
refactor: Bump basic-ftp from 5.2.0 to 5.2.2 #3334

Closed
dependabot[bot] wants to merge 1 commit into alpha from dependabot/npm_and_yarn/basic-ftp-5.2.2

Conversation

dependabot[bot] (Contributor) commented on behalf of github Apr 10, 2026

Bumps basic-ftp from 5.2.0 to 5.2.2.

Release notes

Sourced from basic-ftp's releases.

5.2.2

5.2.1

Changelog

Sourced from basic-ftp's changelog.

5.2.2

5.2.1

Commits
  • e9d09d6 Bump version
  • 20327d3 Move prevention of control character injection to more central place
  • ba40f9d Update dev dependencies
  • 6b0008b Bump version
  • 2ecc8e2 Reject control character injection attempts using paths
  • 515d21f Update security policy and reporting instructions
  • 9744254 Link to security advisory
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated dependencies and lock file metadata to ensure consistent package versions.
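The commit list in the Dependabot description ("Reject control character injection attempts using paths", "Move prevention of control character injection to more central place") names the fix but not the mechanism. The bug class is a well-known one: the FTP control connection is line based, so a path carrying CR/LF reaches the server as the end of one command and the start of another. The Python below is an added illustration of that class, not basic-ftp's code and not a description of its exact bug; the CWD/DELE verbs and the hostile path are constructed for the demo.

```python
"""Added illustration of FTP control-character injection and its rejection.

Not basic-ftp's code. The verbs and paths below are constructed for the demo.
"""
import re

# Any C0 control character or DEL. CR and LF matter most: the FTP control
# connection is line based, so they end the current command and start a new one.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_command_unchecked(verb: str, arg: str) -> str:
    """'Before' behaviour: concatenate and terminate with CRLF, no validation."""
    return f"{verb} {arg}\r\n"


def build_command(verb: str, arg: str) -> str:
    """'After' behaviour: refuse any argument that could break the line framing."""
    match = CONTROL_CHARS.search(arg)
    if match:
        raise ValueError(
            f"control character 0x{ord(match.group()):02x} at offset {match.start()} in FTP argument"
        )
    return f"{verb} {arg}\r\n"


def server_view(wire: str) -> list:
    """What an FTP server does with the bytes: split on CRLF, one command per line."""
    return [line for line in wire.split("\r\n") if line]


def demo() -> dict:
    """Return a summary so the outcome can be inspected or asserted, not just printed."""
    # Constructed attacker-controlled path: a plausible directory name followed by
    # CRLF and a second command the caller never intended to send.
    hostile_path = "uploads\r\nDELE notes.txt"
    benign_path = "uploads/2026 reports"

    # Unchecked: the server sees two commands where the client meant to send one.
    unchecked = server_view(build_command_unchecked("CWD", hostile_path))

    # Hardened: the hostile path is rejected before anything touches the socket,
    # while an ordinary path with spaces and slashes still goes through.
    try:
        build_command("CWD", hostile_path)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "unchecked_commands": unchecked,
        "hardened_rejects_hostile": rejected,
        "hardened_allows_benign": build_command("CWD", benign_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened builder rejects rather than strips, which is the safer choice: silently removing the control characters would turn an attack into a different, still attacker-chosen path.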

@dependabot dependabot Bot added dependencies Bot label; pull requests that updates a dependency file javascript Pull requests that update javascript code labels Apr 10, 2026
parse-github-assistant Bot commented:

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump basic-ftp from 5.2.0 to 5.2.2 refactor: Bump basic-ftp from 5.2.0 to 5.2.2 Apr 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/basic-ftp-5.2.2 branch 2 times, most recently from e3e408d to 88f13a3 (April 16, 2026 20:51)
mtrezza (Member) commented Apr 16, 2026

@coderabbitai review

coderabbitai Bot commented Apr 16, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot commented Apr 16, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 97daf6f7-1afd-4f5a-a8f2-983782313186

📝 Walkthrough

Updated the basic-ftp dependency from version 5.2.0 to 5.3.0 with corresponding changes to the resolved URL and integrity checksum. Removed a nested typescript entry previously stored under node_modules/filing-cabinet/node_modules/typescript.

Changes

  • Dependency Update (package-lock.json): Bumped basic-ftp from 5.2.0 to 5.3.0 with updated tarball URL and integrity hash. Removed nested typescript dependency metadata under filing-cabinet.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 warnings)

  • Title check (⚠️ Warning): PR title uses valid 'refactor:' prefix and references the dependency bump, but states version 5.2.2 while the raw_summary indicates 5.3.0 was actually applied. Resolution: Update the PR title to accurately reflect the actual version bump (e.g., 'refactor: Bump basic-ftp from 5.2.0 to 5.3.0') to match the changes in package-lock.json.
  • Engage In Review Feedback (⚠️ Warning): Review feedback regarding a version mismatch in package-lock.json (5.3.0 vs stated 5.2.2) was not addressed through follow-up commits or discussion engagement. Resolution: Create a follow-up commit regenerating package-lock.json to match version 5.2.2, or engage the reviewer via comment explaining the version discrepancy.
  • Description check (⚠️ Warning): The PR uses an auto-generated Dependabot description rather than following the repository's required template structure. Resolution: Add a custom PR description following the template with explicit sections for Issue, Approach, and Tasks (even if marking tasks as N/A for dependency updates).

✅ Passed checks (2 passed)

  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Security Check (✅ Passed): PR updates basic-ftp from vulnerable 5.2.0 to 5.3.0, fixing critical control character injection vulnerabilities and using proper npm registry checksums.


mtrezza (Member) commented Apr 16, 2026

@dependabot rebase

dependabot[bot] (Contributor, Author) commented on behalf of github Apr 16, 2026

Looks like this PR is already up-to-date with alpha! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

mtrezza (Member) commented Apr 16, 2026

@dependabot recreate

coderabbitai Bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package-lock.json`:
- Around line 12581-12583: The lockfile shows basic-ftp@5.3.0 but the commit
88f13a3 and Dependabot metadata target 5.2.2; decide whether to accept 5.3.0 or
restore 5.2.2, then update package-lock.json accordingly: if accepting 5.3.0,
update the Dependabot/commit message and regenerate package-lock.json (run npm
install, commit the new lockfile) and update any Dependabot config referencing
basic-ftp/get-uri; if pinning 5.2.2, add an explicit resolution/override for
basic-ftp (or update get-uri constraint), restore the lockfile to include
basic-ftp@5.2.2 by running npm install/npm ci against the corrected
package.json, and commit the regenerated package-lock.json so the lockfile and
the stated intent (5.2.2) match.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4ba2a106-2c8d-41fd-b501-114bb4f1e5ca

📥 Commits

Reviewing files that changed from the base of the PR and between 5f0c479 and 88f13a3.

📒 Files selected for processing (1)
  • package-lock.json

Comment thread package-lock.json
Comment on lines +12581 to +12583
"version": "5.3.0",
"resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
"integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
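Review bot: this lockfile entry resolves basic-ftp to 5.3.0 (version, tarball URL and integrity all agree on 5.3.0), while the PR title and the Dependabot commit metadata declare 5.2.2, so the entry is internally consistent but is not the bump the PR says it makes; either retitle the PR and commit message to 5.3.0 or regenerate the lockfile against 5.2.2. Before accepting 5.3.0, confirm the integrity value against the registry's dist.integrity for basic-ftp-5.3.0.tgz (or a sha512 of the downloaded tarball) and read that tarball's package.json scripts, since the Dependabot description reports a newly added prepare script.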

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Manifest/lock versions for basic-ftp =="
fd -i 'package.json|package-lock.json' | while read -r f; do
  echo "--- $f"
  rg -n -C2 '"basic-ftp"|node_modules/basic-ftp|"version": "5\."' "$f" || true
done

echo
echo "== npm registry metadata for 5.2.2 and 5.3.0 =="
curl -s https://registry.npmjs.org/basic-ftp \
| jq -r '
  .versions["5.2.2"] as $v522
  | .versions["5.3.0"] as $v530
  | "5.2.2 dist.tarball=\($v522.dist.tarball)\n5.2.2 dist.integrity=\($v522.dist.integrity)\n5.3.0 dist.tarball=\($v530.dist.tarball)\n5.3.0 dist.integrity=\($v530.dist.integrity)"
'

echo
echo "== Check package scripts in published tarballs (read-only inspect) =="
tmpdir="$(mktemp -d)"
for v in 5.2.2 5.3.0; do
  url=$(curl -s https://registry.npmjs.org/basic-ftp/$v | jq -r '.dist.tarball')
  curl -sL "$url" -o "$tmpdir/basic-ftp-$v.tgz"
  echo "--- basic-ftp@$v scripts"
  tar -xOf "$tmpdir/basic-ftp-$v.tgz" package/package.json | jq '.scripts // {}'
done

Repository: parse-community/parse-dashboard


🏁 Script executed:

cat -n package.json | grep -A2 -B2 "basic-ftp"


🏁 Script executed:

#!/bin/bash
echo "=== Checking basic-ftp versions 5.2.2 vs 5.3.0 in npm registry ==="
curl -s https://registry.npmjs.org/basic-ftp/5.2.2 | jq -r '.version, .dist.tarball, (.dist.integrity // "N/A")'
echo ""
echo "---"
echo ""
curl -s https://registry.npmjs.org/basic-ftp/5.3.0 | jq -r '.version, .dist.tarball, (.dist.integrity // "N/A")'


🏁 Script executed:

#!/bin/bash
# Search for basic-ftp in package.json more carefully
echo "=== Searching for basic-ftp in package.json ==="
grep "basic-ftp" package.json

echo ""
echo "=== Checking if there are any .git or PR metadata files ==="
ls -la | grep -E "\.git|pr|PR|changelog|CHANGELOG"

echo ""
echo "=== Searching for basic-ftp anywhere in the repo (excluding node_modules and lock) ==="
rg -l "basic-ftp" -g "!node_modules" -g "!package-lock.json" | head -20   # files that mention it
rg "basic-ftp" -g "!node_modules" -g "!package-lock.json" | head -30      # the matching lines


🏁 Script executed:

#!/bin/bash
# Search for which dependency requires basic-ftp
echo "=== Direct dependencies in package.json ==="
jq -r '.dependencies | keys[]' package.json

echo ""
echo "=== Dev dependencies in package.json ==="
jq -r '.devDependencies | keys[]' package.json

echo ""
echo "=== Searching for which package depends on basic-ftp ==="
rg '"basic-ftp"' -A1 -B5 | head -50


🏁 Script executed:

#!/bin/bash
# Check which package in node_modules requires basic-ftp
echo "=== Which top-level package depends on basic-ftp? ==="
rg '"basic-ftp"' -B10 package-lock.json | grep -E 'node_modules/[^/]+.*:|"basic-ftp"' | head -20

echo ""
echo "=== Check git log for commits mentioning basic-ftp or version 5.2.2 ==="
git log --oneline --all -20 | head -20

echo ""
echo "=== Check for any commit messages mentioning basic-ftp ==="
git log --all --grep="basic-ftp" --grep="5.2.2" --oneline || echo "No commits found with those keywords"

echo ""
echo "=== Check the most recent changes to package-lock.json ==="
git log --oneline -5 -- package-lock.json

echo ""
echo "=== Show what changed in package-lock.json recently (basic-ftp section) ==="
git show HEAD:package-lock.json | rg -A3 -B3 'node_modules/basic-ftp' | head -20


🏁 Script executed:

#!/bin/bash
# Show the specific commit that was supposed to bump to 5.2.2
echo "=== Show the diff for the 5.2.2 bump commit ==="
git show 88f13a3 -- package-lock.json | grep -A5 -B5 '"basic-ftp"' | head -40

echo ""
echo "=== Check if there's a more recent commit after 88f13a3 that changed basic-ftp ==="
git log --oneline --all -- package-lock.json | head -10

echo ""
echo "=== Show commits between 88f13a3 and HEAD that touched package-lock.json ==="
git log 88f13a3..HEAD --oneline -- package-lock.json


🏁 Script executed:

#!/bin/bash
# Check what the actual version of basic-ftp was in commit 88f13a3
echo "=== Actual basic-ftp version in commit 88f13a3 ==="
git show 88f13a3:package-lock.json | rg -A3 '"node_modules/basic-ftp"'

echo ""
echo "=== Current basic-ftp version (HEAD) ==="
git show HEAD:package-lock.json | rg -A3 '"node_modules/basic-ftp"'

echo ""
echo "=== Check if npm install would auto-update to 5.3.0 based on get-uri's range ==="
echo "get-uri dependency: basic-ftp ^5.0.2 allows any version >= 5.0.2 and < 6.0.0"
echo ""
echo "=== Latest published versions of basic-ftp on npm ==="
curl -s https://registry.npmjs.org/basic-ftp | jq -r '.versions | keys[-5:]'


🏁 Script executed:

#!/bin/bash
# Verify: show the exact diff for commit 88f13a3
echo "=== Full diff for commit 88f13a3 focusing on basic-ftp lines ==="
git diff 88f13a3^..88f13a3 -- package-lock.json | grep -A10 -B10 "basic-ftp" | head -60

echo ""
echo "=== Check what version 88f13a3 claims to bump FROM ==="
git show 88f13a3^:package-lock.json | rg -A2 '"node_modules/basic-ftp"' 2>/dev/null || echo "No basic-ftp found in parent"


🏁 Script executed:

#!/bin/bash
# Check the commit message directly
echo "=== Commit message for 88f13a3 ==="
git log -1 --format="%B" 88f13a3

echo ""
echo "=== Check if there's a PR description or related issue ==="
git log --all --grep="5.2.2" --format="%H %s" | head -10

echo ""
echo "=== Verify: did npm lock file get regenerated after the commit? ==="
echo "Checking if package-lock.json timestamp differs from commit 88f13a3..."
git log --format="%H %ai" 88f13a3 | head -1

echo ""
echo "=== See all commits that touched basic-ftp in the log ==="
git log --all --oneline | grep -i "basic-ftp"


Lockfile version (5.3.0) does not match committed intent (5.2.2).

Commit 88f13a3 is titled "refactor: bump basic-ftp from 5.2.0 to 5.2.2" and includes Dependabot metadata explicitly targeting version 5.2.2, but the package-lock.json at that commit and currently at HEAD contains version 5.3.0. The mismatch likely occurred because basic-ftp is an indirect dependency (via get-uri with constraint ^5.0.2), which permits version 5.3.0. Either the lockfile was regenerated after the commit with npm install without pinning to the intended version, or the upgrade scope was widened intentionally. Clarify whether 5.3.0 is acceptable or if the lock should be regenerated to match the stated 5.2.2 target.

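The Dependabot description warns that the new version adds a prepare script, and the review comment above shows the lockfile entry for basic-ftp (version, resolved URL, integrity) disagreeing with the 5.2.2 the PR declares. The Python below is an added example of the offline checks a reviewer can run on such an entry; it is not code from parse-dashboard, basic-ftp or CodeRabbit. It constructs its own tarball and lockfile entry so that it runs without network access, which means the hash it computes is not the real basic-ftp hash, and the "prepare" script body is an assumption. In practice the tarball bytes come from the URL in "resolved" and the declared version from the PR title or the Dependabot metadata.

```python
"""Added example: offline sanity checks on an npm lockfile entry for a dependency bump.

Not code from parse-dashboard, basic-ftp or CodeRabbit. The tarball and the
lockfile entry are constructed in-line so the example runs without network
access; the 'prepare' script content is an assumption, not basic-ftp's script.
"""
import base64
import gzip
import hashlib
import io
import json
import tarfile

# Scripts npm may run without the consumer asking for them. preinstall/install/
# postinstall run for registry tarballs; prepare runs for git dependencies and in
# the package's own checkout. A reviewer wants to read all of them either way.
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string in the form npm stores under 'integrity'."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def build_tarball(name: str, version: str, scripts: dict) -> bytes:
    """Construct a minimal npm-style tarball (package/package.json), deterministically.

    gzip mtime is pinned to 0 and TarInfo defaults to mtime 0, so the same input
    always yields the same bytes and therefore the same integrity value.
    """
    manifest = json.dumps({"name": name, "version": version, "scripts": scripts}).encode()
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            info = tarfile.TarInfo("package/package.json")
            info.size = len(manifest)
            tar.addfile(info, io.BytesIO(manifest))
    return buf.getvalue()


def tarball_scripts(tgz: bytes) -> dict:
    """Read package/package.json out of the tarball without extracting to disk."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        member = tar.extractfile("package/package.json")
        return json.load(member).get("scripts", {})


def audit_lock_entry(entry: dict, declared_version: str, tgz: bytes) -> list:
    """Return human-readable findings; an empty list means nothing to raise.

    entry is the lockfile object for the package (version/resolved/integrity),
    declared_version is what the PR says it bumps to, tgz is the tarball bytes.
    """
    findings = []
    if entry["version"] != declared_version:
        findings.append(
            f"version mismatch: lockfile {entry['version']}, PR declares {declared_version}"
        )
    if not entry["resolved"].endswith(f"-{entry['version']}.tgz"):
        findings.append(
            f"resolved URL does not name version {entry['version']}: {entry['resolved']}"
        )
    if entry["integrity"] != sri_sha512(tgz):
        findings.append("integrity does not match the tarball contents")
    scripts = tarball_scripts(tgz)
    for name in sorted(set(scripts) & LIFECYCLE_SCRIPTS):
        findings.append(f"lifecycle script '{name}': {scripts[name]}")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the 5.3.0 entry in this PR; the script body is made up.
    tgz = build_tarball("basic-ftp", "5.3.0", {"prepare": "npm run build"})
    entry = {
        "version": "5.3.0",
        "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
        "integrity": sri_sha512(tgz),
    }
    for finding in audit_lock_entry(entry, "5.2.2", tgz):
        print(finding)
```

One caveat on which scripts actually run: for a dependency fetched as a registry tarball, npm runs preinstall, install and postinstall on the consumer's machine; prepare runs when the package is installed from a git URL or built in its own checkout. The check lists all of them because each deserves reading regardless, and `npm ci --ignore-scripts` is the safe default while the decision is pending.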
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.2.0 to 5.2.2.
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.2.2)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.2.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/basic-ftp-5.2.2 branch from 88f13a3 to 3c42450 Compare April 16, 2026 20:56
mtrezza (Member) commented Apr 16, 2026

Closing: Dependabot's lock file update incorrectly removes node_modules/filing-cabinet/node_modules/typescript@5.9.3, causing npm ci to fail with "Missing: typescript@5.9.3 from lock file" on Node 20 and Node 22. Additionally, the actual version bump is to 5.3.0, not 5.2.2 as stated in the title. Recreating did not fix the issue. This dependency bump can be picked up in a future Dependabot run or handled manually.

@mtrezza mtrezza closed this Apr 16, 2026
dependabot[bot] (Contributor, Author) commented on behalf of github Apr 16, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/basic-ftp-5.2.2 branch April 16, 2026 20:57