Skip to content

Bump tmp and release-it #1030

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot wants to merge 1 commit into from
Closed

Bump tmp and release-it #1030

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 27, 2025
edited
Loading

Removes tmp. It's no longer used after updating ancestor dependency release-it. These dependencies need to be updated together.

Removes tmp

Updates release-it from 17.6.0 to 19.0.4

Release notes

Sourced from release-it's releases.

Release 19.0.4

  • Replace lodash.get with custom get() function and add tests (#1231) (879a2ef69bb245d28cfe4abe4701ceefaadb6bee) - thanks @​AlejandroRM-DEV!
  • fix: set octokit log to {} instead of null (#1237) (6fc696f324897e133a9443064dfc6ef5dd827871) - thanks @​efstathiosntonas!
  • Update dependencies (2195b7935f7bece7e0f49bd13089fc0eb4f671aa)

Release 19.0.3

  • chore: use node's spawn instead of tinyexec dep (#1227) (fccdf6742ed4051fcd6ee11d890b84f7a34e81c4) - thanks @​efstathiosntonas!
  • Minor housekeeping/formatting (1604dc75ac2370a068c28a9119885d3035d372ac)
  • Add default timeout (mainly for tests) (96d8889251e670fc178e891b62a845bb8009f929)
  • docs(gitlab): update token scope requirements and default secure setting (#1229) (9c7d2b331d35ca6131d9e09e343cc8337d4cfc09) - thanks @​AlejandroRM-DEV!
  • Update dependencies (b792c458a146665c17ea7290cae435034b9f3e87)

Release 19.0.2

  • Bump engines.node from 20.9 → 20.12 (resolves #1219) (a012da6a2ac442a6000a2908d6418e25720525fc)
  • Update dependencies (ebfc5a2a5fc518480910bb628ad7f34f065842b4)

Release 19.0.1

  • Don't throw if no config file is found (2cb4a7e414b1ae593d6ea4cb24e508b4e2970826)

Release 19.0.0

  • Update dependencies (cbe2fa6a5be2d61533b309b0069a2589c34ca77e)
  • v18 → v19 (6f8150a740d5bb4e4d24b1c78f61f244da8afb0d)
  • Housekeeping (41dfaaeabc720bf683e4c8daf527db9786a6adfe)

Release 19.0.0-next.5

  • feat: use c12 to replace cosmiconfig (#1212) (23272f88f6fc81628f3649f42d96bb9148c65ef7) - thanks @​aa900031!
  • Fix lint issues (d585942666d543f956c3c78b88ac35e3374e017b)
  • Remove update-notifier (032c993bd288eb82c1fcdf2251820af06defc639)
  • globby → tinygobby (048b2f8664b136d49c6cf2a088fc5f241b694ed0)
  • execa → tinyexec (27fa5b0853a0cb6bd9b299edaee4f7871b1031a0)

Release 19.0.0-next.4

  • fix(json-schema): change addUntrackedFiles to boolean (#1214) (1c5af4012eecf4bcc8a5a6f1857ff02f03125a18) - thanks @​KyleRoss!
  • Add double dash to separate paths from git command (resolves #1210) (06bccd79bedc5959adb755b1e2c6db4b100888d5)
  • fix: parse boolean values from command line (#1215) (d87fd39a68ea8a789916ae1ba2fe3557c3dd658e) - thanks @​mdvorak!
  • Update dependencies (ea3a19356da20acb1e5fb5b181e22d5105018674)

Release 19.0.0-next.3

  • Minor refactors (c4ef03b71ad9ce35b6560ce3efc12a3579f331c9)
  • Update links in gitlab docs (0750f08b3108d4516841eb43476552168fd8f701)
  • Use request.formData (c774a007ea703bc45dbf0386253790651b56e6f4)
  • Add mockFetch for more concise mentoss API (ec1065f4294436befe8a63a3c232fc812cc50934)
  • Fix up GitLab urls (11dd73d59e9ee1171eabeda7de12ab0bc2c60330)
  • chalk → styleText (cab8f969c3598da7694513d4b04b8266cf51a469)
  • Single line in release notes (commit.message → commit.subject) (c709d5c6e3e8aec234e623aefa17553eeb066232)
  • Update dependencies (83a8d828fb3e2be6a832273d0fa9def623b19764)
  • Remove prettier from eslint config (473b2ee2b16b77ec7bae06133de4a7bb92bb3763)
  • Fix lint issue (f1865038ccb3f291a127ec33ea0d818802011f4d)

Release 19.0.0-next.2

... (truncated)

Changelog

Sourced from release-it's changelog.

Changelog

This document lists breaking changes for each major release.

See the GitHub Releases page for detailed changelogs: https://github.com/release-it/release-it/releases

v19 (2025-04-18)

  • No breaking changes (dependency party)

v18 (2025-01-06)

  • Removed support for Node.js v18.

v17 (2023-11-11)

  • Removed support for Node.js v16.

v16 (2023-07-05)

  • Removed support for Node.js v14.

v15 (2022-04-30)

  • Removed support for Node.js v10 and v12.
  • Removed support for GitLab v12.4 and lower.
  • Removed anonymous metrics (and the option to disable it).
  • Programmatic usage and plugins only through ES Module syntax (import)

Use release-it v14 in legacy environments.

v14 (2020-09-03)

  • Removed global property from plugins. Use this.config[key] instead.
  • Removed deprecated npm.access option. Set this in package.json instead.

v13 (2020-03-07)

  • Dropped support for Node v8
  • Dropped support for GitLab v11.6 and lower.
  • Deprecated scripts are removed (in favor of hooks).
  • Removed deprecated --non-interactive (-n) argument. Use --ci instead.
  • Removed old %s and [REV_RANGE] syntax in command substitutions. Use ${version} and ${latestTag} instead.

v12 (2019-05-03)

  • The --follow-tags argument for git push has been moved to the default configuration. This is only a breaking change if git.pushArgs was not empty (it was empty by default).

... (truncated)

Commits
  • 2c87983 Release 19.0.4
  • 2195b79 Update dependencies
  • 6fc696f fix: set octokit log to {} instead of null (#1237)
  • 879a2ef Replace lodash.get with custom get() function and add tests (#1231)
  • 183050c Release 19.0.3
  • b792c45 Update dependencies
  • 9c7d2b3 docs(gitlab): update token scope requirements and default secure setting (#1229)
  • 96d8889 Add default timeout (mainly for tests)
  • 1604dc7 Minor housekeeping/formatting
  • fccdf67 chore: use node's spawn instead of tinyexec dep (#1227)
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Aug 27, 2025
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Aug 27, 2025
@mariacarmina
Copy link
Contributor

mariacarmina commented Sep 15, 2025

@dependabot rebase

@dependabot
Bump tmp and release-it
485eac6 
Removes [tmp](https://github.com/raszi/node-tmp). It's no longer used after updating ancestor dependency [release-it](https://github.com/release-it/release-it). These dependencies need to be updated together.


Removes `tmp`

Updates `release-it` from 17.6.0 to 19.0.4
- [Release notes](https://github.com/release-it/release-it/releases)
- [Changelog](https://github.com/release-it/release-it/blob/main/CHANGELOG.md)
- [Commits](release-it/release-it@17.6.0...19.0.4)

---
updated-dependencies:
- dependency-name: tmp
  dependency-version: 
  dependency-type: indirect
- dependency-name: release-it
  dependency-version: 19.0.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-68952614b0 branch from e4d899e to 485eac6 Compare September 15, 2025 12:02
@alexcos20
Copy link
Member

alexcos20 commented Jan 6, 2026

@dependabot rebase

alexcos20
alexcos20 reviewed Jan 6, 2026
View reviewed changes
Copy link
Member

@alexcos20 alexcos20 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI automated code review (Gemini 3).

Overall risk: low

Summary:
This pull request, created by Dependabot, updates the release-it development dependency from version 17.6.0 to 19.0.4. Additionally, the tmp indirect dependency has been removed, as it's no longer required by the updated release-it package. The changes are confined to package.json and package-lock.json.

Comments:
• [INFO][other] The release-it package has undergone a major version bump from 17 to 19. While this is a development dependency, it's essential to verify that any existing release automation scripts or CI/CD configurations that rely on release-it are still compatible with the new version. Please ensure the release workflow functions as expected after this update.
• [INFO][other] The tmp dependency has been removed. This is a positive change, as it reduces the dependency tree and potential attack surface. It's good practice to eliminate unused dependencies.
• [INFO][other] Given the significant changes in package-lock.json due to the major version bump of release-it and the removal of tmp, it would be beneficial to run all standard development checks (e.g., npm install, npm test, npm run lint) to ensure no unexpected regressions have been introduced into the development environment or build process.

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jan 6, 2026

Looks like these dependencies are no longer a dependency, so this is no longer needed.

@dependabot dependabot bot closed this Jan 6, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/multi-68952614b0 branch January 6, 2026 07:59
alexcos20
alexcos20 reviewed Jan 6, 2026
View reviewed changes
Copy link
Member

@alexcos20 alexcos20 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI automated code review (Gemini 3).

Overall risk: low

Summary:
This pull request, initiated by Dependabot, updates the release-it development dependency from version 17.6.0 to 19.0.4. As a result of this update, the tmp dependency is also removed, as it is no longer required by the updated release-it package. The changes are confined to package.json and package-lock.json.

Comments:
• [INFO][other] The release-it package has been updated across major versions (17.x to 19.x). While this is a development dependency, it's good practice to quickly review the changelogs between 17.6.0 and 19.0.4 to ensure no breaking changes in its API or configuration could unexpectedly affect our release process, even if our usage is basic. The Dependabot message mentions reviewing release notes and changelog, which is a good starting point.
• [INFO][other] The removal of the tmp dependency is a positive cleanup, indicating that release-it no longer relies on it. This helps reduce the overall dependency footprint. This change, alongside the release-it update, looks sound for a dependency bump.

alexcos20
alexcos20 reviewed Jan 6, 2026
View reviewed changes
Copy link
Member

@alexcos20 alexcos20 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI automated code review (Gemini 3).

Overall risk: low

Summary:
This pull request, created by Dependabot, updates the release-it development dependency from version ^17.6.0 to ^19.0.4. It also removes the tmp dependency, which was an indirect dependency of release-it and is no longer needed after the update. The changes primarily affect package.json and package-lock.json.

Comments:
• [INFO][other] The release-it dependency is updated across major versions (17.x to 19.x). As this is a development dependency used for release automation, ensure that existing release scripts or CI/CD configurations are compatible with the changes introduced in release-it versions 18 and 19. It's recommended to review the official changelog for any breaking changes that might affect the release workflow.
• [INFO][other] The package-lock.json shows a substantial number of changes due to the release-it major version bump and the removal of the tmp dependency. This is expected behavior for such an update. Ensure that npm install (or equivalent) runs successfully after this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexcos20 alexcos20 alexcos20 left review comments

@bogdanfazakas bogdanfazakas Awaiting requested review from bogdanfazakas bogdanfazakas is a code owner

@mariacarmina mariacarmina Awaiting requested review from mariacarmina

@giurgiur99 giurgiur99 Awaiting requested review from giurgiur99 giurgiur99 is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mariacarmina @alexcos20