build(deps): bump lodash-es from 4.17.21 to removed in the npm_and_yarn group across 1 directory#8
Conversation
dependabot
bot
added
dependencies
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/npm_and_yarn-e9508a6d85
branch
from
d21ca49 to
35914df
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| "react-use": "^17.6.0", | ||
| "rxjs": "7.8.2", | ||
| "streamdown": "^1.1.8" | ||
| "streamdown": "^2.1.0" |
There was a problem hiding this comment.
Major version bump removes essential rendering features
High Severity
Upgrading streamdown from ^1.1.8 to ^2.1.0 is a major version bump that removes critical dependencies including shiki (syntax highlighting), katex (LaTeX math), and mermaid (diagrams). The application has CSS specifically targeting Streamdown's code block rendering with [data-code-block] selectors, and tests verify code block functionality. Removing shiki will break syntax highlighting for code blocks that the AI generates, and any math expressions or diagrams will fail silently. The PR description misleadingly focuses on lodash-es removal while obscuring this breaking change.
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/npm_and_yarn-e9508a6d85
branch
4 times, most recently
from
f9f1594 to
3712f97
Compare
| "react-use": "^17.6.0", | ||
| "rxjs": "7.8.2", | ||
| "streamdown": "^1.1.8" | ||
| "streamdown": "^2.1.0" |
There was a problem hiding this comment.
CJK text rendering broken with unwanted spaces
Medium Severity
The streamdown 2.x upgrade removes CJK (Chinese/Japanese/Korean) language processing extensions including micromark-extension-cjk-friendly, remark-cjk-friendly, and get-east-asian-width. These extensions handle line breaks between CJK characters to prevent unwanted spaces in rendered text. Without them, markdown containing line breaks between CJK characters will display extra spaces, breaking text flow and readability for users working with Asian languages in AI responses.
Bumps the npm_and_yarn group with 1 update in the / directory: [lodash-es](https://github.com/lodash/lodash). Removes `lodash-es` --- updated-dependencies: - dependency-name: lodash-es dependency-version: dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/npm_and_yarn-e9508a6d85
branch
from
3712f97 to
3935c06
Compare
Rebasing might not happen immediately, so don't worry if this takes some time.
Note: if you make any changes to this PR yourself, they will take precedence over the rebase.
Bumps the npm_and_yarn group with 1 update in the / directory: lodash-es.
Removes
lodash-esDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Medium risk because this upgrades
streamdownto a new major version, which may change markdown rendering behavior and supported features in chat message display. Changes are dependency-only but touch user-visible content formatting and bundled transitive libraries.Overview
Upgrades
streamdownfrom^1.1.8to^2.1.0(and updates@modelcontextprotocol/sdkto^1.25.1), with correspondingpackage-lock.jsonrefresh.As part of the
streamdownv2 upgrade, the lockfile drops several previously-pulled transitive renderers/parsers (notablymermaid,katex/rehype-katex/remark-math,shiki, andlodash-es) and updates supporting deps likemarked,remend, andtailwind-merge.Written by Cursor Bugbot for commit 3935c06. This will update automatically on new commits. Configure here.