Bump express, typescript, re2, @types/react in pnpm verification test resources #1665

Merged
JamieMagee merged 2 commits into main from fix/update-pnpm-verification-deps, Feb 18, 2026

JamieMagee (Member) commented Feb 18, 2026

Bumps dependencies in both pnpm v5 and v6 verification test fixtures:

  • express 4.17.2 -> 4.22.1
  • typescript 4.5.5 -> 4.9.5
  • @types/react 17.0.38 -> 17.0.91
  • re2 1.17.3 -> 1.23.3

Same dep updates as the npm PR, applied to the pnpm lockfiles.

Copilot AI left a comment

Pull request overview

This PR updates dependencies in pnpm verification test fixtures for both pnpm v5 and v6. The changes ensure that the test resources use newer versions of several npm packages, which helps maintain test relevance and ensures the component detection tooling correctly handles updated dependency graphs.

Changes:

  • Updated 4 dependencies to newer versions: express (4.17.2 → 4.22.1), typescript (4.5.5 → 4.9.5), @types/react (17.0.38 → 17.0.91), and re2 (1.17.3 → 1.23.3)
  • Regenerated pnpm lockfiles for both v5 and v6 formats with corresponding transitive dependency updates

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File: Description
  • test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v5/package.json: Updated dependency versions in package.json for pnpm v5 test fixture
  • test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v5/pnpm-lock.yaml: Regenerated lockfile (format 5.4) with updated dependencies and transitive dependencies
  • test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v6/package.json: Updated dependency versions in package.json for pnpm v6 test fixture
  • test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v6/pnpm-lock.yaml: Regenerated lockfile (format 6.1) with updated dependencies and transitive dependencies

Files not reviewed (2)
  • test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v5/pnpm-lock.yaml: Language not supported
  • test/Microsoft.ComponentDetection.VerificationTests/resources/pnpm/v6/pnpm-lock.yaml: Language not supported

codecov bot commented Feb 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.8%. Comparing base (2ecde67) to head (fbac6fd).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main   #1665   +/-   ##
=====================================
  Coverage   90.8%   90.8%           
=====================================
  Files        451     451           
  Lines      40148   40148           
  Branches    2443    2443           
=====================================
  Hits       36461   36461           
  Misses      3188    3188           
  Partials     499     499           

@github-actions

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

JamieMagee (Member, Author) commented Feb 18, 2026

The snapshot verification failure is expected.

The snapshot-verify workflow downloads the baseline scan output from main (built against the old lockfiles) and compares it to a fresh scan of this PR's updated lockfiles. Since we bumped express, typescript, @types/react, and re2, the transitive dependency trees changed significantly — so the detected component sets no longer match.

Specifically:

  • ~35 packages disappeared from the old dependency trees: @gar/promisify, @npmcli/move-file, aggregate-error, are-we-there-yet, delegates, gauge, humanize-ms, indent-string, inflight, npmlog, once, rimraf, wrappy, etc. These were transitive deps of older express/re2/node-gyp versions.

  • ~25 new packages appeared: @isaacs/fs-minipass, @npmcli/agent, call-bind-apply-helpers, dunder-proto, es-errors, es-object-atoms, fdir, get-intrinsic, gopd, hasown, picomatch, proc-log, side-channel, tinyglobby, etc. These come from the updated dependency trees.

  • Many packages changed versions: accepts 1.3.7→1.3.8, body-parser 1.19.1→1.20.4, cookie 0.4.1→0.7.2, depd 1.1.2→2.0.0, statuses 1.5.0→2.0.2, and so on.

The CheckManifestFiles_ExcludingExperimentalDetectors test catches all of this, and CheckDetectorsRunTimesAndCounts likely flags the different component count too.

This is the same situation as the yarn (#1667), maven (#1661), and nuget (#1663) resource bumps. Once merged, snapshot-publish runs on main and publishes a new baseline that includes these updated lockfiles.
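
The comparison described in the comment above, as an added example that is not part of this PR or of the component-detection code base: it parses pnpm lockfile package keys in the v5 and v6 shapes and sorts the drift between two snapshots into removed, added and version-changed components. The function names, the key shapes listed in the leading comment, and the sample keys are assumptions made for this sketch.

```javascript
// Added example, not project code. Lockfile "packages" key shapes handled:
//   v5 (format 5.4): /name/1.2.3   /@scope/name/1.2.3   /name/1.2.3_peer@4.5.6
//   v6 (format 6.x): /name@1.2.3   /@scope/name@1.2.3   /name@1.2.3(peer@4.5.6)
const V6_KEY = /^\/((?:@[^\/]+\/)?[^\/@]+)@([^(]+)(?:\(.*\))?$/;
const V5_KEY = /^\/((?:@[^\/]+\/)?[^\/@]+)\/([^_]+)(?:_.*)?$/;

// Returns { name, version } with any peer suffix dropped, or null if unrecognized.
function parsePnpmKey(key) {
  const m = V6_KEY.exec(key) || V5_KEY.exec(key);
  return m ? { name: m[1], version: m[2] } : null;
}

// Maps package name -> list of distinct versions (sorted only for stable output).
function indexComponents(keys) {
  const byName = new Map();
  for (const key of keys) {
    const c = parsePnpmKey(key);
    if (!c) throw new Error(`unrecognized lockfile key: ${key}`);
    if (!byName.has(c.name)) byName.set(c.name, new Set());
    byName.get(c.name).add(c.version);
  }
  return new Map([...byName].map(([name, vs]) => [name, [...vs].sort()]));
}

// Classifies drift between the baseline snapshot and a fresh scan.
function diffSnapshots(baselineKeys, freshKeys) {
  const base = indexComponents(baselineKeys);
  const fresh = indexComponents(freshKeys);
  const removed = [...base.keys()].filter((n) => !fresh.has(n)).sort();
  const added = [...fresh.keys()].filter((n) => !base.has(n)).sort();
  const changed = [];
  for (const [name, from] of base) {
    const to = fresh.get(name);
    if (to && from.join() !== to.join()) changed.push({ name, from, to });
  }
  return { removed, added, changed };
}

// Constructed sample keys. Versions of express, cookie, depd and @types/react are
// the ones quoted in the thread; wrappy, hasown and example-peer are illustrative.
const BASELINE = ["/express@4.17.2", "/cookie@0.4.1", "/depd@1.1.2", "/wrappy@1.0.2",
  "/@types/react@17.0.38", "/example-peer@1.0.0(depd@1.1.2)"];
const FRESH = ["/express@4.22.1", "/cookie@0.7.2", "/depd@2.0.0", "/hasown@2.0.2",
  "/example-peer@1.0.0(depd@2.0.0)", "/@types/react@17.0.91"];

console.log(JSON.stringify(diffSnapshots(BASELINE, FRESH), null, 2));
```

Because the peer suffix is dropped, `example-peer` is not reported even though its key text changed; a comparison on raw keys would count it as one removal plus one addition.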

@JamieMagee JamieMagee enabled auto-merge (squash) February 18, 2026 21:31
@JamieMagee JamieMagee merged commit c857e69 into main Feb 18, 2026
25 of 28 checks passed
@JamieMagee JamieMagee deleted the fix/update-pnpm-verification-deps branch February 18, 2026 21:38