Skip to content

chore(deps): update all non-major dependencies (patch)#2000

Open
shunkakinoki wants to merge 1 commit into
mainfrom
renovate/patch-all-minor-patch
Open

chore(deps): update all non-major dependencies (patch)#2000
shunkakinoki wants to merge 1 commit into
mainfrom
renovate/patch-all-minor-patch

Conversation

@shunkakinoki

@shunkakinoki shunkakinoki commented Jul 6, 2026

Copy link
Copy Markdown
Owner

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@openai/codex-darwin-arm64 (source) 0.142.5-darwin-arm640.142.5 age confidence optionalDependencies patch
@openai/codex-darwin-x64 (source) 0.142.5-darwin-x640.142.5 age confidence optionalDependencies patch
@openai/codex-linux-arm64 (source) 0.142.5-linux-arm640.142.5 age confidence optionalDependencies patch
@openai/codex-linux-x64 (source) 0.142.5-linux-x640.142.5 age confidence optionalDependencies patch
@openai/codex-win32-arm64 (source) 0.142.5-win32-arm640.142.5 age confidence optionalDependencies patch
@openai/codex-win32-x64 (source) 0.142.5-win32-x640.142.5 age confidence optionalDependencies patch
fastapi (changelog) >=0.138.0>=0.138.2 age confidence dependency-groups patch
mistral-vibe >=2.18.0>=2.18.3 age confidence dependency-groups patch 2.18.4
renovatebot/github-action v46.1.16v46.1.17 age confidence action patch v46.1.18
ruff (source, changelog) >=0.15.18>=0.15.20 age confidence dependency-groups patch

Release Notes

fastapi/fastapi (fastapi)

v0.138.2

Compare Source

Refactors
  • ♻️ Make app.frontend() return 404 for methods other than GET or HEAD with no static file matches. PR #​15863 by @​tiangolo.
Internal

v0.138.1

Compare Source

Refactors
Internal
mistralai/mistral-vibe (mistral-vibe)

v2.18.3

Compare Source

Added
  • j/k navigation in selectable lists across the TUI (questions, theme picker, rewind, voice, MCP panels)
  • ask_confirmation_on_exit config option to prompt before quitting
  • Project-level .vibe/config.toml now persists config option changes
Changed
  • Consistent styling and casing for keyboard shortcut hints across the TUI
  • ask_user_question now supports more than 4 options and questions
Fixed
  • No longer prompts to log in for disabled MCP servers
  • Teleport diff no longer mutates the real git index

v2.18.1

Compare Source

Added
  • /mcp add slash command for adding OAuth MCP servers
  • Petit chat animation idle pauses
Changed
  • Bare exit synonyms (exit, quit, :q, :quit) now treated as slash commands instead of prompts
Fixed
  • MCP OAuth login crash when keyring backend is un-loadable
renovatebot/github-action (renovatebot/github-action)

v46.1.17

Compare Source

Documentation
  • update references to renovatebot/github-action to v46.1.16 (fe5fe9b)
Miscellaneous Chores
  • deps: update actions/cache action to v5.1.0 (68d0678)
  • deps: update dependency lint-staged to v17.0.8 (3596cfc)
  • deps: update linters (db46956)
  • deps: update node.js to v24.18.0 (8e54d20)
  • deps: update pnpm to v10.34.4 (d1252f8)
Build System
  • deps: lock file maintenance (732b1ba)
Continuous Integration
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.234.1 (9eec991)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.235.0 (25a2109)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.235.1 (0b81c4e)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.235.2 (b9dd808)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.236.0 (a637622)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.237.0 (27d53a3)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.237.1 (a51e52e)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.239.0 (d472559)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.240.0 (2738a4c)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.241.1 (61f9c07)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.241.5 (fc1a7e3)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.242.0 (279d0b5)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.242.1 (aca194e)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.242.2 (747d234)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.243.0 (cd474ba)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.243.1 (90faa1a)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.243.2 (16cb7c4)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.244.1 (6edf840)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.244.3 (f463e40)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.244.4 (759a191)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.245.0 (7625a0a)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.246.0 (0400fab)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.246.1 (1837166)
astral-sh/ruff (ruff)

v0.15.20

Compare Source

Released on 2026-06-25.

