Skip to content

chore(deps): consolidate dependabot updates#192

Draft
pcarleton wants to merge 2 commits intomainfrom
paulc/dependabot-rollup
Draft

chore(deps): consolidate dependabot updates#192
pcarleton wants to merge 2 commits intomainfrom
paulc/dependabot-rollup

Conversation

@pcarleton
Copy link
Member

@pcarleton pcarleton commented Mar 23, 2026

Consolidates all 15 open dependabot PRs into one.

Supersedes

Changes

Dependencies

  • zod 3→4 (major) — required code changes, see below
  • @types/node 22→25 (major)
  • @modelcontextprotocol/sdk → 1.27.1
  • tsdown 0.15→0.21 — required build flag change, see below
  • prettier, typescript-eslint, lefthook, @typescript/native-preview → latest
  • eslint kept at v9 (typescript-eslint peer dep doesn't support v10 yet)
  • Regenerated both lockfiles → picks up all transitive CVE fixes (hono, rollup, ajv, qs, flatted, minimatch, express-rate-limit, @hono/node-server, undici)

Code changes (zod v4 migration)

  • ZodError.errorsZodError.issues in src/index.ts
  • .refine() second-arg signature updated in src/schemas.ts
  • everything-server: replaced zod-to-json-schema (broken with zod v4) with the SDK's toJsonSchemaCompat helper which handles v3/v4/v4-mini

Build fix (tsdown 0.21)

  • Added --no-fixed-extension to build script — tsdown 0.21 defaults to .mjs output for type: module packages, but our bin/action.yml/tier-check all reference dist/index.js

GitHub Actions

  • actions/setup-node@v4@v6 in action.yml

Verification

  • ✅ typecheck (tsgo)
  • ✅ eslint
  • ✅ prettier
  • ✅ 86/86 tests passing
  • ✅ build produces working dist/index.js
  • ✅ 0 npm audit vulnerabilities (both root and examples)

@pcarleton
chore(deps): consolidate dependabot updates
4e9cb39 
Bumps all pending dependency updates into one commit:

Root package:
- zod 3.25.76 → 4.3.6 (major)
- @types/node 22 → 25 (major)
- @modelcontextprotocol/sdk 1.26.0 → 1.27.1
- tsdown 0.15.12 → 0.21.4
- prettier 3.6.2 → 3.8.1
- typescript-eslint 8.48.0 → 8.57.1
- lefthook 2.0.2 → 2.1.4
- eslint/@eslint/js → 9.39.4 (kept at v9, typescript-eslint lacks v10 support)
- Regenerated lockfile to pick up transitive security fixes
  (hono, @hono/node-server, express-rate-limit, flatted, rollup,
  minimatch, ajv, qs, undici)

examples/servers/typescript:
- @modelcontextprotocol/sdk → 1.27.1
- Removed zod-to-json-schema (broken with zod v4)
- Added zod ^4 as direct dep
- Regenerated lockfile

GitHub Actions:
- actions/setup-node v4 → v6 in action.yml

Code changes for zod v4:
- ZodError.errors → ZodError.issues (src/index.ts)
- .refine() callback signature updated (src/schemas.ts)
- everything-server: replaced zodToJsonSchema with SDK's
  toJsonSchemaCompat helper (handles zod v3/v4/v4-mini)

Build fix for tsdown 0.21:
- Added --no-fixed-extension to preserve dist/index.js output
  (tsdown 0.21 defaults to .mjs for type:module packages)
@pcarleton
fix: include all platform binaries in lockfile
c179e0a 
The lockfile was generated on macOS which caused npm to only resolve
darwin-arm64 entries for platform-specific optional dependencies
(esbuild, rolldown bindings). This broke npm ci on Linux CI runners.

Regenerated from a clean state to include all 26 esbuild platforms
and all 15 rolldown platform bindings.
@pkg-pr-new
Copy link

pkg-pr-new bot commented Mar 23, 2026
edited
Loading

Open in StackBlitz

npx https://pkg.pr.new/@modelcontextprotocol/conformance@192

commit: c179e0a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pcarleton