Skip to content

chore: bump vercel from 50.44.0 to 52.2.0#369

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/vercel-52.2.0
Open

chore: bump vercel from 50.44.0 to 52.2.0#369
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/vercel-52.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 8, 2026
edited by cubic-dev-ai Bot
Loading

Copy link
Copy Markdown
Contributor

Bumps vercel from 50.44.0 to 52.2.0.

Release notes

Sourced from vercel's releases.

vercel@52.2.0

Minor Changes

  • 24686d0: Add configurable auth token storage with keyring-backed persistence and file fallback support.

Patch Changes

  • Updated dependencies [24686d0]
  • Updated dependencies [d36ee35]
  • Updated dependencies [56c9f89]
    • @​vercel/cli-auth@​0.1.0
    • @​vercel/node@​5.7.13

vercel@52.0.0

Major Changes

  • fix!: exclude configuration files from static deployments (#16056)

Minor Changes

  • Add vercel connex token command to fetch tokens for Connex clients, with auto-authorize / auto-install recovery on actionable 422 errors. (#16072)

Patch Changes

  • Add vercel env run example to the env command help output (#16072)

  • vercel env update now applies the same Development guards as vercel env add: (#16072)

    • Errors with a docs-linked message when the selected record targets Development and the team has the Sensitive Environment Variables Policy enabled. No PATCH is attempted.
    • Errors when --sensitive is used on a record that targets Development (regardless of policy). Sensitive is not allowed on Development.

    Other env update behavior is unchanged.

  • Normalize single-line stdin env values by removing a trailing newline before (#16072) saving them.

  • Updated dependencies [2aa78415831fe89d1b21dd89704706bd1ad5e78d, 2aa78415831fe89d1b21dd89704706bd1ad5e78d, 2aa78415831fe89d1b21dd89704706bd1ad5e78d]:

    • @​vercel/build-utils@​13.20.0
    • @​vercel/python@​6.36.0
    • @​vercel/backends@​0.2.0
    • @​vercel/elysia@​0.1.71
    • @​vercel/express@​0.1.81
    • @​vercel/fastify@​0.1.74
    • @​vercel/go@​3.5.0
    • @​vercel/h3@​0.1.80
    • @​vercel/hono@​0.2.74
    • @​vercel/hydrogen@​1.3.6
    • @​vercel/koa@​0.1.54
    • @​vercel/nestjs@​0.2.75
    • @​vercel/next@​4.16.8

... (truncated)

Changelog

Sourced from vercel's changelog.

52.2.0

Minor Changes

  • 24686d0: Add configurable auth token storage with keyring-backed persistence and file fallback support.

Patch Changes

  • Updated dependencies [24686d0]
  • Updated dependencies [d36ee35]
  • Updated dependencies [56c9f89]
    • @​vercel/cli-auth@​0.1.0
    • @​vercel/node@​5.7.13

52.1.0

Minor Changes

  • ae90f00: vercel edge-config tokens --remove <ID_OR_TOKEN> now accepts either a token id (as shown in the id column of vercel edge-config tokens <id-or-slug>) or a plaintext token string. The CLI transparently consults the store's own token list to classify each value and sends { ids }, { tokens }, or both to DELETE /v1/edge-config/:id/tokens accordingly.

    • Backward compatible: existing scripts passing plaintext tokens keep working.
    • Forward compatible: once plaintext is no longer listed server-side, users can revoke by id with no CLI changes.
    • No new flag: everything stays on --remove, which is repeatable.
    vercel edge-config tokens my-store --remove <token-id> --yes
vercel edge-config tokens my-store --remove <plaintext-token> --yes
vercel edge-config tokens my-store --remove <id-1> --remove <plaintext-2> --yes

Patch Changes

  • 8d6cfde: Improve CLI unit test portability and argument fixture handling by replacing a POSIX-only mkdir -p call with Node's cross-platform mkdirSync(..., { recursive: true }), and by passing a token fixture as --token=<value> so values beginning with - are parsed correctly in non-interactive token tests.
  • 0252860: Prevent non-interactive next.command suggestions from echoing auth tokens across CLI flows, not just tokens add. The CLI now strips --token / -t flags (including inline =value forms) before building suggested rerun commands, so automation output cannot leak credentials copied from invocation args; VERCEL_TOKEN from environment variables was not affected.
  • Fail fast on SAML / missing-scope re-authentication when the device-code flow cannot succeed, so commands no longer hang waiting for a browser approval that will never come. reauthenticate now bails with an actionable error message when the token was supplied via --token, when it was supplied via the VERCEL_TOKEN environment variable, or when stdin is non-interactive (e.g. CI). In all three cases the user is told which token source needs a token authorized for the requested scope, instead of silently kicking off performDeviceCodeFlow.
    • @​vercel/static-build@​2.9.21

52.0.0

Major Changes

  • fix!: exclude configuration files from static deployments (#16056)

Minor Changes

  • Add vercel connex token command to fetch tokens for Connex clients, with auto-authorize / auto-install recovery on actionable 422 errors. (#16072)

Patch Changes

  • Add vercel env run example to the env command help output (#16072)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vercel since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade vercel CLI from 50.44.0 to 52.2.0 to pick up safer auth handling and a breaking change that excludes configuration files from static deployments.

