build(deps-dev): bump material-icon-theme from 5.34.0 to 5.35.0 #3
dependabot[bot] wants to merge 1 commit into
Conversation
Review summary
This Dependabot PR bumps material-icon-theme from 5.34.0 to 5.35.0. The new version introduces the deprecated biome v0.3.3 package (not to be confused with @biomejs/biome) as a transitive dependency, which pulls in request-promise — a wrapper around the long-deprecated request library (deprecated since 2020). This cascades into numerous old sub-dependencies (asn1, bcrypt-pbkdf, tweetnacl, aws-sign2, caseless, etc.). Since material-icon-theme is a devDependency, production risk is low, but CI/build pipelines should be audited. Consider holding this bump until upstream removes or replaces the deprecated biome dependency.
| "eslint-plugin-react-hooks": "^7.1.1", | ||
| "eslint-plugin-react-refresh": "^0.5.2", | ||
| "material-icon-theme": "5.34.0", | ||
| "material-icon-theme": "5.35.0", |
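Review bot: the pin is exact (`"material-icon-theme": "5.35.0"`, no range operator), so this package.json line on its own says nothing about what the bump pulled into the tree; the new transitive packages are recorded only in the package-lock.json diff, and that diff, not this line, is where the review effort belongs.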
🔐 Security 🟡 Medium
Bumping to material-icon-theme 5.35.0 introduces the deprecated biome v0.3.3 package as a transitive dependency, which depends on request-promise (built on the deprecated and unmaintained request library). This pulls in several old crypto/auth packages. Verify this is acceptable for your threat model before merging.
| "tweetnacl": "^0.14.3" | ||
| } | ||
| }, | ||
| "node_modules/biome": { |
🔐 Security 🟡 Medium
This biome v0.3.3 package is the old deprecated npm package (not @biomejs/biome). It depends on request-promise (uses the deprecated request library) and bluebird, both unmaintained. Upstream issue should be raised with material-icon-theme to remove or replace this dependency.
b8e2d78 to c85bd53
Review summary
Dependabot bumps material-icon-theme from 5.34.0 to 5.35.0. The version bump itself is low-risk (icon additions, refactors, tests). However, the updated lockfile introduces the old, unmaintained biome v0.3.3 package (not to be confused with the modern @biomejs/biome) as a transitive dependency, which pulls in the deprecated request and request-promise packages along with several legacy crypto/network packages. These are dev-only transitive dependencies but represent supply chain hygiene concerns.
Inline comments skipped
package-lock.json:3093 (LEFT): line is not commentable in the pull request diff
| "resolved": "https://registry.npmjs.org/biome/-/biome-0.3.3.tgz", | ||
| "integrity": "sha512-4LXjrQYbn9iTXu9Y4SKT7ABzTV0WnLDHCVSd2fPUOKsy1gQ+E4xPFmlY1zcWexoi0j7fGHItlL6OWA2CZ/yYAQ==", | ||
| "dev": true, | ||
| "license": "ISC", |
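Review bot: the entry carries `"dev": true` and an `integrity` hash, so `npm ci` will verify the tarball against that hash and `npm ci --omit=dev` will skip the package entirely; before merging, confirm which package in the tree actually requires `biome` (for example with `npm ls biome` after a local install) and check that no CI job installs dev dependencies in a context with access to deployment secrets.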
🔐 Security 🟡 Medium
Transitive dependency biome v0.3.3 is the old, unmaintained biome package (last published ~2016), not the modern @biomejs/biome formatter. It pulls in deprecated packages including request and request-promise, which have known unresolved vulnerabilities and are no longer maintained.
| "safer-buffer": "~2.1.0" | ||
| } | ||
| }, | ||
| "node_modules/assert-plus": { |
🧹 Maintainability 🔵 Low
New transitive dependency asn1 v0.2.6 added. Combined with aws-sign2, aws4, bcrypt-pbkdf, tweetnacl, and caseless, these legacy crypto/authentication packages suggest the old biome tool includes network request functionality that is unnecessary for an icon theme dev dependency.
55a49d9 to c08cdca
Review summary
Dependabot version bump for material-icon-theme from 5.34.0 to 5.35.0. The lockfile changes introduce several unexpected new transitive dependencies, most notably biome@0.3.3 (a 2016-era package, not the modern Biome linter) which pulls in deprecated packages like request-promise. Additionally, assert-plus lost its optional: true flag, which may cause installation issues. The removal of libc fields from multiple platform-specific optional packages suggests the lockfile was regenerated with a different npm version than the original.
| "node": ">=6.0.0" | ||
| } | ||
| }, | ||
| "node_modules/bcrypt-pbkdf": { |
🔐 Security 🟠 High
New transitive dependency biome@0.3.3 was introduced. This is NOT the modern Biome linter/toolchain — it is a 2016-era package that depends on deprecated packages including request-promise, bluebird, and inquirer-promise. This appears to be a name-squatting or supply chain risk. Verify whether material-icon-theme@5.35.0 genuinely requires this dependency.
| "version": "0.2.6", | ||
| "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", | ||
| "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", | ||
| "dev": true, |
🧹 Maintainability 🟡 Medium
The optional: true field was removed from assert-plus@1.0.0. This makes it a required dependency when it was previously optional, which could cause installation failures in environments where native addons cannot be compiled.
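The reviews above flag three kinds of lockfile change worth checking on any dependency bump: packages newly entering the tree, deprecated names among them and the path that pulls them in, and fields such as `optional` or `libc` disappearing from entries that were already there. The script below, added here as an example and not part of this PR or of the material-icon-theme project, compares two lockfileVersion 2/3 `package-lock.json` objects and reports all three. The two lockfile fragments, the dependency path from material-icon-theme through biome to request, the `@example/native-linux-x64` package and every version string in them are constructed for the example; the `FLAGGED` list is an assumption the reviewer would curate.

```javascript
// Added example, not code from this PR or from material-icon-theme.
// Compares two npm lockfiles (lockfileVersion 2 or 3, "packages" map) and
// reports what a bump changed in the transitive tree.

// Names that should trigger a manual review when they enter the tree.
// Assumption: curated by the reviewer, not fetched from a registry.
const FLAGGED = new Set(["biome", "request", "request-promise"]);

// Lockfile fields whose change is worth surfacing in a review.
const WATCHED_FIELDS = ["version", "dev", "optional", "libc"];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Map of lockfile key -> entry, skipping the root project entry ("").
function indexPackages(lock) {
  const index = new Map();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key !== "") index.set(key, entry);
  }
  return index;
}

// Names of packages in the tree that declare `name` as a dependency.
function dependentsOf(index, name) {
  const result = [];
  for (const [key, entry] of index) {
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    if (name in deps) result.push(packageName(key));
  }
  return result.sort();
}

function diffLockfiles(oldLock, newLock) {
  const before = indexPackages(oldLock);
  const after = indexPackages(newLock);
  const report = { added: [], removed: [], changed: [], flagged: [] };

  for (const [key, entry] of after) {
    const name = packageName(key);
    const prev = before.get(key);
    if (!prev) {
      report.added.push({ name, version: entry.version, dev: entry.dev === true });
    } else {
      for (const field of WATCHED_FIELDS) {
        // JSON.stringify makes arrays (libc) and absent fields comparable.
        if (JSON.stringify(prev[field]) !== JSON.stringify(entry[field])) {
          report.changed.push({ name, field, from: prev[field], to: entry[field] });
        }
      }
    }
    if (FLAGGED.has(name)) {
      report.flagged.push({
        name,
        version: entry.version,
        dev: entry.dev === true,
        dependents: dependentsOf(after, name),
      });
    }
  }
  for (const key of before.keys()) {
    if (!after.has(key)) report.removed.push(packageName(key));
  }
  return report;
}

// Constructed lockfile fragments. The path material-icon-theme -> biome ->
// request-promise -> request, the @example/native-linux-x64 package and the
// version strings are invented for this example.
const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "material-icon-theme": "5.34.0" } },
    "node_modules/material-icon-theme": { version: "5.34.0", dev: true },
    "node_modules/assert-plus": { version: "1.0.0", dev: true, optional: true },
    "node_modules/@example/native-linux-x64": { version: "1.0.0", dev: true, optional: true, libc: ["glibc"] },
  },
};
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "material-icon-theme": "5.35.0" } },
    "node_modules/material-icon-theme": { version: "5.35.0", dev: true, dependencies: { biome: "^0.3.3" } },
    "node_modules/biome": { version: "0.3.3", dev: true, dependencies: { "request-promise": "^4.0.0" } },
    "node_modules/request-promise": { version: "4.0.0", dev: true, dependencies: { request: "^2.0.0" } },
    "node_modules/request": { version: "2.0.0", dev: true },
    "node_modules/assert-plus": { version: "1.0.0", dev: true },
    "node_modules/@example/native-linux-x64": { version: "1.0.0", dev: true, optional: true },
  },
};

const EXAMPLE_REPORT = diffLockfiles(OLD_LOCK, NEW_LOCK);
console.log(JSON.stringify(EXAMPLE_REPORT, null, 2));
```

For a real PR, replace the two constructed objects with `JSON.parse(fs.readFileSync(path, "utf8"))` of the base-branch and PR-branch lockfiles. `added` lists what the bump brought in and whether it is dev-only, `flagged` gives the dependents of each watched name so the upstream package to raise the issue with is visible at once, and `changed` surfaces the kind of `optional` and `libc` field loss the third review summary describes.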
c08cdca to 54ef07c
Bumps [material-icon-theme](https://github.com/material-extensions/vscode-material-icon-theme) from 5.34.0 to 5.35.0.
- [Release notes](https://github.com/material-extensions/vscode-material-icon-theme/releases)
- [Changelog](https://github.com/material-extensions/vscode-material-icon-theme/blob/main/CHANGELOG.md)
- [Commits](material-extensions/vscode-material-icon-theme@v5.34.0...v5.35.0)

---
updated-dependencies:
- dependency-name: material-icon-theme
  dependency-version: 5.35.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
54ef07c to cc4991a
Bumps material-icon-theme from 5.34.0 to 5.35.0.
Release notes
Sourced from material-icon-theme's releases.
Changelog
Sourced from material-icon-theme's changelog.
Commits
39b78e2 chore(release): v5.35.0
676e3d3 chore(deps): update github actions workflows (#3454)
d7274c7 feat: update dependencies
c9a9d2e feat: include language IDs into the file icons
9e4c98a feat: add more unit tests for writefile helper function
4de4acf fix: correct typos in CONTRIBUTING.md
4f7f49e fix: add rootDir to tsconfig.declarations.json for TypeScript 6
b0ca202 chore(deps): update bun packages (major) (#3412)
61c98df chore(deps): update dependency bun to v1.3.13 (#3325)
559e00f chore(deps): update bun packages (#3257)