Bump @rollup/rollup-linux-x64-gnu from 4.60.1 to 4.60.2 in the npm-production group #30
Bumps the npm-production group with 1 update: [@rollup/rollup-linux-x64-gnu](https://github.com/rollup/rollup).

Updates `@rollup/rollup-linux-x64-gnu` from 4.60.1 to 4.60.2
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.60.1...v4.60.2)

---
updated-dependencies:
- dependency-name: "@rollup/rollup-linux-x64-gnu"
  dependency-version: 4.60.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
...

Signed-off-by: dependabot[bot] <support@github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit b410ad3.
| "@actions/core": "^3.0.0", | ||
| "@actions/exec": "^3.0.0" | ||
| "@actions/exec": "^3.0.0", | ||
| "@rollup/rollup-linux-x64-gnu": "4.60.2" |
Optional dependency incorrectly added to production dependencies in lockfile
Medium Severity
@rollup/rollup-linux-x64-gnu is incorrectly listed in the lockfile's root dependencies (pinned at 4.60.2) in addition to optionalDependencies (^4.60.2). The package.json only declares it in optionalDependencies. This is a known npm lockfile bug (npm/cli#7530) where updating an optional dependency causes it to leak into the production dependencies section. This mismatch between package.json and the lockfile could cause unexpected install behavior, particularly with npm ci on non-Linux-x64 platforms using older npm versions.
1 issue found across 2 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="package-lock.json">
<violation number="1" location="package-lock.json:15">
P2: `@rollup/rollup-linux-x64-gnu` has leaked into the lockfile's root `dependencies` section (pinned at `4.60.2`) in addition to being correctly listed in `optionalDependencies`. The `package.json` only declares it as optional. This is a known npm lockfile bug ([npm/cli#7530](https://github.com/npm/cli/issues/7530)) triggered when updating optional dependencies. On non-Linux-x64 platforms, `npm ci` may fail because it sees the package as a required production dependency that cannot be installed. Run `npm install` again to regenerate a correct lockfile, or manually remove the entry from the `dependencies` block.</violation>
</file>
| "@actions/core": "^3.0.0", | ||
| "@actions/exec": "^3.0.0" | ||
| "@actions/exec": "^3.0.0", | ||
| "@rollup/rollup-linux-x64-gnu": "4.60.2" |
P2: @rollup/rollup-linux-x64-gnu has leaked into the lockfile's root dependencies section (pinned at 4.60.2) in addition to being correctly listed in optionalDependencies. The package.json only declares it as optional. This is a known npm lockfile bug (npm/cli#7530) triggered when updating optional dependencies. On non-Linux-x64 platforms, npm ci may fail because it sees the package as a required production dependency that cannot be installed. Run npm install again to regenerate a correct lockfile, or manually remove the entry from the dependencies block.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At package-lock.json, line 15:
<comment>`@rollup/rollup-linux-x64-gnu` has leaked into the lockfile's root `dependencies` section (pinned at `4.60.2`) in addition to being correctly listed in `optionalDependencies`. The `package.json` only declares it as optional. This is a known npm lockfile bug ([npm/cli#7530](https://github.com/npm/cli/issues/7530)) triggered when updating optional dependencies. On non-Linux-x64 platforms, `npm ci` may fail because it sees the package as a required production dependency that cannot be installed. Run `npm install` again to regenerate a correct lockfile, or manually remove the entry from the `dependencies` block.</comment>
<file context>
@@ -11,7 +11,8 @@
"@actions/core": "^3.0.0",
- "@actions/exec": "^3.0.0"
+ "@actions/exec": "^3.0.0",
+ "@rollup/rollup-linux-x64-gnu": "4.60.2"
},
"devDependencies": {
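Review bot: the added line `+ "@rollup/rollup-linux-x64-gnu": "4.60.2"` turns a platform-specific native package into a required production dependency in the lockfile root, while package.json (as the comments above state) declares it only under optionalDependencies; on a host whose os/cpu does not match, `npm ci` then has a required package it cannot install instead of an optional one it may skip. The bare `4.60.2` pin is itself a tell, since the other entries in this block mirror the caret ranges from package.json. Drop the added line so the block ends with `"@actions/exec": "^3.0.0"` (no trailing comma), keep the `^4.60.2` entry under `optionalDependencies` as the only reference, and regenerate the lockfile with `npm install` rather than hand-editing further.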
</file context>
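As an added example that is not part of this PR, the rollup project, or either review bot's output: a small Node.js script that performs the check the comments above describe, comparing the lockfile root block against package.json, reporting any package that is optional in package.json but required in the lockfile, working out which hosts `npm ci` would fail on from the package's os/cpu constraints, and producing the corrected root block. The package.json and package-lock.json objects are constructed inline to mirror the excerpt in this PR (lockfile v3 layout, root package under `packages[""]`), not copied from the repository; the `os`/`cpu` fields on the native package entry are an assumption about how such platform-specific packages are declared.

```javascript
// Added example, not code from this PR, the rollup project, or either review
// bot: detect an optional dependency that has leaked into the lockfile's root
// `dependencies` block, and produce the corrected root block.
// Lockfile v3 layout is assumed: `packages[""]` is the root package and every
// installed package lives under `packages["node_modules/<name>"]`.

// Constructed inputs mirroring the excerpt in this PR (not copied from the repo).
const packageJson = {
  name: 'example-action',
  dependencies: {
    '@actions/core': '^3.0.0',
    '@actions/exec': '^3.0.0',
  },
  optionalDependencies: {
    '@rollup/rollup-linux-x64-gnu': '^4.60.2',
  },
};

const packageLock = {
  name: 'example-action',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-action',
      dependencies: {
        '@actions/core': '^3.0.0',
        '@actions/exec': '^3.0.0',
        '@rollup/rollup-linux-x64-gnu': '4.60.2', // the leaked, exact-pinned entry
      },
      optionalDependencies: {
        '@rollup/rollup-linux-x64-gnu': '^4.60.2',
      },
    },
    'node_modules/@actions/core': { version: '3.0.0' },
    'node_modules/@actions/exec': { version: '3.0.0' },
    // Assumed shape of a platform-specific native package entry: the os/cpu
    // lists are what make it uninstallable on other hosts.
    'node_modules/@rollup/rollup-linux-x64-gnu': {
      version: '4.60.2',
      cpu: ['x64'],
      os: ['linux'],
      optional: true,
    },
  },
};

// npm-style os/cpu matching: entries like "!win32" exclude, plain entries allow,
// an empty or missing list allows everything.
function platformAllowed(list, value) {
  if (!Array.isArray(list) || list.length === 0) return true;
  const excluded = list.filter((v) => v.startsWith('!')).map((v) => v.slice(1));
  const allowed = list.filter((v) => !v.startsWith('!'));
  if (excluded.includes(value)) return false;
  return allowed.length === 0 || allowed.includes(value);
}

// Report every package that the lockfile root lists as a production dependency
// while package.json declares it only under optionalDependencies.
function findLeakedOptionalDeps(pkg, lock) {
  const root = (lock.packages && lock.packages['']) || {};
  const pkgDeps = pkg.dependencies || {};
  const pkgOptional = pkg.optionalDependencies || {};
  const findings = [];
  for (const [name, lockRange] of Object.entries(root.dependencies || {})) {
    if (name in pkgDeps || !(name in pkgOptional)) continue;
    const entry = (lock.packages && lock.packages[`node_modules/${name}`]) || {};
    findings.push({
      name,
      lockRange,                        // what the lockfile root says
      declaredRange: pkgOptional[name], // what package.json says
      os: entry.os || null,
      cpu: entry.cpu || null,
      platformRestricted: Boolean(entry.os || entry.cpu),
    });
  }
  return findings;
}

// Would `npm ci` on the given host meet a required dependency it cannot install?
function breaksInstallOn(finding, os, cpu) {
  return !platformAllowed(finding.os, os) || !platformAllowed(finding.cpu, cpu);
}

// The manual remediation: drop leaked names from the root `dependencies` block,
// leaving the optionalDependencies entry as the only reference. Returns a copy.
function removeLeakedEntries(pkg, lock) {
  const fixed = JSON.parse(JSON.stringify(lock));
  const rootDeps = fixed.packages[''].dependencies;
  for (const { name } of findLeakedOptionalDeps(pkg, lock)) delete rootDeps[name];
  return fixed;
}

// Stand-alone run: print the report the way a CI check would.
for (const f of findLeakedOptionalDeps(packageJson, packageLock)) {
  const hosts = [['linux', 'x64'], ['darwin', 'arm64'], ['win32', 'x64']]
    .filter(([o, c]) => breaksInstallOn(f, o, c))
    .map(([o, c]) => `${o}/${c}`);
  console.log(`${f.name}: lockfile root dependencies has ${f.lockRange}, package.json ` +
    `only optionalDependencies ${f.declaredRange}; npm ci would fail on ${hosts.join(', ')}`);
}
```

To run this against a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; the check is deliberately limited to the root block, which is the only place this particular leak appears.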
Looks like @rollup/rollup-linux-x64-gnu is updatable in another way, so this is no longer needed.


Bumps the npm-production group with 1 update: @rollup/rollup-linux-x64-gnu.

Updates `@rollup/rollup-linux-x64-gnu` from 4.60.1 to 4.60.2

Release notes: sourced from @rollup/rollup-linux-x64-gnu's releases.

Changelog: sourced from @rollup/rollup-linux-x64-gnu's changelog.

Commits:
- a6be82b 4.60.2
- 5e6fb9f fix: reset variable render names between outputs in the same generate (#6350)
- 7542834 chore: remove cross-env from devDeps (#6358)
- 1fa79d0 chore(deps): update cross-platform-actions/action action to v1 (#6352)
- 819332e chore(deps): update dependency lru-cache to v11 (#6353)
- fd464a9 chore(deps): lock file maintenance (#6356)
- e6d2ff9 chore(deps): lock file maintenance (#6355)
- 32e8517 chore(deps): update minor/patch updates (#6351)
- 1d5bcb4 chore(deps): lock file maintenance (#6354)
- f58d278 fix(deps): update swc monorepo (major) (#6348)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions