@ignaciosantise ignaciosantise commented Jan 22, 2026

Summary

  • Updated storybook to 8.6.15 and all related @storybook/* packages for consistency
  • Updated lodash to 4.17.23 via overrides in examples/expo-multichain
  • Added comprehensive Dependabot alert resolution guidance to AGENTS.md

Test Plan

  • Verify yarn install completes successfully
  • Verify npm install in examples/expo-multichain completes successfully
  • Check that lockfiles are properly updated with new dependency versions

🤖 Generated with Claude Code


Note

Dependency updates

  • Bumps Storybook in apps/gallery to ^8.6.15 and aligns all @storybook/* and storybook entries in yarn.lock
  • Adds lodash@4.17.23 via overrides in examples/expo-multichain/package.json and updates package-lock.json

Documentation

  • Adds Dependabot resolution guidance to AGENTS.md (direct vs transitive updates, lockfile updates, related packages, no major bumps, formatting)

Written by Cursor Bugbot for commit 6b1867a.

Update storybook to 8.6.15 in apps/gallery and all related @storybook/* packages to the same version for consistency. Update lodash to 4.17.23 in examples/expo-multichain via overrides. Add comprehensive Dependabot alert resolution guidance to AGENTS.md.

Co-Authored-By: Claude Haiku 4.5 <[email protected]>
Copilot AI review requested due to automatic review settings January 22, 2026 16:11

changeset-bot bot commented Jan 22, 2026

⚠️ No Changeset found

Latest commit: 6b1867a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


claude bot commented Jan 22, 2026

Claude finished @ignaciosantise's task.


Code Review Complete ✅

Summary

This PR properly resolves Dependabot alerts for Storybook and lodash dependencies. The changes are well-structured and follow the repository's dependency management patterns.


Issues Found

1. Missing Changeset for Gallery App Updates

Severity: Medium
Location: Root directory

The changeset-bot correctly identified that no changeset was added. While this is a chore: commit, the Storybook updates in apps/gallery/package.json constitute dependency changes that should be tracked for the gallery app.

Recommendation: Add a changeset for @apps/gallery with type patch:

yarn changeset add

Select @apps/gallery and choose patch, then describe: "chore: update storybook dependencies to 8.6.15"


2. Inconsistent Documentation Guidance

Severity: Low
Location: AGENTS.md:311-324

The new Dependabot guidance states:

"1. Direct dependencies - Update the version directly in the package's package.json where it's declared. This is cleaner than using resolutions..."

However, this contradicts the repository's existing pattern. The root package.json:83-107 already uses resolutions extensively for security updates (h3, tar, node-forge, qs, undici, preact, js-yaml, valibot).

Recommendation: Revise the guidance to clarify when each approach should be used:

  • Direct dependencies used by the package itself → update in package.json
  • Direct dependencies used by workspace package managers (like storybook in gallery) → update in package.json
  • Transitive security vulnerabilities → use resolutions/overrides (as already done for h3, tar, etc.)

The current implementation in this PR is actually correct (storybook updated in apps/gallery/package.json, lodash override added to expo-multichain/package.json), but the documentation could be clearer about the distinction.


3. Potential Version Inconsistency Risk

Severity: Low
Location: apps/gallery/package.json:11

The @chromatic-com/storybook package uses ^1 while all other @storybook/* packages now use ^8.6.15. While Chromatic's package follows its own versioning, it's worth noting for future compatibility checks.

Recommendation: Monitor for any compatibility warnings when running the gallery app. This is likely fine, but document if any issues arise.


What Was Done Well

Comprehensive storybook update - All @storybook/* packages updated consistently to 8.6.15 (this fixes incomplete Dependabot PR #163700bb which only updated the main storybook package)

Correct lodash implementation - Using overrides in expo-multichain/package.json is the right approach since lodash is a transitive dependency there

Lockfile updates - Both yarn.lock and package-lock.json properly updated

Documentation addition - AGENTS.md now includes helpful Dependabot resolution guidance

No breaking changes - Updates are minor/patch versions only (8.3.0 → 8.6.15, 4.17.21 → 4.17.23)

Follows commit convention - Uses chore: prefix appropriately


Test Plan Verification

The stated test plan is appropriate:

  • ✅ Verify yarn install completes successfully
  • ✅ Verify npm install in examples/expo-multichain completes successfully
  • ✅ Check that lockfiles are properly updated

Additional recommendations:

  • Run yarn gallery to verify Storybook launches without errors
  • Check for any new console warnings related to version mismatches

Final Recommendation

Approve with minor changes: Add a changeset for the gallery app updates, then merge.

The core dependency updates are solid and address the security alerts properly. The documentation could be refined but doesn't block merging.
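The review's distinction between direct dependencies (fixed in package.json) and transitive ones (fixed through overrides/resolutions), together with the test-plan step of checking that the lockfile really picked up the new version, can be verified mechanically rather than by eye. The following Node script is an added example, not code from this PR or the project: it reads an npm lockfile (lockfileVersion 2/3, the "packages" map) plus package.json, lists every installed copy of a package, nested copies included, that is still below the patched version, and confirms that the overrides entry is at or above that version. All sample data is constructed, and the file name audit-lockfile.js in the usage comment is hypothetical.

```javascript
// Added example, not code from this PR or the project: audit an npm lockfile
// (lockfileVersion 2/3, "packages" map) to confirm that every installed copy of
// a package, including nested copies, is at or above the patched version, and
// that package.json carries an override enforcing it. Sample data is constructed.

// Parse "MAJOR.MINOR.PATCH" (a leading ^ or ~ is tolerated); null if unparseable.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} vs ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`. Nested copies live at paths such as
// node_modules/<dep>/node_modules/<name>; the suffix match deliberately does
// not catch similarly named packages such as lodash.merge.
function findInstalledVersions(lockfile, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lockfile.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Copies still below the minimum patched version; an empty array means the
// override (or direct bump) took effect everywhere.
function auditLockfile(lockfile, name, minVersion) {
  return findInstalledVersions(lockfile, name)
    .filter(({ version }) => compareVersions(version, minVersion) < 0);
}

// True if package.json has an `overrides` entry for `name` at or above minVersion.
// An override pinned to an older version would silently reintroduce the alert.
function overrideIsSufficient(pkg, name, minVersion) {
  const spec = (pkg.overrides || {})[name];
  if (typeof spec !== 'string' || !parseVersion(spec)) return false;
  return compareVersions(spec, minVersion) >= 0;
}

// Constructed sample inputs (not the PR's real files).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { 'some-lib': '1.0.0' },
  overrides: { lodash: '4.17.23' },
};

const SAMPLE_LOCKFILE_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/lodash': { version: '4.17.20' },
    'node_modules/lodash.merge': { version: '4.6.2' },
  },
};

const SAMPLE_LOCKFILE_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/lodash': { version: '4.17.23' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/lodash.merge': { version: '4.6.2' },
  },
};

// Usage against real files (hypothetical file name):
//   node audit-lockfile.js package.json package-lock.json lodash 4.17.23
// Without arguments the constructed samples are audited instead.
if (typeof require !== 'undefined' && require.main === module) {
  const [pkgPath, lockPath, name, minVersion] = process.argv.slice(2);
  if (pkgPath && lockPath && name && minVersion) {
    const fs = require('fs');
    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
    const lock = JSON.parse(fs.readFileSync(lockPath, 'utf8'));
    console.log('override sufficient:', overrideIsSufficient(pkg, name, minVersion));
    console.log('stale copies:', auditLockfile(lock, name, minVersion));
  } else {
    console.log('stale before:', auditLockfile(SAMPLE_LOCKFILE_BEFORE, 'lodash', '4.17.23'));
    console.log('stale after:', auditLockfile(SAMPLE_LOCKFILE_AFTER, 'lodash', '4.17.23'));
  }
}
```

Running it on the "before" sample reports two stale copies (the top-level lodash and the nested one under some-lib), which is exactly the case a top-level bump alone would miss; on the "after" sample it reports none. The override check catches the opposite mistake, an overrides entry that names the package but pins a version below the patched one.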



Copilot AI left a comment


Pull request overview

This PR attempts to resolve Dependabot security alerts by updating storybook to version 8.6.15 and lodash to version 4.17.23. It also adds comprehensive documentation about handling Dependabot alerts to the AGENTS.md file.

Changes:

  • Updated all storybook packages from ^8.3.0 to ^8.6.15 in apps/gallery
  • Updated lodash to 4.17.23 via overrides in examples/expo-multichain
  • Added Dependabot alert resolution guidance to AGENTS.md

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • apps/gallery/package.json: Updated all @storybook/* packages and storybook to ^8.6.15 for consistency
  • yarn.lock: Reflects updated storybook package versions and checksums for 8.6.15
  • examples/expo-multichain/package.json: Added lodash 4.17.23 to overrides field (invalid version)
  • examples/expo-multichain/package-lock.json: Updated lodash entry to version 4.17.23 (invalid version)
  • AGENTS.md: Added comprehensive guidance on resolving Dependabot alerts and dependency updates

Files not reviewed (1):

  • examples/expo-multichain/package-lock.json: Language not supported


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


@sonarqubecloud

@ignaciosantise ignaciosantise merged commit f69b234 into develop Jan 22, 2026
10 of 11 checks passed
@ignaciosantise ignaciosantise deleted the fix-alerts branch January 22, 2026 17:01
@github-actions github-actions bot locked and limited conversation to collaborators Jan 22, 2026