  • Migration
    • If static deployments relied on config files being uploaded, move required files into your publish output (e.g., public/) or adjust the build.
    • CI/auth: ensure VERCEL_TOKEN has the needed scopes; non-interactive re-auth now fails fast if scopes are missing.
    • Scripts using vercel env update --sensitive for Development must be updated; sensitive vars are not allowed on Development.

Written for commit ba21fbc. Summary will update on new commits.

@dependabot
chore: bump vercel from 50.44.0 to 52.2.0
ba21fbc 
Bumps [vercel](https://github.com/vercel/vercel/tree/HEAD/packages/cli) from 50.44.0 to 52.2.0.
- [Release notes](https://github.com/vercel/vercel/releases)
- [Changelog](https://github.com/vercel/vercel/blob/main/packages/cli/CHANGELOG.md)
- [Commits](https://github.com/vercel/vercel/commits/vercel@52.2.0/packages/cli)

---
updated-dependencies:
- dependency-name: vercel
  dependency-version: 52.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 8, 2026
@sonarqubecloud

sonarqubecloud Bot commented May 8, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

Deploy preview for team-scope-test ready!

Project:team-scope-test
Status: ✅  Deploy successful!
Preview URL:https://team-scope-test-kubbs3236-dietfriends.vercel.app
Latest Commit:ba21fbc

Deployed with vercel-action

@github-actions

github-actions Bot commented May 8, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Deploy preview for zeit-now-deployment-action-example-angular ready!

Project:zeit-now-deployment-action-example-angular
Status: ✅  Deploy successful!
Preview URL:https://zeit-now-deployment-action-example-angular-hs090he9y.vercel.app
Latest Commit:ba21fbc
Alias:https://staging.angular.vercel-action.amond.dev
Alias:https://pr-369.angular.vercel-action.amond.dev

Deployed with vercel-action

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 8, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Architecture diagram 
sequenceDiagram
    participant CLI as Vercel CLI
    participant Auth as @vercel/cli-auth
    participant Keychain as OS Keychain
    participant FileStore as File System (Token File)
    participant API as Vercel API
    participant Static as Static Deployment
    participant Env as Env Command

    Note over CLI,Env: Major changes from 50.44.0 → 52.2.0

    CLI->>Auth: authenticate(tokenSource)
    alt Keyring available (NEW)
        Auth->>Keychain: store/read auth token
        Keychain-->>Auth: token value
    else Keyring unavailable
        Auth->>FileStore: read/write token file (fallback)
        FileStore-->>Auth: token value
    end
    Auth-->>CLI: authenticated session

    CLI->>API: deploy (static files)
    alt Configuration files detected (CHANGED - breaking)
        API->>Static: exclude config files from upload
        Note over API,Static: vercel.json, now.json no longer deployed
    else Normal files
        API->>Static: deploy as before
    end

    CLI->>API: vercel env update (CHANGED)
    opt Sensitive env var targeting Development
        API->>Env: block update (policy check)
        Env-->>CLI: error with docs link
    end

    CLI->>API: non-interactive re-auth (CHANGED)
    alt CLI in CI or --token mode
        CLI->>CLI: detect non-interactive stdin
        CLI->>API: check scope authorization
        alt Missing scope
            CLI->>CLI: fail fast with actionable message
            Note over CLI: No browser code flow attempted
        else Valid scope
            API-->>CLI: re-authenticate
        end
    end

    CLI->>API: vercel edge-config tokens --remove (CHANGED)
    alt Input is token ID
        CLI->>API: DELETE /v1/edge-config/:id/tokens (ids)
    else Input is plaintext token
        CLI->>API: DELETE /v1/edge-config/:id/tokens (tokens)
    end

    CLI->>CLI: next.command suggestion (CHANGED)
    CLI->>CLI: strip --token/-t flags from suggested command
    Note over CLI: Prevents token leak in non-interactive reruns
Loading

Requires human review: Production dependency major version bump (50 52) with breaking changes (config file exclusion, auth token storage). High risk of impact on CI/deployment logic. Requires human review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants