Skip to content

chore: upgrade js-yaml 3.x → 4.x and csv-parser 2.x → 3.x in csv-to-pg#779

Merged
pyramation merged 1 commit intomainfrom
devin/1772612489-csv-to-pg-upgrades
Mar 4, 2026
Merged

chore: upgrade js-yaml 3.x → 4.x and csv-parser 2.x → 3.x in csv-to-pg#779
pyramation merged 1 commit intomainfrom
devin/1772612489-csv-to-pg-upgrades

Conversation

@pyramation
Copy link
Contributor

@pyramation pyramation commented Mar 4, 2026

Summary

Bumps two major dependencies in the csv-to-pg package:

Package From To Breaking changes
js-yaml ^3.14.0 (resolved 3.14.2) ^4.1.0 (resolved 4.1.1) safeLoad()load(), unsafe types removed from default schema
csv-parser ^2.3.3 (resolved 2.3.5) ^3.2.0 (resolved 3.2.0) Minimum Node bumped to 10; streaming API unchanged

No source code changes were needed. The codebase already uses import { load as parseYAML } from 'js-yaml' (the v4 API name), and csv-parser is used via the standard createReadStream().pipe(csv(opts)) streaming pattern which is unchanged in v3.

The csv-parser upgrade also cleans up transitive deps — it no longer pulls in minimist or through2@3.0.2.

Review & Testing Checklist for Human

  • js-yaml behavior change: In v3, load() was the unsafe variant (allowed !!js/function, !!js/regexp, etc). In v4, load() is the safe variant (equivalent to old safeLoad()). If any YAML config files consumed by csv-to-pg's readConfig() use custom JS types, they will now throw. Verify your YAML configs only use standard YAML types.
  • Lockfile @types/node drift: The lockfile shows several transitive resolutions shifting from @types/node@22.19.11 to @types/node@25.3.3 (in ts-node, grafserv, postgraphile resolution strings). This appears to be a pnpm lockfile artifact from regeneration, not an intentional change. Verify these don't introduce unwanted Node 25 types into packages that should target Node 22.
  • Run csv-to-pg tests: cd packages/csv-to-pg && pnpm test — CI will cover this, but worth a manual check since both upgrades are major versions with no source code changes to validate compatibility.

Notes

  • Build passed locally with pnpm build
  • CI not yet verified — waiting for checks to complete
  • The csv-parser v3 upgrade has been in production for many projects (it's a mature package), and the streaming API is backward-compatible

Requested by: @pyramation
Link to Devin Session

@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Mar 4, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@pyramation pyramation merged commit 0df387d into main Mar 4, 2026
42 checks passed
@pyramation pyramation deleted the devin/1772612489-csv-to-pg-upgrades branch March 4, 2026 10:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@pyramation pyramation

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pyramation