chore(deps): bump changesets/action from 1.7.0 to 1.8.0 #2052
dependabot[bot] wants to merge 1 commit into
Bumps [changesets/action](https://github.com/changesets/action) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/changesets/action/releases)
- [Changelog](https://github.com/changesets/action/blob/main/CHANGELOG.md)
- [Commits](changesets/action@6a0a831...63a615b)

---
updated-dependencies:
- dependency-name: changesets/action
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — routine Dependabot bump of a SHA-pinned action.
Extended reasoning...
Overview
This PR updates the pinned commit SHA for changesets/action from v1.7.0 (6a0a831) to v1.8.0 (63a615b) in two places within .github/workflows/release.yml — the version-PR job and the publish job. No other lines change.
Security risks
None introduced by this diff. The action remains pinned to a full commit SHA (not a mutable tag), which is the recommended supply-chain practice. The upstream v1.8.0 release adds an opt-in prDraft input and two cwd-handling bugfixes; this workflow uses neither prDraft nor cwd, so the new behavior is inert for our configuration. Permissions, tokens, and the OIDC publish path are untouched.
Level of scrutiny
Low. This is a mechanical Dependabot minor-version bump of release tooling, not SDK source. It does not touch protocol code, public API surface, types, or auth paths. No changeset is needed since it doesn't affect any published package.
Other factors
The only specific CODEOWNERS entries are for auth code; .github/workflows/ falls under the default repo-wide owner only. The bug-hunting system found nothing. Per REVIEW.md's CI/Actions guidance, I verified the upstream changelog rather than speculating: the changes are additive/opt-in and the two patched code paths (cwd parameter handling) don't apply here.
Bumps changesets/action from 1.7.0 to 1.8.0.
Release notes
Sourced from changesets/action's releases.
Changelog
Sourced from changesets/action's changelog.
... (truncated)
Commits
- 63a615b v1.8.0
- 84c2432 Version Packages (#598)
- f5dbf72 Add draft mode support (#258)
- 91b9111 Protect publishes with env gate (#610)
- d4c53c2 Fix CODEOWNERS pattern
- 2ae596f Tweak CI setup (#599)
- 0784b0e Add CODEOWNERS
- 81b3f61 Fixed .changeset state being picked for the version command when cwd para...
- 6002dbd Fix reading .changeset directory from path provided in cwd parameter (#502)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)