Skip to content

CCM-11961: Dependabot Upgrades#1001

Merged
ScottFullerton-NHSE merged 26 commits into
releasefrom
feature/CCM-11961-dependabot-upgrades
Sep 22, 2025
Merged

CCM-11961: Dependabot Upgrades#1001
ScottFullerton-NHSE merged 26 commits into
releasefrom
feature/CCM-11961-dependabot-upgrades

Conversation

@ScottFullerton-NHSE
Copy link
Copy Markdown
Contributor

@ScottFullerton-NHSE ScottFullerton-NHSE commented Sep 16, 2025
edited
Loading

Summary

Security Alerts:

Most of the remaining security alerts require a Python Upgrade which is in progress, but has been put on the backlog for sometime now.

Dependency Upgrades:

Reviews Required

  • Dev
  • Test
  • Tech Author
  • Product Owner

Checklist

  • Brief description of work completed, and any technical decisions made as part of the PR
  • PR link added as a comment to the relevant JIRA ticket
  • PR link shared on Slack and/or Teams
  • 2 reviews received
  • Tester approval

dependabot Bot and others added 13 commits January 20, 2025 05:59
@dependabot
Bump sphinx-markdown-builder from 0.6.7 to 0.6.8
f7164a8 
Bumps [sphinx-markdown-builder](https://github.com/liran-funaro/sphinx-markdown-builder) from 0.6.7 to 0.6.8.
- [Commits](liran-funaro/sphinx-markdown-builder@0.6.7...0.6.8)

---
updated-dependencies:
- dependency-name: sphinx-markdown-builder
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump pytest-asyncio from 0.20.3 to 0.24.0
349aa78 
Bumps [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) from 0.20.3 to 0.24.0.
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v0.20.3...v0.24.0)

---
updated-dependencies:
- dependency-name: pytest-asyncio
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump notifications-python-client from 9.1.0 to 10.0.1
a2e28d5 
Bumps [notifications-python-client](https://github.com/alphagov/notifications-python-client) from 9.1.0 to 10.0.1.
- [Changelog](https://github.com/alphagov/notifications-python-client/blob/main/CHANGELOG.md)
- [Commits](alphagov/notifications-python-client@9.1.0...10.0.1)

---
updated-dependencies:
- dependency-name: notifications-python-client
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump semver from 3.0.2 to 3.0.4
5a8be76 
Bumps [semver](https://github.com/python-semver/python-semver) from 3.0.2 to 3.0.4.
- [Release notes](https://github.com/python-semver/python-semver/releases)
- [Changelog](https://github.com/python-semver/python-semver/blob/master/CHANGELOG.rst)
- [Commits](python-semver/python-semver@3.0.2...3.0.4)

---
updated-dependencies:
- dependency-name: semver
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump pytest from 8.3.4 to 8.3.5
e6976ac 
Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.3.4 to 8.3.5.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.4...8.3.5)

---
updated-dependencies:
- dependency-name: pytest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump the npm_and_yarn group with 4 updates
f799136 
Bumps the npm_and_yarn group with 4 updates: [form-data](https://github.com/form-data/form-data), [@redocly/cli](https://github.com/Redocly/redocly-cli), [jose](https://github.com/panva/jose) and [newman](https://github.com/postmanlabs/newman).


Updates `form-data` from 4.0.0 to 4.0.4
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.0...v4.0.4)

Updates `@redocly/cli` from 1.34.4 to 1.34.5
- [Release notes](https://github.com/Redocly/redocly-cli/releases)
- [Changelog](https://github.com/Redocly/redocly-cli/blob/@redocly/cli@1.34.5/docs/changelog.md)
- [Commits](https://github.com/Redocly/redocly-cli/compare/@redocly/cli@1.34.4...@redocly/cli@1.34.5)

Updates `jose` from 4.14.4 to 5.6.3
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md)
- [Commits](panva/jose@v4.14.4...v5.6.3)

Updates `newman` from 6.1.3 to 6.2.0
- [Changelog](https://github.com/postmanlabs/newman/blob/develop/CHANGELOG.yaml)
- [Commits](postmanlabs/newman@v6.1.3...v6.2.0)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@redocly/cli"
  dependency-version: 1.34.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: jose
  dependency-version: 5.6.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: newman
  dependency-version: 6.2.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump nodemon from 3.1.9 to 3.1.10 in /sandbox
f24e237 
Bumps [nodemon](https://github.com/remy/nodemon) from 3.1.9 to 3.1.10.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](remy/nodemon@v3.1.9...v3.1.10)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-version: 3.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump express from 5.0.1 to 5.1.0 in /sandbox
c6a6c43 
Bumps [express](https://github.com/expressjs/express) from 5.0.1 to 5.1.0.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@v5.0.1...v5.1.0)

---
updated-dependencies:
- dependency-name: express
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump eslint-plugin-unicorn from 45.0.2 to 56.0.1
cd11f5d 
Bumps [eslint-plugin-unicorn](https://github.com/sindresorhus/eslint-plugin-unicorn) from 45.0.2 to 56.0.1.
- [Release notes](https://github.com/sindresorhus/eslint-plugin-unicorn/releases)
- [Commits](sindresorhus/eslint-plugin-unicorn@v45.0.2...v56.0.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-unicorn
  dependency-version: 56.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump eslint-plugin-workspaces from 0.7.0 to 0.11.0
b42ba26 
Bumps [eslint-plugin-workspaces](https://github.com/joshuajaco/eslint-plugin-workspaces) from 0.7.0 to 0.11.0.
- [Release notes](https://github.com/joshuajaco/eslint-plugin-workspaces/releases)
- [Changelog](https://github.com/joshuajaco/eslint-plugin-workspaces/blob/main/CHANGELOG.md)
- [Commits](joshuajaco/eslint-plugin-workspaces@v0.7.0...v0.11.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-workspaces
  dependency-version: 0.11.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump mocha from 10.7.3 to 11.7.2 in /sandbox
6bdbdcb 
Bumps [mocha](https://github.com/mochajs/mocha) from 10.7.3 to 11.7.2.
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/main/CHANGELOG.md)
- [Commits](mochajs/mocha@v10.7.3...v11.7.2)

---
updated-dependencies:
- dependency-name: mocha
  dependency-version: 11.7.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump eslint-plugin-sonarjs from 0.16.0 to 3.0.5
e34ac96 
Bumps [eslint-plugin-sonarjs](https://github.com/SonarSource/SonarJS) from 0.16.0 to 3.0.5.
- [Release notes](https://github.com/SonarSource/SonarJS/releases)
- [Commits](https://github.com/SonarSource/SonarJS/commits)

---
updated-dependencies:
- dependency-name: eslint-plugin-sonarjs
  dependency-version: 3.0.5
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@ScottFullerton-NHSE
Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/npm_and_…
e1b523a 
…yarn-7e13879316' into feature/CCM-11961-dependabot-upgrades
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@ScottFullerton-NHSE ScottFullerton-NHSE added the dependencies Pull requests that update a dependency file label Sep 16, 2025
@ScottFullerton-NHSE
Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/sandbox/…
63716f3 
…nodemon-3.1.10' into feature/CCM-11961-dependabot-upgrades
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@ScottFullerton-NHSE
Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/eslint-p…
f1161e2 
…lugin-sonarjs-3.0.5' into feature/CCM-11961-dependabot-upgrades
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@ScottFullerton-NHSE
Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/sandbox/…
483e7ca 
…mocha-11.7.2' into feature/CCM-11961-dependabot-upgrades
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Sep 16, 2025

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

CCM-11961

@ScottFullerton-NHSE ScottFullerton-NHSE changed the title Draft: CCM-11961: Dependabot Upgrades CCM-11961: Dependabot Upgrades Sep 17, 2025
gareth-allan
gareth-allan approved these changes Sep 17, 2025
View reviewed changes
Comment thread package-lock.json
Copy link
Copy Markdown
Contributor

@gareth-allan gareth-allan Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we have a package-lock.json and a pnpm-lock.yaml in this repo? I thought if we were using PNPM we'd get the PNPM lock file instead of package-lock.json?

Obviously you've not changed this, so it's not something that needs to block this PR, but it seems odd.

@ScottFullerton-NHSE ScottFullerton-NHSE merged commit 9acacbe into release Sep 22, 2025
6 checks passed
@ScottFullerton-NHSE ScottFullerton-NHSE deleted the feature/CCM-11961-dependabot-upgrades branch September 22, 2025 08:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simonlabarere simonlabarere simonlabarere approved these changes

@gareth-allan gareth-allan gareth-allan approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ScottFullerton-NHSE @simonlabarere @gareth-allan