Preview features
  • Allow human-readable names in rule selectors (#​25887)
  • Emit a warning instead of an error for unknown rule selectors (#​26113)
  • Match noqa shebang handling in ruff:ignore comments (#​26286)
  • [ruff] Remove pytest-fixture-autouse (RUF076) (#​26240, #​26371)
Documentation
  • Add versioning sections to custom crate READMEs (#​26317)
  • Update ruff_python_parser README for crates.io (#​26315)
  • [perflint] Clarify that PERF402 applies to any iterable (#​26242)
Contributors

v0.15.19

Compare Source

Released on 2026-06-23.

Preview features
  • Support human-readable names when hovering suppression comments and in code actions (#​26114)
Bug fixes
  • Fall back to default settings when editor-only settings are invalid (#​26244)
  • Fix panic when inserting text at a notebook cell boundary (#​26111)
Rule changes
  • [pylint] Update fix suggestions for __floor__, __trunc__, __length_hint__, and __matmul__ variants (PLC2801) (#​26239)
Performance
  • Avoid allocating when parsing single string literals (#​26200)
  • Avoid reallocating singleton call arguments (#​26223)
  • Lazily create source files for lint diagnostics (#​26226)
  • Optimize formatter text width and indentation (#​26236)
  • Reserve capacity for builtin bindings (#​26229)
  • Skip repeated-key checks for singleton dictionaries (#​26228)
  • Use ArrayVec for qualified name segments (#​26224)
Documentation
  • [flake8-pyi] Note that PYI051 is an opinionated stylistic rule (#​26179)
  • [pyupgrade] Clarify UP029 as a Python 2 compatibility rule (#​26243)
Other changes
  • Publish Ruff crates to crates.io (#​26271)
Contributors

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@shunkakinoki shunkakinoki enabled auto-merge (squash) July 6, 2026 04:27
@indent-zero

indent-zero Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
PR Summary

Renovate PR rebased onto the newer main. Effective diff against the current base is 4 files. Alongside the benign renovate.yml action pin and pyproject.toml floor bumps, this force-push introduces a regression in the @openai/codex-<platform> optional-dep aliases: they were rewritten from real per-platform native tarballs to the platform-agnostic JS meta package, which is redundant with the top-level @openai/codex dep and blew up bun.lock with a 36-entry cross-product of nested overrides. Installs still work on every platform (the real tarballs are still pulled in transitively), but the aliases no longer serve their platform-selection purpose.

  • Bump pinned renovatebot/github-action v46.1.16 \u2192 v46.1.17 in .github/workflows/renovate.yml.
  • Bump pyproject.toml tool floors: mistral-vibe >=2.18.0 \u2192 >=2.18.3 (further than the previous push), ruff >=0.15.18 \u2192 >=0.15.20, fastapi[standard] >=0.138.0 \u2192 >=0.138.2.
  • Rewrite six @openai/codex-<platform> optionalDependencies aliases from npm:@openai/codex@0.142.5-<platform> (real per-platform tarball) to npm:@openai/codex@0.142.5 (JS meta package) in package.json, and regenerate bun.lock accordingly (adds 36 redundant nested-override entries \u2014 see issue).

Issues

1 potential issue found:

  • @openai/codex-<platform> optional-dep aliases were rewritten from npm:@openai/codex@0.142.5-<platform> (the real per-platform native tarballs, gated by os/cpu) to npm:@openai/codex@0.142.5 (the platform-agnostic JS meta package that is already the top-level @openai/codex: ^0.142.5 dep). All six aliases now resolve to the same meta package, defeating their platform-selection purpose and adding a 36-entry @openai/codex-<parent>/@openai/codex-<platform> cross-product to bun.lock (~120 extra lines). Installs still succeed (the real tarballs are pulled in transitively via the meta package's own optionalDependencies), but the six aliases now provide no value beyond the top-level dep. Renovate has known trouble with npm:@pkg@<semver>-<suffix> alias specifiers — either revert the six aliases and add a Renovate packageRules entry that pins them, or drop the six @openai/codex-<platform> entries entirely since the top-level @openai/codex dep already declares all six as its own optionalDependencies. → Autofix
1 issue already resolved
  • @openai/codex runtime/platform-package version drift: package.json bumps "@openai/codex" to ^0.142.3 (Bun resolves it to 0.142.5 in bun.lock), but the platform-specific optional deps are still pinned via npm: aliases to @openai/codex@0.142.5-<platform>. This works today only because the caret happens to resolve to 0.142.5; when Renovate next bumps the top-level above 0.142.5 without also bumping the aliased optional deps, users will get a top-level CLI that doesn't match its native binary. Consider aligning the top-level range and the npm: aliases in the same commit (or letting Renovate group them) so the drift cannot silently widen. (fixed by commit d4824e6)

CI Checks

Two independent infrastructure/network failures, neither of which is caused by this PR (which only touches the pinned renovatebot/github-action tag and three pyproject.toml Python-tool floors):\n\n1. nix-nixos failed while Nix built terraform-1.15.7-go-modules: go: downloading github.com/gogo/protobuf@v1.3.2 returned an HTTP/2 stream error ... INTERNAL_ERROR from proxy.golang.org. That is a transient module-proxy network flake; every downstream home-manager-* / nixos-system-* derivation then cascade-failed. nix-check is only red because nix-nixos is red.\n2. e2e-run (macOS, macos-latest) failed at the same spot as the previous run: nix-build compiling the Rust vector-0.56.0 binary (rustc ... (exit status: 101)), cascading through home-manager-* and darwin-system-*. Same upstream nixpkgs/vector macOS issue as before. e2e-check is only red because e2e-run is.\n\nThe Mesa Description status is neutral, not a hard failure. Retrying the two runs (or waiting for the upstream fixes) is the recommended path; no code change is needed in this PR.

Failing nix-check / nix-nixos
  • nix build of terraform-1.15.7-go-modules.drv failed with a transient Go module-proxy error: go: downloading github.com/gogo/protobuf@v1.3.2 ... stream error; stream ID 679; INTERNAL_ERROR; received from peer (HTTP/2 abort from proxy.golang.org). That knocks over every downstream home-manager-* / nixos-system-* derivation. Nothing in this PR touches Nix, Go, or Terraform — network/proxy flake. Re-run should clear it.
Failing nix-check (aggregator)
  • Only failing because its required child nix-nixos failed on a transient Go module-proxy network error (see above). All other children (nix-darwin, nix-flake, nix-format, nix-lint, nix-linux, nix-test) passed. Will pass once nix-nixos is retried successfully.
Failing e2e-check / e2e-run (macOS, macos-latest)
  • Same upstream nixpkgs macOS build issue as the previous CI cycle: nix-build failed compiling the Rust binary vector (crate vector-0.56.0, bin "vector"), rustc exit status 101, cascading through home-manager-* / darwin-system-* derivations. This PR only touches renovate.yml and pyproject.toml, so it cannot be the cause. Retry or wait for the upstream fix.
Failing e2e-check (aggregator)
  • Only failing because its required child e2e-run (macOS, macos-latest) failed on the upstream vector Rust build issue (see above). Will pass once the child does.
Failing Mesa Description (mesa-dot-dev)
  • Neutral status, not a hard failure. Not caused by this PR.

⚡ Autofix All Issues

@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@shunkakinoki, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 58 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ef8e1ff4-5767-42c9-962a-0c58e6b8c780

📥 Commits

Reviewing files that changed from the base of the PR and between 213475a and 525a05d.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • .github/workflows/renovate.yml
  • package.json
  • pyproject.toml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/patch-all-minor-patch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates various package dependencies across package.json, bun.lock, and pyproject.toml. Notable updates include bumps for @anthropic-ai/claude-code, @github/copilot, @openai/codex, ruff, and fastapi. There are no review comments, so I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread package.json Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

Re-trigger cubic

@shunkakinoki shunkakinoki force-pushed the renovate/patch-all-minor-patch branch from 81017b9 to d4824e6 Compare July 7, 2026 04:20
@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@shunkakinoki shunkakinoki changed the title fix(deps): update all non-major dependencies (patch) chore(deps): update all non-major dependencies (patch) Jul 7, 2026
@shunkakinoki shunkakinoki force-pushed the renovate/patch-all-minor-patch branch from d4824e6 to 525a05d Compare July 8, 2026 04:03
@cursor

cursor Bot commented Jul 8, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@mesa-dot-dev

mesa-dot-dev Bot commented Jul 8, 2026

Copy link
Copy Markdown

Mesa Description

TL;DR

Updated non-major dependencies (fastapi, mistral-vibe, ruff, and renovatebot/github-action) to their latest patch versions.

What changed?

  • .github/workflows/renovate.yml: Bumped renovatebot/github-action workflow version from v46.1.16 to v46.1.17
  • pyproject.toml:
    • Bumped fastapi[standard] requirement from >=0.138.0 to >=0.138.2
    • Bumped mistral-vibe requirement from >=2.18.0 to >=2.18.1
    • Bumped ruff requirement from >=0.15.18 to >=0.15.20

Description generated by Mesa. Update settings

Comment thread package.json
"@openai/codex-linux-x64": "npm:@openai/codex@0.142.5-linux-x64",
"@openai/codex-win32-arm64": "npm:@openai/codex@0.142.5-win32-arm64",
"@openai/codex-win32-x64": "npm:@openai/codex@0.142.5-win32-x64"
"@openai/codex-darwin-arm64": "npm:@openai/codex@0.142.5",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Functional: platform aliases no longer select per-platform tarballs

On main these six entries alias to the real per-platform tarballs:

"@openai/codex-darwin-arm64": "npm:@openai/codex@0.142.5-darwin-arm64",
"@openai/codex-darwin-x64":   "npm:@openai/codex@0.142.5-darwin-x64",
... (etc. per platform)

Those registry entries carry "os"/"cpu" gates, so bun installs only the one matching the host and skips the other five. After this force-push all six aliases point at the same platform-agnostic JS meta package @openai/codex@0.142.5, which is already the top-level @openai/codex: ^0.142.5 dep at line 31 of this file.

Consequences:

  1. The six aliases are redundant with the top-level dep — they no longer eagerly hoist a per-platform native tarball, they just install the same meta wrapper six extra times.
  2. bun.lock picked up a 36-entry cross-product (@openai/codex-<parent>/@openai/codex-<platform> at lines 3827–3885), because each of the six "alias" package entries recursively resolves the same six real platform tarballs as nested overrides.
  3. Installs still succeed on every platform (the real tarballs are pulled in transitively via the meta package's own optionalDependencies), so this is not a broken-install issue, but it wastes install work and lockfile space with no benefit.

Renovate has a known rough edge normalizing npm:@pkg@<semver>-<suffix> alias specifiers — it likely stripped the -<platform> suffix during its version-normalization pass. Two clean fixes:

Option A (keep the aliases, keep them working):

"@openai/codex-darwin-arm64": "npm:@openai/codex@0.142.5-darwin-arm64",
... etc.

And in renovate.json, add a packageRules entry that either pins the six @openai/codex-* packages or disables Renovate for them so it can't rewrite the aliases again.

Option B (drop them entirely):
Just remove all six @openai/codex-<platform> entries. The top-level @openai/codex: ^0.142.5 dep already declares all six as its own optionalDependencies (see bun.lock line 925), so the resulting install shape is identical to Option A with far less lockfile churn.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants