Follow-up to the dependency-alert reduction work (PRs #154–#157). The safe, in-range fixes are done; what remains are advisories whose only fix is a breaking major upgrade, so they need per-service build + test verification rather than an automated bump. Capturing them here.
Infra services (npm)
axios 0.x → 1.x (breaking)
- infra/uhrp-server-basic — axios ^0.21.1 (locked 0.21.4)
- infra/uhrp-server-cloud-bucket/notifier — axios ^0.24.0 (locked 0.24.0)
Both pin axios 0.x; the advisories are fixed only in 1.x. The 1.x migration changes error/response shapes and header handling — bump, fix call sites, verify build + smoke test. (infra/message-box-server is already on axios 1.13.x.)
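As an added illustration of the call-site fix-up this bump implies (not code from this repo or from axios itself), the helper below duck-types the two error and header shapes so a service can be migrated without a hard dependency on either version; the sample error objects are constructed to mimic the shapes, not captured from a real request.

```javascript
// Added example: compatibility helpers for moving call sites from axios 0.x to 1.x.
// No axios import; error and header shapes are duck-typed so this runs offline.

// 0.x rejects with a plain Error flagged isAxiosError and usually without `code`
// (status and network errors alike); 1.x rejects with an AxiosError that always
// carries a `code`, e.g. ERR_BAD_REQUEST / ERR_BAD_RESPONSE for HTTP status errors,
// ERR_NETWORK for transport failures, ECONNABORTED (or ETIMEDOUT) for timeouts.
function classifyHttpError(err) {
  if (!err || err.isAxiosError !== true) return { kind: 'unknown', status: null, code: null };
  const status = err.response ? err.response.status : null;
  if (status !== null) {
    return { kind: status >= 500 ? 'server' : 'client', status, code: err.code || null };
  }
  if (err.code === 'ECONNABORTED' || err.code === 'ETIMEDOUT') {
    return { kind: 'timeout', status: null, code: err.code };
  }
  return { kind: 'network', status: null, code: err.code || null };
}

// 1.x wraps response.headers in an AxiosHeaders object (case-insensitive .get());
// 0.x hands back a plain object with lower-cased keys. Read through either shape.
function getHeader(headers, name) {
  if (!headers) return undefined;
  if (typeof headers.get === 'function') {
    const v = headers.get(name);
    return v == null ? undefined : String(v);
  }
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// Constructed samples mimicking the two versions' rejection shapes.
const legacy503 = Object.assign(new Error('Request failed with status code 503'), {
  isAxiosError: true,
  response: { status: 503, headers: { 'retry-after': '30' } },
});
const modern503 = Object.assign(new Error('Request failed with status code 503'), {
  isAxiosError: true,
  code: 'ERR_BAD_RESPONSE',
  response: { status: 503, headers: { get: (n) => (n.toLowerCase() === 'retry-after' ? '30' : undefined) } },
});
const modernNetwork = Object.assign(new Error('Network Error'), { isAxiosError: true, code: 'ERR_NETWORK' });

// Same classification regardless of which axios major produced the error.
console.log(classifyHttpError(legacy503), classifyHttpError(modern503), classifyHttpError(modernNetwork));
console.log(getHeader(legacy503.response.headers, 'Retry-After'), getHeader(modern503.response.headers, 'Retry-After'));
```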
firebase-admin / @google-cloud chain (breaking)
infra/message-box-server, infra/uhrp-server-cloud-bucket, .../notifier
Advisories in @google-cloud/storage, gaxios, google-gax, teeny-request, retry-request are transitive under firebase-admin / @google-cloud/*. Needs a firebase-admin (and/or @google-cloud/storage) major bump; verify Firestore/Storage usage still works.
wab native/build tooling
infra/wab — tar, node-gyp, sqlite3, cacache, make-fetch-happen, http-proxy-agent, @tootallnate/once
Mostly native-build/dev tooling under sqlite3 / node-gyp. Bump sqlite3 (and node-gyp) and let the chain follow.
Workspace (pnpm-lock.yaml, via pnpm.overrides)
- @libp2p/kad-dht 15 → 16 (runtime, high) — packages/network/ts-p2p pins ^15.1.10; fix is 16.2.6 (major). Needs a libp2p compatibility check.
- ajv 5 → 6 (dev, medium) — transitive ajv@5.5.2; fix needs the 5→6 major.
- uuid 8 → 11 (runtime, medium) — transitive uuid@8.3.2; fix is the 8→11 major.
Context
The safe phases (stale-lockfile removal, protobufjs/jsonpath-plus criticals, infra non-breaking audit-fix, pnpm in-range overrides, dependabot.yml infra coverage) are in PRs #154–#157 plus the Phase 3/4 PRs. These remaining items are deferred here because they carry real breaking-change risk.