Skip to content

chore(deps)(deps): bump commander from 13.1.0 to 15.0.0#1363

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/commander-15.0.0
Open

chore(deps)(deps): bump commander from 13.1.0 to 15.0.0#1363
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/commander-15.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps commander from 13.1.0 to 15.0.0.

Release notes

Sourced from commander's releases.

v15.0.0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

v15.0.0-0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 in May 2026 will move Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

... (truncated)

Changelog

Sourced from commander's changelog.

[15.0.0] (2026-05-29)

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

[15.0.0-0] (2026-02-22)

(Released as 15.0.0)

[14.0.3] (2026-01-31)

Added

  • Release Policy document (#2462)

Changes

  • old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date (#2462)
  • clarify typing for deprecated callback parameter to .outputHelp() (#2427)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [commander](https://github.com/tj/commander.js) from 13.1.0 to 15.0.0.
- [Release notes](https://github.com/tj/commander.js/releases)
- [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md)
- [Commits](tj/commander.js@v13.1.0...v15.0.0)

---
updated-dependencies:
- dependency-name: commander
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, npm, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Comment thread packages/cli/package.json
"@origintrail-official/dkg-storage": "workspace:*",
"@iarna/toml": "^2.2.5",
"commander": "^13",
"commander": "^15",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Bug: Commander 15 narrows the supported Node 22 range

What's wrong
This dependency bump silently raises the CLI's effective minimum runtime from Node 22+ to Node 22.12+. That breaks users who are following the current documented requirement but are on an earlier Node 22 release.

Example
A user or CI runner on Node 22.10 satisfies the documented Node.js 22+ requirement, but this dependency now resolves to commander@15.0.0, whose package declares node >=22.12.0. With engine enforcement enabled the CLI install fails; without it, the CLI runs on a runtime Commander no longer supports.

Suggested direction
Align the dependency bump with the CLI's public runtime contract: either avoid commander@15 until the project requires Node >=22.12.0 everywhere, or update the package/docs/CI runtime requirement to that exact minimum.

For Agents
Check packages/cli/package.json and the published/runtime Node support policy. Either keep Commander on a version whose engines match the advertised Node 22+ range, or explicitly raise every CLI/runtime contract to Node >=22.12.0 and add an engines field so users get a clear failure. Prove the fix by installing the CLI under the minimum documented Node version and under the intended supported minimum.

Make the new runtime boundary explicit

What's wrong
The dependency bump quietly imports commander 15's Node >=22.12.0 engine requirement, but the published CLI package does not make that runtime boundary explicit. That leaves the supported runtime split across package.json and the lockfile, which makes future dependency maintenance and release decisions harder to reason about.

Example
A maintainer looking only at packages/cli/package.json sees a normal dependency bump, but the lockfile has effectively made the CLI depend on Node >=22.12.0 through commander 15. That runtime boundary is implicit instead of owned by the CLI package metadata.

Suggested direction
If the project is intentionally moving the CLI to Node >=22.12.0, declare that in packages/cli/package.json, and preferably keep the root/package docs aligned. If that is not the intended runtime floor, avoid commander 15 here and use the latest compatible commander version instead.

Confidence note
This is based on package metadata only; if the repository already documents a Node >=22.12 runtime elsewhere, this may just need to be mirrored into the published package metadata.

For Agents
Check packages/cli/package.json and the repo-level runtime policy. Preserve the intended commander version, but either add an explicit engines.node declaration to the published CLI package if Node >=22.12.0 is now required, or keep commander on a version compatible with the existing runtime floor. Verify package metadata/lifecycle commands still install under the supported Node version.

Commander 15 raises the Node floor without validation

What's wrong
The dependency bump changes an externally visible compatibility contract, but the PR does not add validation evidence for the Node versions the repo still advertises. CI on .nvmrc value 22 can pass on a newer Node 22 release while missing install/runtime problems on earlier Node 22 versions.

Example
Run the package install/build and a CLI smoke command such as dkg --help under Node 22.0.0 or 22.11.0. The README says Node 22+ should work, but the bumped dependency declares those versions unsupported, and this PR adds no validation that the CLI still works there or that the support floor moved to 22.12.0.

Suggested direction
Decide whether the CLI now requires Node >=22.12.0. If so, update the advertised prerequisites and package metadata and add/adjust CI to run on that exact floor; if not, add a compatibility smoke test on the lowest supported Node 22 version or keep a Commander version that supports it.

Confidence note
Static review only; I did not run the test suite in the read-only sandbox.

For Agents
Look at packages/cli/package.json, README Node prerequisites, .nvmrc, and CI setup-node configuration. Either preserve Node 22.0+ support with a lowest-supported-Node install/build/CLI smoke lane, or raise the documented/package engine floor to >=22.12.0 and make CI validate that floor explicitly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant