Skip to content

chore: apply non-breaking dependency updates from open dependabot PRs#9954

Merged
asheshv merged 3 commits into
masterfrom
chore/deps-2026-05
May 20, 2026
Merged

chore: apply non-breaking dependency updates from open dependabot PRs#9954
asheshv merged 3 commits into
masterfrom
chore/deps-2026-05

Conversation

@asheshv
Copy link
Copy Markdown
Contributor

@asheshv asheshv commented May 20, 2026
edited by coderabbitai Bot
Loading

Summary

Applies non-breaking dependency updates surfaced by open dependabot PRs (pgadmin-org/pgadmin4). Major-version bumps are deferred.

Python

JavaScript (web/package.json, web/yarn.lock)

Electron runtime (runtime/package.json, runtime/yarn.lock)

Skipped (major-version, deferred to a future minor)

Test plan

  • yarn run test:js-once → 140 / 0 / 0 suites, 824 / 0 / 0 tests
  • yarn run linter in /web → clean (silent)
  • yarn run linter in /runtime → clean (silent)
  • pycodestyle project-wide → 0 violations
  • Each new version cross-checked against the corresponding dependabot PR diff via gh pr diff
  • Each Python bump cross-checked against PyPI requires_python to preserve Python 3.9 support

Summary by CodeRabbit

  • Chores
    • Updated several dependency versions across the project: google-auth-oauthlib (Python-version specific pins), eslint, axios, requests (and requests[security]), @tanstack/react-query, ip-address, postcss, selenium, and bumped the web package manager version.

Review Change Stack

asheshv added 2 commits May 20, 2026 13:12
@asheshv
chore: Apply non-breaking dependency updates from open dependabot PRs
479eb8b 
Python:
- requirements.txt: google-auth-oauthlib 1.3.1 -> 1.4.0 (#9929/#9931)
- tools/requirements.txt: requests >=2.33.1 -> >=2.34.2 on
  python_version > '3.9' (#9943/#9944)
- web/regression/requirements.txt: selenium 4.43.0 -> 4.44.0 (#9946)

JavaScript (web/package.json, web/yarn.lock):
- postcss 8.5.12 -> 8.5.14 (#9874/#9889)
- @tanstack/react-query 5.100.5 -> 5.100.9 (#9878)
- ip-address 10.1.0 -> 10.1.1 (#9918)

Electron runtime (runtime/package.json, runtime/yarn.lock):
- axios 1.16.0 -> 1.16.1 (#9948)
- eslint 10.3.0 -> 10.4.0 (#9947)

Skipped (genuine breaking changes, deferred to a future minor):
- @mui/material 7 -> 9 (#9843)
- @mui/x-date-pickers 8 -> 9 (#9888)
- cryptography 47.0.* -> 48.0.* (#9926/#9932)
- paramiko 3.5.1 -> 5.0.0 (#9927/#9930)
- electron 41.5.0 -> 42.1.0 (#9945)

Transitive-only dependabot PRs not surfaced as direct edits (svelte,
devalue, fast-uri, @babel/plugin-transform-modules-systemjs) were
naturally re-resolved during yarn install where they fell within the
existing semver ranges.

Verified in an isolated worktree:

  - jest:        140/0/0 suites, 824/0/0 tests
  - eslint:      clean (web + runtime, both silent)
  - pycodestyle: 0 violations project-wide

axios 1.16.1 is a patch release (proxy/CORS fixes); selenium 4.44.0
is a minor patch within the 4.x line; eslint 10.4.0 is a non-breaking
minor (only adds @eslint/config-helpers 0.6.0 transitively).
google-auth-oauthlib 1.4.0 and requests 2.34.2 are non-breaking
upstream minor/patch releases.
@asheshv
fix(deps): pin google-auth-oauthlib to 1.3.1 on Python 3.9
89f55a8 
google-auth-oauthlib 1.4.0 requires Python >=3.10, which breaks
installs on Python 3.9. Add a python_version gate so 3.9 stays on
1.3.1 (the last release supporting 3.9) while newer interpreters
track 1.4.x.

This mirrors the existing boto3 1.42.*/1.43.* split.
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 20, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cf5b8f9a-927e-4994-9ddf-10224dea0c8f

📥 Commits

Reviewing files that changed from the base of the PR and between 89f55a8 and e21828a.

⛔ Files ignored due to path filters (1)
  • web/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • web/package.json

Walkthrough

This PR updates dependency versions across five manifest files: Python manifests gain version-conditional pins and request bumps; runtime and web JavaScript manifests receive minor package bumps and a packageManager update; web regression Selenium is also bumped.

Changes

Dependency Version Updates

Layer / File(s) Summary
Backend Python dependencies
requirements.txt, tools/requirements.txt		 google-auth-oauthlib transitions to Python-version-conditional pins (1.3.1 for Python ≤3.9, 1.4.0 for >3.9); requests and requests[security] are bumped to >=2.34.2 for Python >3.9 while keeping >=2.32.5,<2.33 for ≤3.9.
Frontend and runtime JavaScript dependencies
runtime/package.json, web/package.json		 eslint bumped to ^10.4.0 and axios to ^1.16.1 in runtime; frontend packages updated: @tanstack/react-query ^5.100.9, ip-address ^10.1.1, postcss ^8.5.14; packageManager bumped to yarn@4.15.0.
Testing dependencies
web/regression/requirements.txt		 Selenium regression test driver bumped to 4.44.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: applying non-breaking dependency updates from dependabot PRs across multiple package managers and files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/deps-2026-05

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@asheshv
chore(deps): bump yarn packageManager pin to 4.15.0
e21828a 
CI runs yarn 4.15.0 with hardened mode on public PRs, which refuses
to migrate the lockfile metadata version from 9 (yarn 4.14.x) to 10
(yarn 4.15.x). Master passes today because hardened mode is PR-only,
but every new PR with a lockfile change trips YN0028:

  -  version: 9
  +  version: 10
  The lockfile would have been modified by this install, which is
  explicitly forbidden.

Bump the packageManager pin in web/package.json from yarn@4.14.0 to
yarn@4.15.0 and regenerate web/yarn.lock so its __metadata.version
is 10 — matching what CI's yarn would produce.

jest still passes (140/824).
@asheshv asheshv merged commit aad2dfd into master May 20, 2026
50 checks passed
@asheshv asheshv deleted the chore/deps-2026-05 branch May 20, 2026 09:23
This was referenced May 20, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Merged
asheshv added a commit that referenced this pull request May 20, 2026
@asheshv
chore(deps): bump transitive lockfile resolutions surfaced by dependa…
3b801fc 
…bot (#9955)

Pure lockfile-only updates — no package.json changes. Dependabot
surfaced these as separate PRs because they sit below pgAdmin's
direct deps in the resolution tree, so the manifest-level bumps
applied in #9954 did not pull them along.

web/yarn.lock:
- @babel/plugin-transform-modules-systemjs 7.29.0 -> 7.29.4 (#9923)
- devalue                                  5.7.0  -> 5.8.1  (#9937)
- fast-uri                                 3.1.0  -> 3.1.2  (#9922)
- svelte                                   5.55.1 -> 5.55.8 (#9938)
  (5.55.8 supersedes the 5.55.7 dependabot was tracking when the PR
   opened; both are within the same ^5.0.0 range.)

runtime/yarn.lock:
- fast-uri                                 3.1.0  -> 3.1.2  (#9924)

All resolutions stay within their existing semver ranges declared by
the parent packages — no manifest constraints touched. Refreshed via
`yarn up -R <pkg>` in each workspace.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@asheshv