chore(deps): bump dotenv from 16.6.1 to 17.4.2 in /agent-sdk #76
dependabot[bot] wants to merge 1 commit into
Labels
The following labels could not be found: Please fix the above issues or remove invalid values from
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
| "@x402/evm": "^2.12.0", | ||
| "@x402/fetch": "^2.12.0", | ||
| "dotenv": "^16.5.0", | ||
| "dotenv": "^17.4.2", |
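Review bot: nothing on the page shows that the breaking changes behind the `"dotenv": "^17.4.2"` line were reviewed. The commit message classifies this as a semver-major update to a direct production dependency, and the changelog excerpt in the PR body is truncated. Before merging, read the changelog entries between 16.6.1 and 17.4.2, record in the PR which of them affect the `import "dotenv/config"` entry points, and commit the regenerated `pnpm-lock.yaml` together with this line.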
🔴 Lockfile not updated after major version bump — package.json and pnpm-lock.yaml are inconsistent
The package.json specifier was changed to "dotenv": "^17.4.2" but agent-sdk/pnpm-lock.yaml:20-22 still contains the old specifier ^16.5.0 resolving to 16.6.1. Version 16.6.1 cannot satisfy ^17.4.2 (semver major mismatch), so the lockfile is broken. Running pnpm install --frozen-lockfile (as CI typically does) will fail because the lockfile doesn't match package.json. This also violates the AGENTS.md mandatory pre-commit rule to run pnpm install and pnpm check:repo-safety before committing, and the repository's requirement to remain "reproducible in CI".
Prompt for agents
The pnpm-lock.yaml in agent-sdk/ was not regenerated after the dotenv version bump from ^16.5.0 to ^17.4.2. The lockfile still references dotenv@16.6.1 with specifier ^16.5.0, which is inconsistent with the new package.json. To fix: run `cd agent-sdk && pnpm install` to regenerate the lockfile with the correct resolved version of dotenv 17.x. If dotenv 17.x does not exist on npm, the specifier itself is wrong and should be corrected to a version that actually exists. The updated pnpm-lock.yaml must be committed alongside the package.json change.
Was this helpful? React with 👍 or 👎 to provide feedback.
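The inconsistency described in the comment above can be checked mechanically. The following is an added example, not code from this PR, the repository or the reviewing bot: it compares `package.json` ranges with the root importer's `specifier`/`version` pairs in a pnpm lockfile. The function names, the lockfile layout and the sample inputs are assumptions constructed for illustration.

```javascript
// Constructed inputs mirroring the reviewed state (lockfileVersion, @x402/evm version assumed).
const PACKAGE_JSON = `{"dependencies": {"@x402/evm": "^2.12.0", "dotenv": "^17.4.2"}}`;
const PNPM_LOCK = `lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@x402/evm':
        specifier: ^2.12.0
        version: 2.12.0
      dotenv:
        specifier: ^16.5.0
        version: 16.6.1
`;
// Hypothetical helper: reads only importers -> "." -> dependencies by indentation (not a YAML parser).
function readLockedDeps(lockText) {
  const deps = {};
  let section = "", inRoot = false, inDeps = false, name = null;
  for (const line of lockText.split("\n")) {
    const indent = line.search(/\S/), text = line.trim();
    if (indent === 0) { section = text; inRoot = inDeps = false; }
    else if (indent === 2) { inRoot = section === "importers:" && text === ".:"; inDeps = false; }
    else if (indent === 4) inDeps = inRoot && text === "dependencies:";
    else if (indent === 6 && inDeps) deps[(name = text.slice(0, -1).replace(/^'|'$/g, ""))] = {};
    else if (indent === 8 && inDeps && name) {
      const [key, value = ""] = text.split(": ");
      deps[name][key] = value.split("(")[0]; // drop a peer suffix such as 1.2.3(react@18)
    }
  }
  return deps;
}

// Plain caret ranges only (^x.y.z, no prerelease tags): the leftmost non-zero part must match.
function satisfiesCaret(version, range) {
  const want = range.slice(1).split(".").map(Number), have = version.split(".").map(Number);
  const lead = want.findIndex((n) => n !== 0), fixed = lead < 0 ? 2 : lead;
  for (let i = 0; i < 3; i++) {
    if (have[i] !== want[i]) return i > fixed && have[i] > want[i];
  }
  return true;
}

// One record per dependency whose lockfile specifier differs from package.json.
function findDrift(pkgText, lockText) {
  const locked = readLockedDeps(lockText);
  return Object.entries(JSON.parse(pkgText).dependencies || {})
    .filter(([name, range]) => !locked[name] || locked[name].specifier !== range)
    .map(([name, range]) => ({ name, wanted: range, ...locked[name], lockedVersionFits:
      range.startsWith("^") && !!locked[name] && satisfiesCaret(locked[name].version, range) }));
}
console.log(findDrift(PACKAGE_JSON, PNPM_LOCK));
```

For the constructed inputs it reports `dotenv` with the stale specifier `^16.5.0` and a locked version that does not fit `^17.4.2`; `pnpm install --frozen-lockfile`, as named in the comment, remains the authoritative check in CI.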
| "@x402/evm": "^2.12.0", | ||
| "@x402/fetch": "^2.12.0", | ||
| "dotenv": "^16.5.0", | ||
| "dotenv": "^17.4.2", |
🚩 Major version bump (16→17) may introduce breaking changes to dotenv/config import
Both agent-sdk/agentSimulator.js:1 and agent-sdk/payVendor.js:1 use import "dotenv/config" which is the standard side-effect import pattern for dotenv. A major version bump (16→17) could potentially change the module's export structure or behavior (e.g., how .env files are located, encoding handling, or subpath exports). Since the lockfile wasn't updated and tests weren't run, there's no evidence this was verified to work. If dotenv v17 removed or renamed the dotenv/config subpath export, both scripts would fail at import time.
Was this helpful? React with 👍 or 👎 to provide feedback.
Deploying with
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | mandate402 | 122a691 | Commit Preview URL Branch Preview URL | May 26 2026, 08:54 AM |
@dependabot rebase
Bumps [dotenv](https://github.com/motdotla/dotenv) from 16.6.1 to 17.4.2.
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v16.6.1...v17.4.2)
---
updated-dependencies:
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
6da57fe to 122a691
Bumps dotenv from 16.6.1 to 17.4.2.
Changelog
Sourced from dotenv's changelog.
... (truncated)
Commits
- f116f70 17.4.2
- 3a81612 fix visual order of faq
- 13f55a8 Merge branch 'skill'
- 4bbbf73 reorganize faq
- c3da64b Merge pull request #1009 from motdotla/skill
- 6f743b1 update source
- fc2c624 update skill
- 972315b Tighten up skill
- 2795fce reorganize faq
- d5495d4 adjust skill