Skip to content

chore(deps): bump lodash-es to ^4.18.1 across all frontend workspaces#41774

Merged
hainenber merged 3 commits into
masterfrom
chore/consolidate-lodash-es-4.18.1
Jul 5, 2026
Merged

chore(deps): bump lodash-es to ^4.18.1 across all frontend workspaces#41774
hainenber merged 3 commits into
masterfrom
chore/consolidate-lodash-es-4.18.1

Conversation

@rusackas

@rusackas rusackas commented Jul 5, 2026

Copy link
Copy Markdown
Member

SUMMARY

superset-frontend is an npm-workspaces monorepo with a single shared package-lock.json. Dependabot opened eight separate PRs (#41559, #41560, #41561, #41562, #41563, #41564, #41568, #41569) each bumping lodash-es from ^4.17.21 to ^4.18.1 in one workspace at a time. Every one of them fails CI because bumping the dep in some workspaces while others stay at ^4.17.21 leaves the shared lockfile inconsistent.

This PR does it in one clean pass: it bumps every remaining lodash-es: ^4.17.21 declaration to ^4.18.1 across all 11 workspaces and regenerates the single lockfile so it's internally consistent. It also covers the root superset-frontend package, superset-core, and preset-chart-deckgl, which dependabot didn't open PRs for. superset-ui-core, generator-superset, and docs were already on 4.18.1 and are left untouched.

Supersedes and will close:

TESTING INSTRUCTIONS

Lockfile regenerated with npm install; frontend CI validates install/build.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

Consolidates the per-workspace dependabot bumps (#41559, #41560, #41561, #41562, #41563, #41564, #41568, #41569) into one PR with a single consistent lockfile regen, which the split PRs couldn't achieve. Also covers the root package, superset-core, and preset-chart-deckgl that dependabot missed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dosubot dosubot Bot added dependencies:npm javascript Dependabot - Pull requests that update Javascript code labels Jul 5, 2026
@bito-code-review

bito-code-review Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.70%. Comparing base (8229c01) to head (303a954).

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #41774   +/-   ##
=======================================
  Coverage   64.70%   64.70%           
=======================================
  Files        2686     2686           
  Lines      148626   148626           
  Branches    34298    34298           
=======================================
+ Hits        96164    96171    +7     
+ Misses      50697    50693    -4     
+ Partials     1765     1762    -3     
Flag Coverage Δ
javascript 69.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@hainenber

Copy link
Copy Markdown
Contributor

@rusackas this PR would prevent Dependabot from partially updating common deps like lodash-es that would inevitably fail CI, wasting precious resources.

hainenber added 2 commits July 5, 2026 21:02
Signed-off-by: hainenber <dotronghai96@gmail.com>
Signed-off-by: hainenber <dotronghai96@gmail.com>
@hainenber hainenber merged commit 3303d4e into master Jul 5, 2026
66 checks passed
@hainenber hainenber deleted the chore/consolidate-lodash-es-4.18.1 branch July 5, 2026 14:29
@bito-code-review

Copy link
Copy Markdown
Contributor

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies:npm javascript Dependabot - Pull requests that update Javascript code packages plugins size/S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants