarios pick up the same per-scenario
pnpm.overridespattern:mastra-instrumentation— new scenario added after chore: refresh transitive deps via tightened pnpm overrides #2053 merged, didn't have overrides yet. Bumpshono,fast-uri,ip-address,ws,uuid,qstransitives.nextjs-instrumentation— skipped in chore: refresh transitive deps via tightened pnpm overrides #2053 under the next-14 scope decision; now picks up the protobufjs/@protobufjs/utf8 transitive bumps (pulled via@vercel/otel's@opentelemetry/otlp-transformerchain). Direct-nextalerts were dismissed separately and stay dismissed.nextjs-auto-instrumentation/versions/next-14— mirrors thepostcssoverride already applied to the siblingnext-16directory.Same conventions as #2053:
pkg@<patched: ^patched) so only the vulnerable subrange is bumped.rm node_modules && pnpm install --ignore-workspace) — preserves unrelated transitive pins so cassettes / structural snapshots stay valid.Three commits, one per scenario. Build passes locally (
pnpm run build— 9/9 turbo tasks).Commits
chore: refresh mastra-instrumentation lockfile and add pnpm overrideschore: refresh nextjs-instrumentation lockfile and add protobufjs overrideschore: add postcss override to next-14 auto-instrumentation scenarioTest plan
pnpm run buildpasses (turbo, 9/9 successful)pnpm install --frozen-lockfile --ignore-workspacepasses in each touched scenario🤖 Generated with Claude Code