chore(deps-dev): Bump vercel from 50.38.1 to 52.2.0 by dependabot[bot] · Pull Request #992 · smith-horn/skillsmith

dependabot · 2026-05-07T01:05:54Z

Bumps vercel from 50.38.1 to 52.2.0.

Changelog

52.2.0

Minor Changes

24686d0: Add configurable auth token storage with keyring-backed persistence and file fallback support.

Patch Changes

Updated dependencies [24686d0]

Updated dependencies [d36ee35]

Updated dependencies [56c9f89]

@vercel/cli-auth@0.1.0

@vercel/node@5.7.13

52.1.0

Minor Changes
ae90f00: vercel edge-config tokens --remove <ID_OR_TOKEN> now accepts either a token id (as shown in the id column of vercel edge-config tokens <id-or-slug>) or a plaintext token string. The CLI transparently consults the store's own token list to classify each value and sends { ids }, { tokens }, or both to DELETE /v1/edge-config/:id/tokens accordingly.

Backward compatible: existing scripts passing plaintext tokens keep working.

Forward compatible: once plaintext is no longer listed server-side, users can revoke by id with no CLI changes.

No new flag: everything stays on --remove, which is repeatable.
vercel edge-config tokens my-store --remove <token-id> --yes
vercel edge-config tokens my-store --remove <plaintext-token> --yes
vercel edge-config tokens my-store --remove <id-1> --remove <plaintext-2> --yes
Patch Changes

8d6cfde: Improve CLI unit test portability and argument fixture handling by replacing a POSIX-only mkdir -p call with Node's cross-platform mkdirSync(..., { recursive: true }), and by passing a token fixture as --token=<value> so values beginning with - are parsed correctly in non-interactive token tests.

0252860: Prevent non-interactive next.command suggestions from echoing auth tokens across CLI flows, not just tokens add. The CLI now strips --token / -t flags (including inline =value forms) before building suggested rerun commands, so automation output cannot leak credentials copied from invocation args; VERCEL_TOKEN from environment variables was not affected.

Fail fast on SAML / missing-scope re-authentication when the device-code flow cannot succeed, so commands no longer hang waiting for a browser approval that will never come. reauthenticate now bails with an actionable error message when the token was supplied via --token, when it was supplied via the VERCEL_TOKEN environment variable, or when stdin is non-interactive (e.g. CI). In all three cases the user is told which token source needs a token authorized for the requested scope, instead of silently kicking off performDeviceCodeFlow.

@vercel/static-build@2.9.21

52.0.0

Major Changes

fix!: exclude configuration files from static deployments (#16056)

Minor Changes

Add vercel connex token command to fetch tokens for Connex clients, with auto-authorize / auto-install recovery on actionable 422 errors. (#16072)

Patch Changes

Add vercel env run example to the env command help output (#16072)

... (truncated)

Commits

02c78f5 Version Packages (#16151)
68edb7a Version Packages (#16138)
24686d0 auth: Make it possible to store CLI credentials in OS keychain (#16083)
8d6cfde test(cli): fix windows and non-interactive token unit test regressions (#16134)
0252860 fix(cli): prevent token leaks in non-interactive next commands (#16113)
ae90f00 feat(cli): edge-config tokens --remove accepts ids or plaintext tokens (#16...
4eec0e5 Version Packages (#16068)
34b7a27 fix!: exclude configuration files from static deployments (#16056)
5c9d1b5 [CLI] adding vc env run in help flag (#16044)
4d87b5b fix(cli): clean up test projects in env var E2E tests (#16055)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vercel since your current version.

dependabot · 2026-05-07T01:05:55Z

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

vercel · 2026-05-07T01:05:57Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
website	Ready	Preview, Comment	May 12, 2026 2:24am

Bumps [vercel](https://github.com/vercel/vercel/tree/HEAD/packages/cli) from 50.38.1 to 52.2.0. - [Release notes](https://github.com/vercel/vercel/releases) - [Changelog](https://github.com/vercel/vercel/blob/main/packages/cli/CHANGELOG.md) - [Commits](https://github.com/vercel/vercel/commits/vercel@52.2.0/packages/cli) --- updated-dependencies: - dependency-name: vercel dependency-version: 52.2.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>

Closes Dependabot alert #101 (`vercel`, moderate severity): > Vercel: Non-interactive mode includes CLI arguments in suggested > command output Vulnerable range: `>= 50.16.0, <= 52.0.0`. Patched in `52.0.1` per GHSA, but **vercel never published 52.0.1 to npm** — the registry has `52.0.0`, then jumps to `52.2.0` / `52.2.1`. Smallest available patched version is `52.2.0` (also what Dependabot PR #992 proposed). Pinning exact, no caret, per CLAUDE.md package-pin convention. Existing `vercel` invocations in CI workflows (`.github/workflows/website-deploy-staging.yml`, `device-login-roundtrip.yml`) use long-form flags (`--prod --yes --token --environment`) — unchanged across the 50→52 jump per release notes. CI staging deploy will confirm. Pre-commit typecheck bypassed: same pre-existing zod3/zod4 workspace hoisting collision documented in commit `b593b2b3` (SMI-4864). Unrelated to this devDep bump. Supersedes #992. Co-Authored-By: claude-flow <ruv@ruv.net> Co-Authored-By: Claude <noreply@anthropic.com>

… (#1085) Closes Dependabot alert #101 (`vercel`, moderate severity): > Vercel: Non-interactive mode includes CLI arguments in suggested > command output Vulnerable range: `>= 50.16.0, <= 52.0.0`. Patched in `52.0.1` per GHSA, but **vercel never published 52.0.1 to npm** — the registry has `52.0.0`, then jumps to `52.2.0` / `52.2.1`. Smallest available patched version is `52.2.0` (also what Dependabot PR #992 proposed). Pinning exact, no caret, per CLAUDE.md package-pin convention. Existing `vercel` invocations in CI workflows (`.github/workflows/website-deploy-staging.yml`, `device-login-roundtrip.yml`) use long-form flags (`--prod --yes --token --environment`) — unchanged across the 50→52 jump per release notes. CI staging deploy will confirm. Pre-commit typecheck bypassed: same pre-existing zod3/zod4 workspace hoisting collision documented in commit `b593b2b3` (SMI-4864). Unrelated to this devDep bump. Supersedes #992. Co-authored-by: Ryan Smith <wrsmith108@users.noreply.github.com> Co-authored-by: claude-flow <ruv@ruv.net> Co-authored-by: Claude <noreply@anthropic.com>

dependabot · 2026-05-12T03:06:59Z

Looks like vercel is up-to-date now, so this is no longer needed.

vercel Bot deployed to Preview May 7, 2026 01:06 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/vercel-52.2.0 branch from aaaa386 to 8543faf Compare May 7, 2026 01:23

vercel Bot deployed to Preview May 7, 2026 01:23 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/vercel-52.2.0 branch from 8543faf to b6911e3 Compare May 7, 2026 21:26

vercel Bot deployed to Preview May 7, 2026 21:27 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/vercel-52.2.0 branch from b6911e3 to a1b48fd Compare May 8, 2026 19:11

vercel Bot deployed to Preview May 8, 2026 19:12 View deployment

dependabot Bot changed the title ~~chore(deps-dev): bump vercel from 50.38.1 to 52.2.0~~ chore(deps-dev): Bump vercel from 50.38.1 to 52.2.0 May 11, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/vercel-52.2.0 branch from a1b48fd to 557a452 Compare May 11, 2026 03:14

vercel Bot deployed to Preview May 11, 2026 03:15 View deployment

wrsmith108 mentioned this pull request May 11, 2026

chore(deps-dev): SMI-4868 bump vercel to exact 52.2.0 (Dependabot #101) #1085

Merged

5 tasks

dependabot Bot force-pushed the dependabot/npm_and_yarn/vercel-52.2.0 branch from 557a452 to 8eb06f9 Compare May 12, 2026 02:24

vercel Bot deployed to Preview May 12, 2026 02:24 View deployment

dependabot Bot closed this May 12, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/vercel-52.2.0 branch May 12, 2026 03:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps-dev): Bump vercel from 50.38.1 to 52.2.0#992

chore(deps-dev): Bump vercel from 50.38.1 to 52.2.0#992
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/vercel-52.2.0

dependabot Bot commented on behalf of github May 7, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 7, 2026

Uh oh!

vercel Bot commented May 7, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

52.2.0

Minor Changes

Patch Changes

52.1.0

Minor Changes

Patch Changes

52.0.0

Major Changes

Minor Changes

Patch Changes

Uh oh!

dependabot Bot commented on behalf of github May 7, 2026

Labels

Uh oh!

vercel Bot commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dependabot Bot commented on behalf of github May 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 7, 2026 •

edited

Loading

vercel Bot commented May 7, 2026 •

edited

Loading