From 5d6581b3a25258a54785a8f3f16241ca1cd41ed0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 06:16:44 +0000 Subject: [PATCH 1/4] chore(deps): bump elysia from 1.4.18 to 1.4.27 in /agent-service Bumps [elysia](https://github.com/elysiajs/elysia) from 1.4.18 to 1.4.27. - [Release notes](https://github.com/elysiajs/elysia/releases) - [Changelog](https://github.com/elysiajs/elysia/blob/main/CHANGELOG.md) - [Commits](https://github.com/elysiajs/elysia/compare/1.4.18...1.4.27) --- updated-dependencies: - dependency-name: elysia dependency-version: 1.4.27 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- agent-service/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent-service/package.json b/agent-service/package.json index 608981e0a45..e4df180483a 100644 --- a/agent-service/package.json +++ b/agent-service/package.json @@ -20,7 +20,7 @@ "ai": "5.0.108", "ajv": "8.10.0", "dagre": "0.8.5", - "elysia": "1.4.18", + "elysia": "1.4.27", "pino": "10.3.1", "rxjs": "7.8.2", "zod": "3.25.76" From 88ea34b1290efa424b313bf6f5da94dbdd1bb2a0 Mon Sep 17 00:00:00 2001 From: Xinyuan Lin Date: Tue, 5 May 2026 23:30:03 -0700 Subject: [PATCH 2/4] chore(deps): refresh bun.lock for elysia 1.4.27 Dependabot opened this PR via the npm_and_yarn ecosystem, which leaves bun.lock untouched. CI's `bun install --production --frozen-lockfile` therefore failed with "lockfile had changes, but lockfile is frozen". Regenerated bun.lock so the resolved elysia matches package.json (1.4.27) and the transitive exact-mirror peer (0.2.5 -> 0.2.7) tracks elysia 1.4.23's changelog. --- agent-service/bun.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/agent-service/bun.lock b/agent-service/bun.lock index 8a1953f46b2..1b4f9f59a68 100644 --- a/agent-service/bun.lock +++ b/agent-service/bun.lock @@ -10,7 +10,7 @@ "ai": "5.0.108", "ajv": "8.10.0", "dagre": "0.8.5", - "elysia": "1.4.18", + "elysia": "1.4.27", "pino": "10.3.1", "rxjs": "7.8.2", "zod": "3.25.76", @@ -128,7 +128,7 @@ "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="], - "elysia": ["elysia@1.4.18", "", { "dependencies": { "cookie": "^1.1.1", "exact-mirror": "0.2.5", "fast-decode-uri-component": "^1.0.1", "memoirist": "^0.4.0" }, "peerDependencies": { "@sinclair/typebox": ">= 0.34.0 < 1", "@types/bun": ">= 1.2.0", "file-type": ">= 20.0.0", "openapi-types": ">= 12.0.0", "typescript": ">= 5.0.0" }, "optionalPeers": ["@types/bun", "typescript"] }, "sha512-A6BhlipmSvgCy69SBgWADYZSdDIj3fT2gk8/9iMAC8iD+aGcnCr0fitziX0xr36MFDs/fsvVp8dWqxeq1VCgKg=="], + "elysia": ["elysia@1.4.27", "", { "dependencies": { "cookie": "^1.1.1", "exact-mirror": "^0.2.7", "fast-decode-uri-component": "^1.0.1", "memoirist": "^0.4.0" }, "peerDependencies": { "@sinclair/typebox": ">= 0.34.0 < 1", "@types/bun": ">= 1.2.0", "file-type": ">= 20.0.0", "openapi-types": ">= 12.0.0", "typescript": ">= 5.0.0" }, "optionalPeers": ["@types/bun", "typescript"] }, "sha512-2UlmNEjPJVA/WZVPYKy+KdsrfFwwNlqSBW1lHz6i2AHc75k7gV4Rhm01kFeotH7PDiHIX2G8X3KnRPc33SGVIg=="], "end-of-stream": ["end-of-stream@1.4.5", "", { "dependencies": { "once": "^1.4.0" } }, "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg=="], @@ -136,7 +136,7 @@ "eventsource-parser": ["eventsource-parser@3.0.6", "", {}, "sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg=="], - "exact-mirror": ["exact-mirror@0.2.5", "", { "peerDependencies": { "@sinclair/typebox": "^0.34.15" }, "optionalPeers": ["@sinclair/typebox"] }, "sha512-u8Wu2lO8nio5lKSJubOydsdNtQmH8ENba5m0nbQYmTvsjksXKYIS1nSShdDlO8Uem+kbo+N6eD5I03cpZ+QsRQ=="], + "exact-mirror": ["exact-mirror@0.2.7", "", { "peerDependencies": { "@sinclair/typebox": "^0.34.15" }, "optionalPeers": ["@sinclair/typebox"] }, "sha512-+MeEmDcLA4o/vjK2zujgk+1VTxPR4hdp23qLqkWfStbECtAq9gmsvQa3LW6z/0GXZyHJobrCnmy1cdeE7BjsYg=="], "fast-copy": ["fast-copy@4.0.3", "", {}, "sha512-58apWr0GUiDFM8+3afrO6eYwJBn9ZAhDOzG3L+/9llab/haCARS2UIfffmOurYLwbgDRs8n0rfr6qAAPEAuAQw=="], From de2373d148305310531c081bdaee1762b2d6ccbb Mon Sep 17 00:00:00 2001 From: Xinyuan Lin Date: Tue, 5 May 2026 23:30:08 -0700 Subject: [PATCH 3/4] ci(dependabot): configure bun ecosystem for /agent-service The repo had no dependabot.yml, so version updates fell back to the default npm_and_yarn flow that ignores bun.lock. Configure the bun ecosystem (Dependabot supports it as of bun >= 1.2.5) so future agent-service updates keep package.json and bun.lock in sync. --- .github/dependabot.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000000..7fa277b31a9 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,28 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# agent-service uses Bun (bun.lock). The npm/yarn updater leaves bun.lock +# stale, so version updates run through the bun ecosystem instead. Requires +# Dependabot bun support (>= v1.2.5). +version: 2 +updates: + - package-ecosystem: "bun" + directory: "/agent-service" + schedule: + interval: "weekly" + commit-message: + prefix: "chore(deps)" From 3f6dd08412ef9853d811f192a99a6c2a34437e66 Mon Sep 17 00:00:00 2001 From: Xinyuan Lin Date: Tue, 5 May 2026 23:35:15 -0700 Subject: [PATCH 4/4] chore(deps): update agent-service LICENSE-binary for elysia 1.4.27 Pair to the bun.lock refresh: bin/licensing/check_binary_deps.py compares LICENSE-binary entries to the bundled versions and fails on drift. The elysia bump and its transitive exact-mirror 0.2.5 -> 0.2.7 left two stale entries; refresh both so PR (--ignore-transitive-version) and strict post-merge checks pass. Verified locally: bun install --production --frozen-lockfile bun run bin/collect-licenses.ts > dist/3rdpartylicenses.json python3 ../bin/licensing/check_binary_deps.py [--ignore-transitive-version] \ agent-npm dist/3rdpartylicenses.json -> OK: 57 agent-service npm packages match LICENSE-binary. --- agent-service/LICENSE-binary | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/agent-service/LICENSE-binary b/agent-service/LICENSE-binary index 60c33ca64d4..e279fadadfb 100644 --- a/agent-service/LICENSE-binary +++ b/agent-service/LICENSE-binary @@ -241,9 +241,9 @@ Agent service npm packages: - cookie@1.1.1 - dagre@0.8.5 - debug@4.4.3 - - elysia@1.4.18 + - elysia@1.4.27 - eventsource-parser@3.0.6 - - exact-mirror@0.2.5 + - exact-mirror@0.2.7 - fast-decode-uri-component@1.0.1 - fast-deep-equal@3.1.3 - file-type@21.1.1