github actions (deps): bump the github-dependencies group across 1 directory with 2 updates#345
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
…rectory with 2 updates Bumps the github-dependencies group with 2 updates in the / directory: [actions/dependency-review-action](https://github.com/actions/dependency-review-action) and [dorny/paths-filter](https://github.com/dorny/paths-filter). Updates `actions/dependency-review-action` from 4 to 5 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@v4...v5) Updates `dorny/paths-filter` from 3 to 4 - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](dorny/paths-filter@v3...v4) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-dependencies - dependency-name: dorny/paths-filter dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
ellie-bound1-NHSD
pushed a commit
that referenced
this pull request
May 18, 2026
…e-api repo (#349) # Pull Request ## 🧾 Ticket Link https://nhsd-jira.digital.nhs.uk/browse/NPA-6978 --- ## 📄 Description/Summary of Changes There are 14 Dependabot branches/PRs up to 14/05/2026. Most of these are small package updates. Analysis: -----8<-----8<-----8<-----8<-----8<----- The 14 Dependabot branches break down into three categories: pyproject.toml + lock file (direct dep bumps, 3 PRs): - #320 — black 26.3.1 in pyproject.toml - #321 — black 26.3.1 in pyproject.toml - #332 — pytest 9.0.3 in pyproject.toml Lock file only (transitive dep bumps, 10 PRs): - poetry.lock: requests, cryptography, python-dotenv, lxml, urllib3, authlib - poetry.lock: requests - poetry.lock: (implied by sandbox pytest) - package-lock.json: follow-redirects, basic-ftp, fast-uri GitHub Actions YAML only (1 PR): - #345 — workflows changes, no lock files So the practical plan is: apply the 3 pyproject.toml edits, regenerate all lock files fresh (which picks up all transitive updates in one shot), cherry-pick #345, then commit and push. -----8<-----8<-----8<-----8<-----8<----- Steps: 1. Made the required bumps to `pyproject.toml` and `sandbox/pyproject.toml` 2. Updated lock files: -- poetry lock -- cd sandbox && poetry lock && cd .. -- cd scripts && poetry lock && cd .. -- npm update follow-redirects basic-ftp fast-uri 3. cherry-pick #345 -- git cherry-pick origin/dependabot/github_actions/github-dependencies-0645f932cc 4. Noted vulnerability in `pytest-nhsd-apim`: upgraded from `^5.0.0` to `^6.0.0` Outcome is 'better than Dependabot': Package | Dependabot suggested | Now in lock black (root + sandbox) | 26.3.1 | 26.3.1 ✅ pytest (sandbox) | 9.0.3 | 9.0.3 ✅ python-dotenv | 1.2.2 | 1.2.2 ✅ lxml | 6.1.0 | 6.1.0 ✅ urllib3 | 2.7.0 | 2.7.0 ✅ requests | 2.33.0 | 2.34.2 ⬆️ newer authlib | 1.6.12 | 1.7.2 ⬆️ newer cryptography | 46.0.7 | 48.0.0 ⬆️ newer follow-redirects | 1.16.0 | 1.16.0 ✅ basic-ftp | 5.3.1 | 5.3.1 ✅ fast-uri | 3.1.2 | 3.1.2 ✅ --- ## 🧪 Developer Testing Carried Out <!-- Describe what tests (automated/unit/manual etc.) have been done for the ticket. Include: --> <!-- - Any tests added/updated --> <!-- - Evidence that each acceptance criterion from the Jira ticket is met --> <!-- - Evidence of tests running eg. link to github workflow with tests passing or screenshot of tests running locally --> - `make schema-all`: All tests pass ✅ - `make generate-postman-collection` regenerates `postman/validated_relationship_service.sandbox.postman_collection.json` with only the UUIDs changed. ✅ - `make test-postman-collection SANDBOX_BASE_URL=https://sandbox.api.service.nhs.uk/validated-relationships/FHIR/R4`: All tests pass ✅ --- ## 📋 PR Principles <!-- Principles we as a team follow when conducting a PR --> - Keep PRs Small and Focused: Ensure the PR addresses a single task or feature to make it easier to review. - Multiple PRs for one Ticket: When splitting work into multiple PRs, clearly describe what this PR addresses and outline the remaining work to complete the ticket. - Ensure Tests Are Included: Add or update unit, integration, or end-to-end tests to cover the changes made. - Follow Coding Standards: Ensure the code adheres to the team's coding guidelines and best practices. - Resolve Comments Promptly: If you raise a comment, ensure you follow up and resolve it before approving the PR to maintain clarity and ensure comments are addressed. - Foster Learning: PR reviews are an opportunity to share knowledge, provide constructive feedback, and encourage a collaborative environment. ## 🏷️ Naming Conventions Reminder Please ensure the following naming conventions are followed: - PR title follows the format: `NPA-XXXX: <short-description>` - Branch name follows the convention: `<type>/NPA-XXXX/<short-description>` - Commit messages follow the template: `NPA-XXXX: <short-description>` --------- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Contributor
Author
|
Looks like these dependencies are no longer updatable, so this is no longer needed. |
dependabot
Bot
deleted the
dependabot/github_actions/github-dependencies-0645f932cc
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the github-dependencies group with 2 updates in the / directory: actions/dependency-review-action and dorny/paths-filter.
Updates
actions/dependency-review-actionfrom 4 to 5Release notes
Sourced from actions/dependency-review-action's releases.
... (truncated)
Commits
a1d282bMerge pull request #1098 from actions/ahpook/v5-releaseeb6c199update examples to show@v53943c2cv5.0.0 release branch454943cMerge pull request #1094 from actions/ashelytc/security-findings6d92a12revert@typescript-eslint/parserupdatea8e5a7eMerge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...b6b7079update@typescript-eslint/parserto 8.40.0821a21dupdate more dependencies05aaaaerun npm audit fix55d3e75Merge pull request #1077 from Marukome0743/docs/checkoutUpdates
dorny/paths-filterfrom 3 to 4Release notes
Sourced from dorny/paths-filter's releases.
Changelog
Sourced from dorny/paths-filter's changelog.
... (truncated)
Commits
fbd0ab8feat: add merge_group event supportefb1da7feat: add dist/ freshness check to PR workflowd8f7b06Merge pull request #302 from dorny/issue-299addbc14Update README for v49d7afb8Update CHANGELOG for v4.0.0782470cMerge branch 'releases/v3'ce10459Merge pull request #294 from saschabratton/master5f40380feat: update action runtime to node24Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions