@dependabot dependabot bot commented on behalf of github Dec 4, 2025

Bumps the npm_and_yarn group with 3 updates in the / directory: @modelcontextprotocol/sdk, better-auth and js-yaml.
Bumps the npm_and_yarn group with 2 updates in the /apps/sim directory: better-auth and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits
  • 356b7e6 chore: bump version for release (#1215)
  • 09623e2 Merge commit from fork
  • cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
  • 8204126 fix: allow zod 4 transformations (#1213)
  • 6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
  • a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
  • 4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
  • 5ceabfb fix: normalize headers in sse transport (#856)
  • f67fc2f fix: improve SSE reconnection behavior (#1191)
  • fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.


Updates better-auth from 1.3.12 to 1.4.2

Release notes

Sourced from better-auth's releases.

v1.4.2

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.2-beta.5

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.2-beta.4

No significant changes

    View changes on GitHub

v1.4.2-beta.3

No significant changes

    View changes on GitHub

... (truncated)

Commits
  • f2c28dd chore: release v1.4.2
  • 7e7a4ca chore: release v1.4.2-beta.2
  • a2e6a8a Revert "chore: lint (#6290)"
  • 5ea36ab fix: signIn/signUp API returns user additional field (#6287)
  • 205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
  • 201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
  • 1c1c913 chore: more join tests for missing data scenarios (#6166)
  • 1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
  • fc662c5 chore: remove incorrect auth cli (#6242)
  • fabf8dc docs: updated og image and add merch link to community section (#6251)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates glob from 11.0.2 to 11.1.0

Changelog

Sourced from glob's changelog.

changeglob

13

  • Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

  • Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

  • Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
  • Add th...

    Description has been truncated

…updates

Bumps the npm_and_yarn group with 3 updates in the / directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 2 updates in the /apps/sim directory: [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 1 update in the /scripts directory: [glob](https://github.com/isaacs/node-glob).


Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0)

Updates `better-auth` from 1.3.12 to 1.4.2
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.4.2/packages/better-auth)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `glob` from 11.0.2 to 11.1.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v11.0.2...v11.1.0)

---
updated-dependencies:
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.24.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 11.1.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies and javascript labels Dec 4, 2025

vercel bot commented Dec 4, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
docs Error Error Dec 4, 2025 9:31pm

greptile-apps bot commented Dec 4, 2025

Greptile Overview

Greptile Summary

Dependabot updated 4 packages across the monorepo, but there's a critical version conflict that will prevent the intended upgrades from taking effect.

Key Changes:

  • @modelcontextprotocol/sdk: 1.20.2 → 1.24.0 (MCP spec 2025-11-25, Tasks support)
  • better-auth: 1.3.12 → 1.4.2 (PKCE for GitHub, JWKS customization, bug fixes)
  • js-yaml: 4.1.0 → 4.1.1 (security fix for prototype pollution CVE)
  • next: 15.4.8 → 16.0.7 (attempted upgrade)
  • glob: 11.0.2 → 11.1.0 (minor bump)

Critical Issue:
The root package.json and apps/sim/package.json both have overrides sections that pin Next.js to 15.4.8, but Dependabot updated the dependency declarations to 16.0.7. Package manager overrides take precedence, so the application will actually run Next.js 15.4.8 despite the dependency declarations indicating 16.0.7. This creates confusion and prevents the Next.js upgrade from taking effect.

Security Note:
The js-yaml update fixes a prototype pollution vulnerability and should be merged promptly after resolving the Next.js version conflict.

Confidence Score: 0/5

  • This PR has critical version conflicts that will prevent intended upgrades from working correctly and should not be merged as-is.
  • Score of 0 (critical issues) because package.json overrides pin Next.js to 15.4.8 while dependencies declare 16.0.7, creating a fundamental version mismatch. The override will silently force 15.4.8 despite PR claiming to update to 16.0.7. This makes the PR misleading and potentially breaks expectations. While js-yaml security fix is important, the Next.js conflict must be resolved first by either updating overrides to 16.0.7 or reverting Next.js dependency changes.
  • Critical attention needed on package.json and apps/sim/package.json - both have override sections that conflict with the dependency updates

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| package.json | 1/5 | Critical issue - overrides pin Next.js to 15.4.8 but dependencies updated to 16.0.7, creating version conflict. Also updates @modelcontextprotocol/sdk to 1.24.0. |
| apps/sim/package.json | 1/5 | Same critical Next.js override conflict (15.4.8 vs 16.0.7). Updates better-auth to 1.4.2 and js-yaml to 4.1.1 (security fix for prototype pollution). |
| apps/docs/package.json | 3/5 | Updates Next.js to 16.0.7 - no override conflicts at this level, should work correctly. |

Sequence Diagram

sequenceDiagram
    participant Dependabot
    participant RootPackage as package.json
    participant SimApp as apps/sim/package.json
    participant DocsApp as apps/docs/package.json
    participant Scripts as scripts/package.json
    
    Dependabot->>RootPackage: Update @modelcontextprotocol/sdk<br/>1.20.2 → 1.24.0
    Note over RootPackage: ⚠️ Override conflict:<br/>next: 15.4.8 (pinned)
    
    Dependabot->>SimApp: Update better-auth<br/>1.3.12 → 1.4.2
    Dependabot->>SimApp: Update js-yaml<br/>4.1.0 → 1.4.1 (security fix)
    Dependabot->>SimApp: Update next<br/>15.4.8 → 16.0.7
    Note over SimApp: ⚠️ Override conflict:<br/>next: 15.4.8 (pinned)
    
    Dependabot->>DocsApp: Update next<br/>15.4.8 → 16.0.7
    Note over DocsApp: ✓ No override conflicts
    
    Dependabot->>Scripts: Update glob<br/>11.0.2 → 11.1.0
    Note over Scripts: ✓ Minor version bump
    
    Note over RootPackage,SimApp: Critical Issue: Dependencies<br/>updated to Next 16.0.7 but<br/>overrides pin to 15.4.8

greptile-apps bot left a comment

Additional Comments (2)

  1. package.json, line 31-32 (link)

    logic: Critical version mismatch - package.json overrides specify next: "15.4.8" but Dependabot updated dependencies to Next.js 16.0.7. This creates conflicts where override pins version to 15.4.8 while dependencies try to use 16.0.7.

  2. apps/sim/package.json, line 169-170 (link)

    logic: Same version mismatch at the app level - overrides pin Next.js to 15.4.8 but dependencies specify 16.0.7. This will force 15.4.8 despite the intended upgrade.

4 files reviewed, 2 comments
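
The override conflict described in the review above can be caught mechanically before merge. The following is an added example, not part of the original thread or the project's code: `sampleManifest` is constructed, the function names are hypothetical, and only exact pins and `^`/`~` ranges are understood (anything else is reported as `unparsed`).

```javascript
// Added example (not from the PR): flag packages whose `overrides` pin
// falls outside the version declared in the same package.json.

// Constructed sample manifest mirroring the conflict the review describes.
const sampleManifest = {
  dependencies: { next: "16.0.7", "js-yaml": "4.1.1", "better-auth": "1.4.2" },
  devDependencies: { glob: "^11.1.0" },
  overrides: { next: "15.4.8", "js-yaml": "4.1.1", glob: "11.1.0" },
};

// Parse "1.2.3", "^1.2.3" or "~1.2.3"; anything else returns null.
function parseSpec(spec) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? { op: m[1], parts: [Number(m[2]), Number(m[3]), Number(m[4])] } : null;
}

// True when the exact pinned version lies inside the declared range.
function satisfies(pin, range) {
  const [a, b] = [pin.parts, range.parts];
  const cmp = a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  if (range.op === "") return cmp === 0; // exact declaration
  if (cmp < 0) return false;             // pin is below the range floor
  // Leading components that must match: ~ fixes major.minor, ^ fixes
  // everything up to and including the first non-zero component.
  const fixed = range.op === "~" ? 2 : b[0] > 0 ? 1 : b[1] > 0 ? 2 : 3;
  return a.slice(0, fixed).every((n, i) => n === b[i]);
}

// Return one entry per override that disagrees with a direct dependency.
function findOverrideConflicts(manifest) {
  const declared = { ...manifest.devDependencies, ...manifest.dependencies };
  const conflicts = [];
  for (const [name, pin] of Object.entries(manifest.overrides ?? {})) {
    if (!Object.hasOwn(declared, name)) continue; // not a direct dependency
    const pinSpec = typeof pin === "string" ? parseSpec(pin) : null;
    const decSpec = parseSpec(declared[name]);
    const entry = { name, declared: declared[name], override: pin };
    if (!pinSpec || pinSpec.op !== "" || !decSpec) {
      conflicts.push({ ...entry, reason: "unparsed" }); // needs manual review
    } else if (!satisfies(pinSpec, decSpec)) {
      conflicts.push({ ...entry, reason: "mismatch" });
    }
  }
  return conflicts;
}

console.log(findOverrideConflicts(sampleManifest));
```

Run against each workspace manifest in CI, a non-empty result is a signal that a version bump in the PR will not be the version that actually installs.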
