Update patch-updates#297
Conversation
There was a problem hiding this comment.
LGTM — patch-level dependency bumps from Renovate (bokeh 3.9.1, @types/node 20.19.43, vitest 4.1.9).
Extended reasoning...
Overview
This is a Renovate-generated automerge PR that bumps three dependencies to patch releases: @types/node 20.19.41 → 20.19.43 and vitest 4.1.8 → 4.1.9 in pnpm-lock.yaml, and bokeh 3.9.0 → 3.9.1 in template/requirements.txt. The lockfile churn is the expected fan-out (transitive rollup/@vitest/* pins refreshed to match vitest 4.1.9), not manual edits.
Security risks
None identified. @types/node is TypeScript type definitions with no runtime impact. Bokeh and vitest patch releases carry only bug fixes per the release notes; no known CVEs are being introduced.
Level of scrutiny
Low. Renovate patch bumps with automerge enabled and no first-party code changes — the review target is really "did the lockfile stay consistent and are the version bumps within a single patch band?" Both hold.
Other factors
No bugs surfaced by the hunting pass, no reviewer comments outstanding, and the PR touches only dependency manifests — no application code, config, or infra.
This PR contains the following updates:
20.19.41→20.19.43==3.9.0→==3.9.14.1.8→4.1.9Release Notes
bokeh/bokeh (bokeh)
v3.9.1Compare Source
vitest-dev/vitest (vitest)
v4.1.9Compare Source
🐞 Bug Fixes
importOriginalwith optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #10546 (a5180)View changes on GitHub
Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.