chore(deps): drop unused npm-check-updates devDep to clear tar alerts #1306
mishushakov merged 3 commits into main from
Conversation
Resolves the remaining 6 Dependabot alerts for tar (high). tar@6.2.1 was pulled in transitively via npm-check-updates@16 -> pacote@15 / cacache -> tar@^6. Bumping ncu to v22 (which has no transitive deps) eliminates the tar@6 chain; only tar@7.5.12 remains in the lock, satisfying all advisories.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
PR Summary: Low Risk
Overview: As a result, a large set of lockfile-only transitive packages are removed (notably the older
Reviewed by Cursor Bugbot for commit e54d550.
Package Artifacts: built from 61c0830. Download artifacts from this workflow run.
- JS SDK: `npm install ./e2b-2.19.4-mishushakov-dependabot-alerts.0.tgz`
- CLI: `npm install ./e2b-cli-2.10.2-mishushakov-dependabot-alerts.0.tgz`
- Python SDK: `pip install ./e2b-2.20.3+mishushakov.dependabot.alerts-py3-none-any.whl`
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b0a7bc8ddf
LGTM, devDependency bump to clear tar Dependabot alerts.
Overview
This PR bumps the npm-check-updates devDependency in packages/js-sdk from ^16.14.20 to ^22.0.1 and refreshes pnpm-lock.yaml accordingly. The motivation is to eliminate the transitive tar@6.x chain (pulled in via pacote@15/cacache) that triggered six high-severity Dependabot alerts. The new ncu v22 has zero runtime deps, so the lockfile delta is large but mechanical (removing the entire transitive subtree).
Security risks
None. npm-check-updates is a developer CLI for checking for newer dependency versions — it's not bundled into the published SDK and doesn't run in production code paths. The change is strictly security-positive (removes vulnerable transitive deps from the dev environment).
Level of scrutiny
Low scrutiny appropriate. This is a single-line devDependency version bump in package.json plus the corresponding lockfile churn. There is no logic change, no public API change, and no runtime impact. The author verified engine compatibility (Node 20.19.5 in CI satisfies ncu v22's ^20.19.0 || ^22.12.0 || >=24.0.0), and ran lint/typecheck/format plus tar-related unit tests successfully.
Other factors
The bug hunting system found no issues. The cursor bot also flagged this as low risk. The only nit is the missing changeset, which is expected/correct here since this is a dev-only change with no user-facing version bump.
ncu v22 requires Node ^20.19.0 || ^22.12.0 || >=24, which is stricter than the SDK's declared "node": ">=20" engine. With engine-strict=true in .npmrc, that breaks installs for devs on Node 20.0-20.18. v20.0.2 declares node: >=20.0.0 (matches our floor exactly), still ships with zero transitive deps, and keeps tar@6 out of the lock.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The package was declared in packages/js-sdk/package.json but never invoked - no script, CI workflow, or doc references it. Removing it also drops the transitive tar@6.2.1 chain (via pacote/cacache), which clears the 6 remaining high-severity Dependabot alerts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
## Summary

Adds a patch changeset for the `e2b` JS SDK to cover #1306 (commit bd99b23), which removed the unused `npm-check-updates` devDependency to clear the remaining `tar@6` Dependabot security alerts. The original PR landed without a changeset, so the next release would skip publishing the SDK despite the `package.json` change. This file ensures the dependency cleanup gets a proper patch bump.

## Test plan

- [x] `.changeset/drop-npm-check-updates.md` follows the repo's existing changeset format (frontmatter + summary line)
- [ ] Changesets bot picks up the entry on the PR

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Summary

Resolves the remaining 6 high-severity Dependabot alerts for `tar` on the default branch. `tar@6.2.1` was being pulled in transitively via `npm-check-updates@16 -> pacote@15 / cacache -> tar@^6`, and Dependabot's `<= 7.5.10` ranges include 6.x semver-wise. Since `npm-check-updates` was declared as a `devDependency` but never actually invoked anywhere (no script, CI workflow, or doc references it), removing it entirely is cleaner than bumping it — alerts cleared with zero risk of regression.

After removal, the lock contains only `tar@7.5.12`, which satisfies all six advisories.

Test plan

- `pnpm run lint` (js-sdk + cli)
- `pnpm run typecheck` (js-sdk + cli)
- `pnpm run format` (js-sdk + cli)
- `tests/template/utils`, `tests/template/uploadFile` — 54 tests

🤖 Generated with Claude Code
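The three claims this thread rests on (tar@6 reachable only through npm-check-updates@16 -> pacote -> cacache, the `<= 7.5.10` advisory range covering the 6.x line semver-wise, and the ncu v22 engines constraint raised in the follow-up commit) can be checked mechanically against the lockfile rather than by eye. The script below is an added example, not code from the e2b repository or this PR. It works on a constructed pnpm-lock.yaml v9-style excerpt (the `example-build-tool` package in it is invented to give `tar@7.5.12` a legitimate parent), and it carries a minimal semver matcher of its own instead of depending on the `semver` package so that it runs with nothing but Node.

```javascript
// Added example, not code from the e2b repo or this PR: find tar versions inside Dependabot's
// advisory range in a pnpm lock, trace which importer root pulls them in, simulate dropping
// that root, and test a Node version against ncu v22's engines range.
// LOCK is a constructed v9-style excerpt; example-build-tool is an invented package.
const LOCK = `
importers:
  packages/js-sdk:
    devDependencies:
      example-build-tool:
        specifier: ^1.0.0
        version: 1.0.0
      npm-check-updates:
        specifier: ^16.14.20
        version: 16.14.20
snapshots:
  cacache@17.1.4:
    dependencies:
      tar: 6.2.1
  example-build-tool@1.0.0:
    dependencies:
      tar: 7.5.12
  npm-check-updates@16.14.20:
    dependencies:
      pacote: 15.2.0
  pacote@15.2.0:
    dependencies:
      cacache: 17.1.4
  tar@6.2.1: {}
  tar@7.5.12: {}
`;
const TAR_ADVISORY_RANGE = '<= 7.5.10';                     // range quoted in the PR thread
const NCU_V22_ENGINES = '^20.19.0 || ^22.12.0 || >=24.0.0'; // engines quoted in the PR thread

// Minimal semver (no prerelease tags): '||' alternatives, comparators ^ ~ >= <= > < =.
const parseVer = (s) => {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(s);
  if (!m) throw new Error('unsupported version: ' + s);
  return [+m[1], +m[2], +m[3]];
};
const cmp = (a, b) => { for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1; return 0; };
function satisfies(version, range) {
  const v = parseVer(version);
  return range.replace(/([<>=~^]+)\s+/g, '$1').split('||').some((alt) =>
    alt.trim().split(/\s+/).every((c) => {
      const m = /^(\^|~|>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})$/.exec(c);
      if (!m) throw new Error('unsupported comparator: ' + c);
      const f = m[2].split('.').map(Number);
      while (f.length < 3) f.push(0); // '>=24' means '>=24.0.0'
      const d = cmp(v, f);
      return { '>=': d >= 0, '<=': d <= 0, '>': d > 0, '<': d < 0, '=': d === 0,
        '~': d >= 0 && v[0] === f[0] && v[1] === f[1],
        '^': d >= 0 && (f[0] !== 0 ? v[0] === f[0] : v[1] === f[1]) }[m[1] || '='];
    }));
}

// One pass over the lock: roots from importers:, edges from snapshots:. Peer suffixes "(x@1)" are stripped.
function parseLock(text) {
  const roots = [], graph = new Map(), strip = (s) => s.replace(/\(.*$/, '');
  let section = null, name = null, node = null, inDeps = false, m;
  for (const line of text.split('\n')) {
    if ((m = /^(\w+):/.exec(line))) { section = m[1]; continue; }
    if (section === 'importers') {
      if ((m = /^      ([^\s:]+):$/.exec(line))) name = m[1];
      else if (name && (m = /^        version: (\S+)/.exec(line))) { roots.push(`${name}@${strip(m[1])}`); name = null; }
    } else if (section === 'snapshots') {
      if ((m = /^  (\S+?):/.exec(line))) { node = strip(m[1]); graph.set(node, []); inDeps = false; }
      else if (/^    (dependencies|optionalDependencies):/.test(line)) inDeps = true;
      else if (/^    \S/.test(line)) inDeps = false;
      else if (inDeps && (m = /^      ([^\s:]+): (\S+)/.exec(line))) graph.get(node).push(`${m[1]}@${strip(m[2])}`);
    }
  }
  return { roots, graph };
}

// tar versions reachable from the importer roots that fall inside the advisory range;
// dropRoots simulates removing a devDependency before pnpm prunes the lock.
function vulnerableTarVersions(text, dropRoots = []) {
  const { roots, graph } = parseLock(text), seen = new Set();
  const stack = roots.filter((r) => !dropRoots.includes(r.replace(/@[^@]*$/, '')));
  while (stack.length) {
    const n = stack.pop();
    if (!seen.has(n)) { seen.add(n); stack.push(...(graph.get(n) || [])); }
  }
  return [...seen].filter((n) => n.startsWith('tar@') && satisfies(n.slice(4), TAR_ADVISORY_RANGE)).map((n) => n.slice(4));
}
// Every simple path from a root to a package named `target`, as "a@1 -> b@2" strings.
function chainsTo(text, target) {
  const { roots, graph } = parseLock(text), chains = [];
  const walk = (n, path) => {
    if (path.includes(n)) return; // cycle guard
    const next = [...path, n];
    if (n.startsWith(target + '@')) chains.push(next.join(' -> '));
    for (const dep of graph.get(n) || []) walk(dep, next);
  };
  for (const root of roots) walk(root, []);
  return chains.sort();
}

console.log('vulnerable tar before:', vulnerableTarVersions(LOCK));
console.log('chains to tar:', chainsTo(LOCK, 'tar'));
console.log('vulnerable tar after dropping ncu:', vulnerableTarVersions(LOCK, ['npm-check-updates']));
console.log('ncu v22 engines: Node 20.19.5 ->', satisfies('20.19.5', NCU_V22_ENGINES), '| Node 20.18.0 ->', satisfies('20.18.0', NCU_V22_ENGINES));
```

Run it against a real `pnpm-lock.yaml` by replacing `LOCK` with `fs.readFileSync(path, 'utf8')`; the reachability pass is what matters, because a snapshot that still appears in the file but is no longer reachable from any importer is pruned on the next install, whereas one reachable through a second root would survive the removal of npm-check-updates alone. The engines check is the same comparison pnpm makes under `engine-strict=true`, which is why a floor of Node 20.0 fails against `^20.19.0`.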