chore: Apply dependabot upgrades from dependabotchanges (ADO #41266)#218
Open
Shreyas-Microsoft wants to merge 13 commits into
Open
chore: Apply dependabot upgrades from dependabotchanges (ADO #41266)#218Shreyas-Microsoft wants to merge 13 commits into
Shreyas-Microsoft wants to merge 13 commits into
Conversation
Equivalent of #167. Applied as direct version bumps because the dependabot branch diverged heavily from main+dev. - actions/checkout v4 -> v6 - actions/setup-python v5 -> v6 - actions/upload-artifact v4 -> v7 - actions/stale v9 -> v10 - docker/setup-buildx-action v3 -> v4 - docker/build-push-action v6 -> v7 - codfish/semantic-release-action v3 -> v5 - amannn/action-semantic-pull-request v5 -> v6 - lycheeverse/lychee-action v2.4.1 -> v2.8.0 - tj-actions/changed-files v46 -> v47.0.5 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…for ADO #41266 Equivalent of #168. pyproject.toml versions bumped to dependabot recommendations and uv.lock regenerated via 'uv lock --upgrade'. - aiofiles 24.1.0 -> 25.1.0 - azure-ai-agents 1.2.0b3 -> 1.2.0b6 - azure-appconfiguration 1.7.1 -> 1.8.0 - azure-identity 1.25.0 -> 1.25.3 - azure-monitor-opentelemetry 1.7.0 -> 1.8.7 - azure-search-documents 11.6.0b12 -> 11.7.0b2 - azure-storage-blob 12.26.0 -> 12.28.0 - azure-storage-queue 12.13.0 -> 12.15.0 - fastapi[standard] 0.116.1 -> 0.135.3 - pydantic-settings 2.10.1 -> 2.13.1 - sas-cosmosdb 0.1.4 -> 0.1.5 - semantic-kernel[azure] 1.40.0 -> 1.41.1 - uvicorn 0.35.0 -> 0.42.0 Validation: all 13 upgraded modules import cleanly. Existing src/tests suite has pre-existing broken imports (libs/, routers/ missing in src/) on main and dev unrelated to this upgrade. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… for ADO #41266 Equivalent of #214. pyproject.toml versions bumped and uv.lock regenerated via 'uv lock --upgrade'. Applied: - aiohttp 3.13.3 -> 3.13.5 - azure-ai-projects 2.0.0b3 -> 2.1.0 - azure-appconfiguration 1.7.2 -> 1.8.0 - fastmcp 2.14.5 -> 3.2.4 (major bump, API-compatible) - mcp 1.25.0 -> 1.27.0 - openai 2.15.0 -> 2.33.0 - psutil 7.2.1 -> 7.2.2 - pytz 2025.2 -> 2026.1.post1 - sas-cosmosdb 0.1.4 -> 0.1.5 Skipped (with rationale): - azure-ai-agents 1.2.0b6: blocked by agent-framework==1.0.0b260107 which pins azure-ai-agents==1.2.0b5 (kept current pin). - azure-identity 1.25.3: current pin (1.26.0b1) is newer than dependabot target. - azure-storage-queue 12.15.0: already at target. - semantic-kernel 1.41.3: not present in processor (removed from main+dev, replaced by agent-framework). Validation: fastmcp v3 'from fastmcp import FastMCP' API still works, all 4 processor mcp_server modules import successfully under v3. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…n src/frontend for ADO #41266 Equivalent of #169, partial. This commit covers ONLY the minor/patch bumps. Major version bumps (React 18->19, MSAL 4->5, vite 6->8, tailwindcss 3->4, eslint 9->10, uuid 11->13, etc.) are intentionally deferred for explicit per-package review per AC-4. Applied (minor/patch): - @fluentui/react ^8.122.9 -> ^8.125.5 - @fluentui/react-components ^9.56.7 -> ^9.73.7 - @fluentui/react-file-type-icons ^8.12.7 -> ^8.17.0 - @fluentui/react-icons ^2.0.270 -> ^2.0.323 - @reduxjs/toolkit ^2.2.7 -> ^2.11.2 - @tailwindcss/vite ^4.0.0 -> ^4.2.2 - autoprefixer ^10.4.20 -> ^10.4.27 - postcss ^8.5.0 -> ^8.5.8 - react-icons ^5.5.0 -> ^5.6.0 - react-router-dom ^7.13.1 -> ^7.13.2 - sql-formatter ^15.4.11 -> ^15.7.3 - rollup-plugin-dts ^6.1.1 -> ^6.4.1 - eslint-plugin-react ^7.37.2 -> ^7.37.5 - rollup ^4.59.0 -> ^4.60.1 Validation: 'npm install' clean, 'npm run build' clean (vite production build OK). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Applied 20 major version bumps from dependabot PR #169: - React 18 -> 19 (react, react-dom, @types/react, @types/react-dom) - @azure/msal-browser, @azure/msal-react 4 -> 5 - vite 6 -> 8 - tailwindcss 3 -> 4 (added @tailwindcss/postcss; updated postcss.config.js) - uuid 11 -> 13 - Plus other minor majors (recharts, react-router-dom, etc.) Skipped/reverted with rationale: - eslint kept at ^9.39.4 (eslint-plugin-react@7.37.5 and eslint-plugin-react-hooks@7.1.1 peer-cap at eslint ^9; no plugins compatible with eslint 10 yet) - @eslint/js kept at ^9 to match eslint - axios kept at 1.15.0 (newer than dependabot target 1.14.0) - js-yaml, lottie-react, react-markdown already at target versions Validation: npm install succeeded; npm run build succeeded (with expected fluentui peer-dep warnings around React 19; build output is clean). Refs ADO #41266 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
requested review from
Avijit-Microsoft,
Dongbumlee,
Prajwal-Microsoft,
Roopan-Microsoft,
Vinay-Microsoft,
aniaroramsft,
dgp10801,
nchandhi,
sethsteenken and
toherman-msft
as code owners
Shreyas-Microsoft
had a problem deploying
to
production
GitHub Actions
Error
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Coverage Report •
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR consolidates multiple Dependabot upgrades (GitHub Actions, Python/uv dependencies for backend-api and processor, and npm dependencies for frontend) into a single branch intended to be validated and merged.
Changes:
- Updates GitHub Actions used across CI/CD workflows (checkout/setup-python/upload-artifact/buildx/build-push/etc.).
- Refreshes Python dependency pins for
src/backend-apiandsrc/processor(includingfastmcpv2→v3 for processor) and updates thesrc/processor/uv.lock. - Updates the frontend toolchain and libraries (React 18→19, Vite 6→8, Tailwind 3→4, MSAL 4→5) and adjusts PostCSS config for Tailwind v4.
Reviewed changes
Copilot reviewed 20 out of 23 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
src/processor/uv.lock |
Updates the processor’s locked Python dependency graph (including fastmcp v3 and related transitive changes). |
src/processor/pyproject.toml |
Bumps pinned processor runtime dependencies to match refreshed lockfile. |
src/frontend/postcss.config.js |
Switches PostCSS Tailwind plugin to @tailwindcss/postcss for Tailwind v4. |
src/frontend/package.json |
Major/minor npm dependency upgrades across React/MSAL/Vite/Tailwind and related tooling. |
src/backend-api/pyproject.toml |
Bumps pinned backend-api Python dependencies (FastAPI, Azure SDKs, uvicorn, etc.). |
.github/workflows/validate-bicep-params.yml |
Updates GitHub Action versions used in bicep param validation. |
.github/workflows/test.yml |
Updates checkout action version. |
.github/workflows/stale-bot.yml |
Updates actions used by stale/branch cleanup automation. |
.github/workflows/pylint.yml |
Updates checkout/setup-python action versions. |
.github/workflows/pr-title-checker.yml |
Updates semantic PR title check action version. |
.github/workflows/job-docker-build.yml |
Updates Docker-related actions and disables provenance in build-push steps. |
.github/workflows/job-deploy.yml |
Updates checkout action version. |
.github/workflows/job-deploy-windows.yml |
Updates checkout action version. |
.github/workflows/job-deploy-linux.yml |
Updates checkout action version. |
.github/workflows/job-cleanup-deployment.yml |
Updates checkout action version. |
.github/workflows/docker-build-and-push.yml |
Updates Docker-related actions and disables provenance in build-push steps. |
.github/workflows/Create-Release..yml |
Updates checkout + semantic-release action versions (but currently has an event/ref mismatch). |
.github/workflows/ci.yml |
Updates checkout action version. |
.github/workflows/broken-links-checker.yml |
Updates changed-files + lychee action versions. |
.github/workflows/azure-dev.yml |
Updates checkout action version. |
.github/workflows/azd-template-validation.yml |
Updates checkout action version. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
changed the title
- Fix lottie-react double-default CJS interop in processPage and progressModal - Fix highlight.js language registration with unwrap helper for rolldown - Remove sql-formatter and sql language registration - Switch Dockerfile build stage to node:20-slim (rolldown needs Node >=20.19) - Use npm ci instead of npm install in Dockerfile - Revert react-syntax-highlighter to v15.6.1 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keep our dependabot package versions, take dev code changes. Reapplied lottie-react unwrap fix and kept sql-formatter removed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
had a problem deploying
to
production
GitHub Actions
Failure
Resolve conflicts with origin/dev (ADO #41266): - backend-api/pyproject.toml: restore python-dotenv==1.2.2 pin; bump python-multipart 0.0.22 -> 0.0.27; bump urllib3 2.6.3 -> 2.7.0; add requests==2.33.0, werkzeug==3.1.4, pygments==2.20.0 to override-deps - processor/pyproject.toml: bump pytest 9.0.2 -> 9.0.3 - frontend/package.json: keep lucide-react ^1.7.0; bump mermaid ^11.13.0 -> ^11.15.0; bump uuid ^13.0.0 -> ^14.0.0 - .github/workflows/test.yml: keep actions/checkout@v6 + setup-python@v6 bumps; align processor_tests job to same versions - regenerated uv.lock and package-lock.json Validated: npm run build succeeds; uv lock resolves cleanly for both backend-api (156 packages) and processor (202 packages). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
had a problem deploying
to
production
GitHub Actions
Failure
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Processor Coverage Report •
|
Shreyas-Microsoft
had a problem deploying
to
production
GitHub Actions
Failure
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Previous --legacy-peer-deps regen omitted typescript@6.0.3 (peer dep of rollup-plugin-dts) from the lockfile, causing `npm ci` to fail inside the frontend Dockerfile with "Missing: typescript@6.0.3 from lock file". Regenerated with --include=peer so all peer deps are pinned and CI's build-and-push (ContentProcessorWeb) succeeds. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
- Create-Release..yml: drop misleading ref override on push trigger (github.event.workflow_run.head_sha is empty on push events; let actions/checkout default to the pushed SHA) - batchView.tsx: register SQL language for the Light SyntaxHighlighter so getFileLanguageAndType()='sql' renders correctly - modernizationPage.tsx: register SQL language for the Light SyntaxHighlighter so translated SQL is highlighted instead of potentially erroring on the unregistered language - processPage.tsx: fix comment typo (missing space before hyphen) - package.json: declare highlight.js as a direct dependency since the Light highlighter imports highlight.js/lib/languages/* directly; pinned to ^10.7.3 to match the version already resolved transitively via react-syntax-highlighter Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
Applies all 4 open dependabot PRs (#167, #168, #169, #214) into a single validated branch, on top of a down-merge of
mainanddevintodependabotchanges.Refs ADO work item #41266.
Commits
mainintodependabotchangesdevbackend-apibumps (uv lock refreshed)processorbumps (uv lock refreshed)Validation
fastmcpv2->v3 API verified across 4mcp_servermodulesnpm install+npm run buildsucceeded (exit 0)Skipped with rationale
azure-ai-agents@1.2.0b6(processor) -agent-framework==1.0.0b260107pins b5azure-identity@1.25.3(processor) - current 1.26.0b1 is already newereslint@10+@eslint/js@10-eslint-plugin-react@7.37.5andeslint-plugin-react-hooks@7.1.1peer-cap at eslint ^9; no compatible plugins yetaxios@1.14.0- current 1.15.0 already newerjs-yaml/lottie-react/react-markdown- already at targetNotable major bumps in PR #169
@types/react,react-dom)@azure/msal-browser/@azure/msal-react4 -> 5vite6 -> 8tailwindcss3 -> 4 (added@tailwindcss/postcss, updatedpostcss.config.js)uuid11 -> 13Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
What to Check
Verify that the following are valid
Other Information