Skip to content

chore(deps): update tutorial validation dependencies#100

Open
deniswsrosa wants to merge 1 commit into
mainfrom
chore/dependency-update-20260706-t-fa1387da
Open

chore(deps): update tutorial validation dependencies#100
deniswsrosa wants to merge 1 commit into
mainfrom
chore/dependency-update-20260706-t-fa1387da

Conversation

@deniswsrosa

Copy link
Copy Markdown

Summary

Updates direct npm dependencies used by the tutorial validation tooling:

  • cheerio from ^1.1.2 to ^1.2.0
  • js-yaml from ^4.1.0 to ^5.2.1
  • marked from ^17.0.1 to ^18.0.5
  • Regenerates package-lock.json with npm using the existing package manager

Linked Hermes Kanban task: t_fa1387da

Updated dependencies

Ecosystem Dependency Previous Updated Type Notes
npm cheerio ^1.1.2 ^1.2.0 dependency Latest stable; requires Node >=20.18.1, compatible with CI Node 22
npm js-yaml ^4.1.0 ^5.2.1 dependency Latest stable
npm marked ^17.0.1 ^18.0.5 dependency Latest stable; requires Node >=20, compatible with CI Node 22

Skipped / constraint-limited dependencies

Dependency Current Latest Reason
chalk 4.1.2 5.6.2 Skipped because chalk@5 is ESM-only (type: module) while the validation scripts currently use CommonJS require('chalk').
fs 0.0.1-security 0.0.1-security Already current.
path 0.12.7 0.12.7 Already current.

Validation

Commands run locally on Node v22.23.1 and npm 10.9.8:

npm install
npm ci
npm run test:frontmatter
npm outdated --json

Outcomes:

Check Result Notes
Install / lockfile regeneration Passed npm install completed; 38 packages audited; 0 vulnerabilities reported by npm audit.
Clean CI-style install Passed npm ci completed successfully.
Frontmatter validation Passed npm run test:frontmatter completed with Test Completed: SUCCESS.
Generic npm test Not applicable Existing package script is the npm placeholder echo "Error: no test specified" && exit 1; repository CI uses npm run test:frontmatter directly.
Browser evidence Not applicable This repository change only affects validation tooling dependencies for markdown/tutorial content; no runnable web surface was changed.
Swagger/OpenAPI evidence Not applicable No API surface is built or changed by this repository update.

Risk notes

  • cheerio and marked both require modern Node versions; the repository workflow already runs Node 22.
  • marked is a major-version update. The existing require('marked') usage was validated by npm run test:frontmatter after the update.
  • chalk@5 was intentionally not updated because it would require an ESM migration in the current CommonJS test script.

Rollback

Revert this PR to restore the previous package.json and package-lock.json dependency versions.

@deniswsrosa
deniswsrosa requested a review from a team as a code owner July 6, 2026 18:27

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates several dependencies in package.json and package-lock.json, including cheerio, js-yaml, and marked. The reviewer identified a potential issue with upgrading js-yaml to v5.x, as it introduces a breaking change where yaml.load() throws an exception on empty or whitespace-only sources, which could crash the validation script. Reverting js-yaml to ^4.1.0 or adding a guard is recommended.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread package.json
"fs": "^0.0.1-security",
"js-yaml": "^4.1.0",
"marked": "^17.0.1",
"js-yaml": "^5.2.1",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Upgrading js-yaml to v5.x introduces a breaking change where yaml.load() throws a YAMLException when parsing empty or whitespace-only sources (whereas v4.x safely returned undefined or null).

In utils/extract_frontmatter_from_tutorial.js, the extractFrontmatterFromContent function passes the extracted frontmatter match directly to yaml.load(match[1]). If a markdown file contains empty frontmatter (e.g., --- followed immediately by ---), match[1] will be an empty string "". Under js-yaml v5.x, this will throw an exception and crash the validation script (test-markdown-frontmatter.js).

To prevent this, either revert to js-yaml ^4.1.0 or update utils/extract_frontmatter_from_tutorial.js to guard against empty/whitespace-only frontmatter before calling yaml.load().

Suggested change
"js-yaml": "^5.2.1",
"js-yaml": "^4.1.0",

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant