
chore(deps): update dependency valibot@>=0.31.0 <1.2.0 to v1.4.2 #1624

Open
renovate[bot] wants to merge 1 commit into main from renovate/valibot-=0.31.0-1.2.0-1.x

renovate Bot commented Jul 2, 2026
Contributor

This PR contains the following updates:

  | Package | Change | Age | Confidence |
  |---------|--------|-----|------------|
  | valibot@>=0.31.0 <1.2.0 (source) | [1.4.1 → 1.4.2](https://renovatebot.com/diffs/npm/valibot@>=0.31.0 <1.2.0/1.4.1/1.4.2) | age | confidence |

Release Notes

open-circle/valibot (valibot@>=0.31.0 <1.2.0)

v1.4.2

Compare Source

Many thanks to @​Faze-up and @​chatman-media for contributing to this release.

  • Fix word count actions to cache the Intl.Segmenter for non-primitive locales, preventing it from being recreated on every words, minWords, maxWords and notWords validation (pull request #​1521)
  • Fix flatten method to handle issue path keys that collide with Object.prototype members like toString instead of throwing a TypeError (pull request #​1522)
  • Fix intersect schema to merge object keys that collide with Object.prototype members like toString instead of failing to merge them (pull request #​1522)

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • Between 09:00 AM and 06:59 PM, Monday through Friday (* 9-18 * * 1-5)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner July 2, 2026 00:41
changeset-bot Bot commented Jul 2, 2026

⚠️ No Changeset found

Latest commit: 4298c58

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

pkg-pr-new Bot commented Jul 2, 2026

Open in StackBlitz

pnpm add https://pkg.pr.new/@tailor-platform/create-sdk@4298c58
pnpm add https://pkg.pr.new/@tailor-platform/sdk@4298c58

commit: 4298c58

github-actions Bot commented Jul 2, 2026

Code Metrics Report (packages/sdk)

  |                    | main (95c52a3) | #1624 (806f557) | +/-  |
  |--------------------|----------------|-----------------|------|
  | Coverage           |          71.2% |           71.2% | 0.0% |
  | Code to Test Ratio |          1:0.4 |           1:0.4 |  0.0 |

Details
  |                    | main (95c52a3) | #1624 (806f557) | +/-  |
  |--------------------|----------------|-----------------|------|
  | Coverage           |          71.2% |           71.2% | 0.0% |
  |   Files            |            428 |             428 |    0 |
  |   Lines            |          15737 |           15737 |    0 |
  |   Covered          |          11211 |           11211 |    0 |
  | Code to Test Ratio |          1:0.4 |           1:0.4 |  0.0 |
  |   Code             |         107004 |          107004 |    0 |
  |   Test             |          48418 |           48418 |    0 |

SDK Configure Bundle Size

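  |                        | main (95c52a3) | #1624 (806f557) | +/- |
  |------------------------|----------------|-----------------|-----|
  | configure-index-size   |        20.32KB |         20.32KB | 0KB |
  | dependency-chunks-size |        47.13KB |         47.13KB | 0KB |
  | total-bundle-size      |        67.45KB |         67.45KB | 0KB |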

Runtime Performance

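  |                    | main (95c52a3) | #1624 (806f557) | +/-    |
  |--------------------|----------------|-----------------|--------|
  | Generate Median    |        2,934ms |         2,916ms |  -18ms |
  | Generate Max       |        3,080ms |         2,937ms | -143ms |
  | Apply Build Median |        2,975ms |         2,967ms |   -8ms |
  | Apply Build Max    |        2,989ms |         2,974ms |  -15ms |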

Type Performance (instantiations)

  |                             | main (95c52a3) | #1624 (806f557) | +/- |
  |-----------------------------|----------------|-----------------|-----|
  | tailordb-basic              |         39,480 |          39,480 |   0 |
  | tailordb-optional           |          4,385 |           4,385 |   0 |
  | tailordb-relation           |          5,103 |           5,103 |   0 |
  | tailordb-validate           |            742 |             742 |   0 |
  | tailordb-hooks              |          5,222 |           5,222 |   0 |
  | tailordb-object             |         12,510 |          12,510 |   0 |
  | tailordb-enum               |          1,450 |           1,450 |   0 |
  | resolver-basic              |          9,272 |           9,272 |   0 |
  | resolver-nested             |         26,139 |          26,139 |   0 |
  | resolver-array              |         18,078 |          18,078 |   0 |
  | executor-schedule           |          4,310 |           4,310 |   0 |
  | executor-webhook            |            949 |             949 |   0 |
  | executor-record             |          5,664 |           5,664 |   0 |
  | executor-resolver           |          4,108 |           4,108 |   0 |
  | executor-operation-function |            937 |             937 |   0 |
  | executor-operation-gql      |            945 |             945 |   0 |
  | executor-operation-webhook  |            956 |             956 |   0 |
  | executor-operation-workflow |          1,785 |           1,785 |   0 |

Reported by octocov

github-actions Bot commented Jul 2, 2026

🤖 Claude Dependency Review

📦 Update Summary

  • Library: valibot
  • Version: 1.4.1 → 1.4.2
  • Change Type: Patch

📝 Release Notes

https://github.com/open-circle/valibot/releases/tag/v1.4.2

🔐 Security Assessment

  • Risk: 🟢 Low
  • Known vulnerabilities: None found in either version. Both 1.4.1 and 1.4.2 are unaffected by CVE-2025-66020 / GHSA-vqpr-j7v3-hqw9 (ReDoS vulnerability in EMOJI_REGEX that affected versions 0.31.0-1.1.0; patched in 1.2.0)
  • Supply-chain notes: No red flags detected. Valibot maintains strong security posture with verified SSH signatures on releases. No suspicious maintainer changes, lifecycle scripts, or abnormal dependencies.

🚨 Breaking Changes

None. This is a patch release with bug fixes only.

✨ Main Changes

Version 1.4.2 includes three bug fixes:

  1. Word Count Actions Performance Fix (PR #1521)
    • Fixed caching issue with Intl.Segmenter for non-primitive locales
    • Previously, the segmenter was being recreated on every validation call for words, minWords, maxWords, and notWords actions
    • Now caches the segmenter, improving performance
  2. Flatten Method Prototype Collision Fix (PR #1522)
    • Fixed TypeError when the flatten method encountered issue path keys that collided with Object.prototype members (e.g., toString)
    • Now properly handles these edge cases without throwing errors
  3. Intersect Schema Merging Fix (PR #1522)
    • Fixed the intersect schema to properly merge object keys that collide with Object.prototype members
    • Previously would fail to merge such keys; now handles them correctly

🔍 Impact Analysis

📁 Usage Locations

No direct usage locations were found.

Context:

  • valibot is not a direct dependency of this project
  • It is an optional peer dependency of @​toiroakr/lines-db@​0.10.0, which is used by the SDK for seed data validation
  • The override in pnpm-workspace.yaml (line 41) pins valibot versions >=0.31.0 <1.2.0 to the latest safe version to prevent installation of versions affected by CVE-2025-66020
  • @​toiroakr/lines-db uses the StandardSchema interface and supports multiple validation libraries (valibot, zod, etc.) as optional peer dependencies

Files referencing @​toiroakr/lines-db:

  1. packages/sdk/package.json
    • Declares @toiroakr/lines-db: 0.10.0 as a dependency
  2. packages/sdk/src/seed/index.ts

        import { LinesDB, ErrorFormatter } from "@toiroakr/lines-db";
        export { defineSchema } from "@toiroakr/lines-db";
        export type { ForeignKeyDefinition, IndexDefinition } from "@toiroakr/lines-db";

    • Feature used: LinesDB for seed data validation
    • Impact: None. The SDK uses lines-db for JSONL seed data validation. Valibot is not directly imported or used by the SDK codebase.
  3. packages/sdk/src/plugin/builtin/seed/lines-db-processor.ts

        import type { ForeignKeyDefinition, IndexDefinition } from "@toiroakr/lines-db";

    • Feature used: Type definitions for schema metadata
    • Impact: None. Only type imports; no runtime dependency on valibot.

✅ Recommended Actions

Merge this PR. This is a routine patch update with bug fixes only:

  • No breaking changes
  • Fixes edge cases that could cause TypeErrors in specific scenarios
  • Improves performance for word count validation actions
  • Both the old and new versions are secure (unaffected by known vulnerabilities)
  • No code changes required in this repository
  • The update maintains the security posture established by the existing override (pinning to versions ≥1.2.0 to avoid the ReDoS vulnerability)
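
The two prototype-collision fixes listed in the review above (flatten and intersect, valibot PR #1522) are instances of a common JavaScript bug class. The sketch below is an added example, not valibot's code and not part of the original comments; `groupFragile`, `groupSafe`, `fragileFailure` and the sample issues are hypothetical stand-ins that assume the failure comes from looking up user-controlled keys on a plain `{}` accumulator.

```javascript
// Added illustration; function names and sample data are hypothetical,
// not taken from valibot. Assumes issues are grouped by their path key.

// Constructed sample: two issues on a field literally named "toString".
const SAMPLE_ISSUES = [
  { key: "toString", message: "Invalid type" },
  { key: "toString", message: "Too short" },
  { key: "email", message: "Invalid email" },
];

// Fragile: a plain {} inherits Object.prototype, so nested["toString"]
// is already a (truthy) function before any issue has been stored.
function groupFragile(issues) {
  const nested = {};
  for (const { key, message } of issues) {
    if (nested[key]) {
      nested[key].push(message); // TypeError: a function has no .push
    } else {
      nested[key] = [message];
    }
  }
  return nested;
}

// Hardened: null-prototype accumulator plus an own-property check, so
// inherited members can never be mistaken for stored entries.
function groupSafe(issues) {
  const nested = Object.create(null);
  for (const { key, message } of issues) {
    if (Object.hasOwn(nested, key)) {
      nested[key].push(message);
    } else {
      nested[key] = [message];
    }
  }
  return nested;
}

// Returns the error name raised by the fragile version, or null.
function fragileFailure(issues) {
  try {
    groupFragile(issues);
    return null;
  } catch (err) {
    return err.name;
  }
}

console.log(fragileFailure(SAMPLE_ISSUES));
console.log(JSON.stringify(groupSafe(SAMPLE_ISSUES)));
```

The same check is worth applying to any code that uses object keys derived from validated input, such as field names in seed data.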
