Q2 2026 dependency upgrades: axios 1.x, knex 3, jest 30, nock 14 (#469)
Merged
… routine quarterly dependency upgrades
- Transitive (lockfile only): lodash 4.17.23 → 4.18.1, flatted 3.3.3 → 3.4.2, path-to-regexp 8.3.0 → 8.4.2, plus pg's internals (pg-connection-string, pg-pool, pg-protocol)
…^0.31 -> ^1.15.2. Lockfile-only update. Resolves PR ripple#445.

build(deps): bump knex 2.5.1 -> 3.2.9

PR ripple#451. Major version (2 -> 3). Salient changes / call-site impact:
- knex 3 drops Node 16/18 support (we run Node 25, fine)
- Migration timestamp format changed (existing migrations unaffected; only new migrations differ)
- Stricter TypeScript types for QueryBuilder
- Knex.QueryBuilder and knex(config) APIs used by src/shared/database/utils.ts and src/connection-manager/chains.ts are unchanged on the surface; tsc --noEmit passes clean

No code changes required. Pinned (no caret) to match pg's pinning style.

build(deps): bump axios ^0.31.0 -> ^1.15.2

PR ripple#466. Major version (0.x -> 1.x). Salient changes / call-site impact:
- axios 1.x is largely backward compatible at the API surface; the public types AxiosRequestConfig, AxiosInstance, AxiosError and the methods axios.get/post/create/(config) used by this project remain unchanged
- Internal AxiosRequestConfig is split into AxiosRequestConfig (input) vs InternalAxiosRequestConfig (post-merge). Our usage in src/shared/utils/index.ts (line 128) is input-side only and continues to typecheck cleanly
- Default responseType remains 'json' but axios 1 throws on non-JSON bodies when responseType is unset; current callers pass JSON only

No code changes required.
health.test.ts: Do not use async methods inside forEach; forEach does not wait for the async method to complete.

crawler.test.ts: Do not stack nock interceptors; instead use them one after another, coupled with nock.clean().

This commit is aimed at rectifying the flaky tests on the GitHub CI.

fix: Enhance the guardrails around the usage of nocks. If nocks are unused toward the end of the test, report them as an error. This commit also makes judicious use of nocks so that developers gain a better understanding of the crawl behavior.
axios, maxmind dependencies
kuan121
reviewed
Apr 29, 2026
…ated with the set of prompts. These prompts were borrowed/modified from the XRPLF/xrpl.js repository.

routine package updates in package-lock file
…ps install and scrub artifactory URLs

`npm install --legacy-peer-deps` during the batch-deps upgrade pruned ~25 transitives that @xrplf/eslint-config@2 brings in (eslint-plugin-jsx-a11y, eslint-plugin-react, eslint-plugin-react-hooks, aria-query, axe-core, axobject-query, jsx-ast-utils, array.prototype.findlast, es-iterator-helpers, and friends). CI uses strict `npm ci`, which detected the mismatch and refused with "Missing: <pkg>@<ver> from lock file" across all 25 entries, plus version drifts on call-bind (1.0.8→1.0.9) and es-abstract (1.24.1→1.24.2).

Reset the lockfile to HEAD and re-applied the targeted transitive bumps with `npm update follow-redirects bn.js --package-lock-only` (no legacy-peer-deps), which preserves the full transitive tree under strict resolution.

Also rewrote the `resolved` URLs from artifactory.ops.ripple.com to registry.npmjs.org across 27 entries. The artifactory mirror is a transparent proxy of the public registry, so integrity hashes are unchanged and `npm ci` still validates against the public tarballs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
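A lockfile audit of the kind the scrub above calls for, as an added example that is not code from this PR: it flags `resolved` URLs outside the allowed registry host and tarball entries with no `integrity` hash, and rewrites a mirror URL to the public registry without touching the hash. `SAMPLE_LOCK`, the mirror's path layout and the integrity values are constructed for the example; only the mirror host name comes from the PR.

```javascript
// Added example (not code from the PR): audit a package-lock.json (lockfileVersion
// 2 or 3) for `resolved` URLs outside the allowed registry host and for tarball
// entries with no `integrity` hash, then rewrite a mirror URL to the public
// registry without touching the hash. SAMPLE_LOCK is constructed data; only the
// mirror host name comes from the PR, its path layout and the hashes are made up.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);
const MIRROR_PREFIX = 'https://artifactory.ops.ripple.com/artifactory/api/npm/npm/'; // assumed layout
const PUBLIC_PREFIX = 'https://registry.npmjs.org/';

const SAMPLE_LOCK = {
  name: 'sample', lockfileVersion: 3,
  packages: {
    '': { name: 'sample', dependencies: { 'follow-redirects': '^1.16.0' } },
    'node_modules/follow-redirects': { // still resolved via the internal mirror
      version: '1.16.0',
      resolved: `${MIRROR_PREFIX}follow-redirects/-/follow-redirects-1.16.0.tgz`,
      integrity: 'sha512-CONSTRUCTED0',
    },
    'node_modules/bn.js': { // clean entry
      version: '5.2.3',
      resolved: `${PUBLIC_PREFIX}bn.js/-/bn.js-5.2.3.tgz`,
      integrity: 'sha512-CONSTRUCTED1',
    },
    'node_modules/left-pad': { // no integrity field: npm ci cannot verify the tarball
      version: '1.3.0',
      resolved: `${PUBLIC_PREFIX}left-pad/-/left-pad-1.3.0.tgz`,
    },
    'node_modules/local-lib': { resolved: 'packages/local-lib', link: true },
  },
};

// Returns one finding per problem: { path, issue, host? }.
function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === '' || entry.link) continue; // root and workspace links have no tarball
    if (!entry.resolved) { findings.push({ path, issue: 'no-resolved' }); continue; }
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* not an absolute URL */ }
    if (!allowedHosts.has(host)) findings.push({ path, issue: 'unexpected-host', host });
    if (!entry.integrity) findings.push({ path, issue: 'missing-integrity' });
  }
  return findings;
}
// Swap the mirror prefix for the public registry; the tarball, and so its
// integrity hash, is identical because the mirror only proxies the registry.
function rewriteToPublic(resolved) {
  return resolved.startsWith(MIRROR_PREFIX) ? PUBLIC_PREFIX + resolved.slice(MIRROR_PREFIX.length) : resolved;
}
```

Running `auditLockfile` in CI next to `npm ci` catches a leftover internal-mirror URL or a hash-less entry before it is merged, which is the check the lockfile scrub relies on.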
kuan121
reviewed
Apr 30, 2026
Parse each PR to extract package names and versions. Dependabot PRs come in two formats:
- **Single-package PRs**: title is `Bump <pkg> from <old> to <new>` — parse from title
- **Grouped PRs** (e.g. #3266, #3051, #3013): title is `bump <pkg1> and <pkg2>` with no versions — parse from PR body, which contains a structured list of package updates with version ranges
Comment on lines +40 to +45
If any step fails, **attempt to fix the breaking change with code modifications before rolling back**. Common patterns:
- **BigNumber.js major bumps**: v10+ throws on invalid input instead of returning NaN. Wrap `new BigNumber(val)` calls in try-catch where the code previously checked for NaN.
- **ESM-only packages** (e.g., https-proxy-agent): Add transform entries and `transformIgnorePatterns` exclusions in `jest.config.base.js` so Jest can parse ESM imports.
- **Type compatibility** (e.g., @scure/base 2.0 changing Uint8Array generics): Widen variable type annotations (e.g., `let buf: Uint8Array = ...` instead of `let buf = ...`).
- **Hoisting breakage** (e.g., webpack-merge): If a transitive dep's major version is shadowed by a different transitive dep's older version, add the correct version as an explicit dependency.
Are those common patterns applicable to VHS? If not, we can remove them.
kuan121
previously approved these changes
Apr 30, 2026
kuan121
reviewed
May 1, 2026
Match the hyphenated naming convention used by the SKILL `name` field and xrpl.js's equivalent skill folder. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
kuan121
approved these changes
May 1, 2026
cybele-ripple
approved these changes
May 5, 2026
High Level Overview of Change
Quarterly batch dependency upgrade for 2026-Q2 (PR #469). Upgrades direct and transitive dependencies, updates the test toolchain (jest/ts-jest/nock), stabilizes flaky CI tests, and supersedes 28 open Dependabot PRs. No public API or runtime behavior changes.

Context of Change
This branch (upgradeAxiosMaxmind) consolidates this quarter's dependency work into a single PR. It carries seven commits — five direct/transitive upgrades, one test-toolchain bump, and two test-stability fixes that fell out of the toolchain bump:

- ffe6344: axios 0.30.x → 0.31.0 to address GHSA-fvcv-3m26-pcqx (DoS via lack of upload size limit). Security-driven minor bump.
- b90f7c2: @maxmind/geoip2-node 4.2 → 6.3.4. Routine quarterly bump; major v5 dropped CommonJS-only entry, v6 tightened types — call site at src/crawler/locate.ts continues to typecheck cleanly.
- d270dbd: pg 8.16.3 → 8.20.0, ws ^8.13 → ^8.20. Transitive (lockfile-only): lodash 4.17.23 → 4.18.1, flatted 3.3.3 → 3.4.2, path-to-regexp 8.3.0 → 8.4.2, plus pg's internals (pg-connection-string, pg-pool, pg-protocol).
- 0be11e0: knex 2.5.1 → 3.2.9 (major), axios ^0.31 → ^1.15.2 (major). Transitive: picomatch. Resolves PRs #445, #451, #466. Major-version notes: knex@3 drops Node 16/18 (we run 25); QueryBuilder types tightened — src/shared/database/utils.ts and src/connection-manager/chains.ts continue to typecheck. axios@1 AxiosRequestConfig split is input-side only at our call site (src/shared/utils/index.ts:128).
- 5a9a89e: jest 26 → 30, ts-jest 26.5 → 29.4.9. Major bumps both. No test source changes required at this commit; the two flaky-test fixes that follow surfaced under the new runner.
- de7512a: health.test.ts had forEach invoking async assertions — forEach does not await, so failures could be swallowed. Replaced with a sequential loop. crawler.test.ts was stacking nock interceptors instead of clearing between cases — switched to one-at-a-time nock(...).clean() flow. Files touched: test/api/health.test.ts (-13/+0 net 0), test/crawler/crawler.test.ts (+39/-28).
- 39af2d4: nock 13.5 → 14.0.13. Adds CI guardrail: any nock interceptor left unconsumed at the end of a test now fails the test (previously a silent pass). Test files updated to use nocks judiciously, which doubles as documentation of the crawler's actual HTTP behavior.

The lockfile carries one extra change in this PR on top of the seven commits above: an in-place scrub of a stale artifactory.ops.ripple.com resolved URL on the follow-redirects entry, replaced with the public registry.npmjs.org URL. Integrity hash unchanged (same tarball); no version movement.

The eslint-family PRs (@xrplf/eslint-config@3, eslint@10, @eslint/js@10, globals@17, eslint-plugin-* family) are deferred per the documented yearly preset cadence — @xrplf/eslint-config@^2 caps the eslint plugin versions, so those upgrades should be batched together with the next preset bump.

The TypeScript-blocked PRs (typescript@6, typescript-eslint@8.58, @types/node@25, @types/jest@30) are deferred until a coordinated TypeScript major-version migration. See .claude/skills/batch-deps.upgrade/code-changes.md for what was investigated and why each was rolled back.

Type of Change
Before / After

package.json:
- axios: ^0.30.x → ^1.15.2
- knex: 2.5.1 → 3.2.9
- pg: 8.16.3 → 8.20.0
- ws: ^8.13.0 → ^8.20.0
- @maxmind/geoip2-node: ^4.2 → ^6.3.4
- jest: ^26 → ^30.3.0
- ts-jest: ^26.5 → ^29.4.9
- nock: ^13.5 → 14.0.13

package-lock.json reflects the above plus the transitive bumps listed in commit d270dbd and the follow-redirects 1.15.11 → 1.16.0 / bn.js 5.2.2 → 5.2.3 / 4.12.2 → 4.12.3 lockfile-only updates from the final scrub. The artifactory resolved URL on follow-redirects is also replaced with the public registry URL.

Source: no changes.

Tests: test/api/health.test.ts and test/crawler/crawler.test.ts updated for nock v14's stricter unconsumed-interceptor enforcement and to remove a forEach/async footgun.

Test Plan
- npm run build — passes
- npm run lint:ci — passes
- npm test — 45 of 45 tests pass under jest@30 / ts-jest@29 / nock@14 with the new unconsumed-interceptor guardrail
- crawler.test.ts and health.test.ts 20× locally — no flakes after de7512a

Superseded Dependabot PRs
- … d270dbd)
- … ^1.15.2 via 0be11e0)
- … no-unnecessary-type-assertion rule conflicts with knex any casting; produces 9 lint errors with no clean autofix)
- … @xrplf/eslint-config@^2 per yearly preset cadence)
- … 0be11e0)
- … jest@^30.3.0 already on branch via 5a9a89e (Resolved); @types/jest@30 Skipped (incompatible with typescript@4.9 — pulls jest-mock@30's Disposable from esnext.disposable lib)
- … @xrplf/eslint-config@^2 requires eslint@^9)
- … d270dbd)
- … Symbol.dispose; pinned typescript@4.9 is incompatible)
- … 5a9a89e)
- … 0be11e0 lands at 3.2.9)
- … d270dbd)
- … 39af2d4 lands at 14.0.13)
- … no-unsafe-* lint errors and required tsconfig overhauls; defer until a coordinated TypeScript migration)
- … d270dbd)
- … 0be11e0)
- … d270dbd)
- … b90f7c2)
- … 5a9a89e jest+ts-jest commit)

Closing instructions
After merging, close the following superseded PRs (Skipped ones remain open for future handling): #467, #466, #462, #461 (only the jest half — the @types/jest half is Skipped; close once the grouped PR can be split, otherwise leave open), #458, #455, #451, #450, #449, #446, #445, #443, #468, #436, #405, #247.

The following PRs were Skipped and should remain open so Dependabot keeps them rebased:
- … @xrplf/eslint-config preset bump