fix(deps): update device_page and test JS lockfiles to resolve Dependabot alerts #10877
BenJule wants to merge 4 commits into
- pnpm update --latest: vite 6→8, rollup 4.60→4.64, typescript 5→6, eslint 9→10; resolves tar, flatted, minimatch, picomatch, postcss, js-yaml, rollup, vite CVEs (20 alerts)
- tsconfig.app.json: add ignoreDeprecations:6.0 for baseUrl (TS 6.0)
device_page: brace-expansion patched via npm audit fix
tests/web-e2e: @typescript-eslint 8.59.4 pulls in patched brace-expansion, minimatch, picomatch
Pull request overview
This PR updates JavaScript dependencies/lockfiles for the device_page embedded web UI and the tests/web-e2e Playwright suite, primarily to address Dependabot security alerts.
Changes:
- Bumps `tests/web-e2e` lint/tooling dependencies (notably `@typescript-eslint/*`) and refreshes the `pnpm-lock.yaml`.
- Upgrades `device_page` runtime/tooling dependencies (React/TanStack/Tailwind/Vite/ESLint/TypeScript) and adds a TypeScript compiler option tweak.
- Updates a nested `brace-expansion` entry in `device_page/package-lock.json`.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/web-e2e/pnpm-lock.yaml | Updates lockfile entries for lint/tooling packages (e.g., @typescript-eslint/*, semver, brace-expansion). |
| tests/web-e2e/package.json | Bumps @typescript-eslint/* devDependencies and reformats pnpm.onlyBuiltDependencies. |
| src/slic3r/GUI/DeviceWeb/device_page/tsconfig.app.json | Adds ignoreDeprecations to compiler options. |
| src/slic3r/GUI/DeviceWeb/device_page/package.json | Major dependency/tooling upgrades (notably Vite 8 / ESLint 10 / TypeScript 6). |
| src/slic3r/GUI/DeviceWeb/device_page/package-lock.json | Updates brace-expansion from 5.0.5 to 5.0.6 in a nested dependency. |
Files not reviewed (2)
- src/slic3r/GUI/DeviceWeb/device_page/package-lock.json: Language not supported
- tests/web-e2e/pnpm-lock.yaml: Language not supported
| "dependencies": { | ||
| "@radix-ui/react-dialog": "^1.1.14", | ||
| "@radix-ui/react-dialog": "^1.1.15", | ||
| "@radix-ui/react-icons": "^1.3.2", | ||
| "@radix-ui/react-popover": "^1.1.14", | ||
| "@radix-ui/react-toggle-group": "^1.1.10", | ||
| "@tailwindcss/vite": "^4.1.8", | ||
| "@tanstack/react-router": "^1.120.15", | ||
| "i18next": "^25.3.2", | ||
| "immer": "^10.1.1", | ||
| "radix-ui": "^1.4.2", | ||
| "react": "^19.1.0", | ||
| "react-dom": "^19.1.0", | ||
| "react-i18next": "^15.6.1", | ||
| "tailwindcss": "^4.1.8", | ||
| "zustand": "^5.0.6" | ||
| "@radix-ui/react-popover": "^1.1.15", | ||
| "@radix-ui/react-toggle-group": "^1.1.11", | ||
| "@tailwindcss/vite": "^4.3.0", |
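Review bot: In the dependencies block, entries such as "@radix-ui/react-dialog" moving from "^1.1.14" to "^1.1.15" only raise the floor of a caret range that already admitted the newer release, so the manifest edit does not change what can be resolved; the lockfile does. For a change whose stated purpose is clearing security alerts, consider limiting package.json edits to the packages an alert names, or list in the description which of these bumps map to an alert, so the fix can be reviewed separately from routine upgrades.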
| "typescript": "~6.0.3", | ||
| "typescript-eslint": "^8.59.4", | ||
| "vite": "^8.0.14" |
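Review bot: "vite": "^8.0.14" and "typescript": "~6.0.3" are major-version jumps of the build toolchain, a larger change than a lockfile refresh and one that brings its own Node runtime requirement. Declare the supported Node range in engines.node next to these entries, and confirm that "typescript-eslint": "^8.59.4" lists TypeScript 6 in its supported peer range before merging.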
| "noFallthroughCasesInSwitch": true, | ||
| "noUncheckedSideEffectImports": true, | ||
|
|
||
| "ignoreDeprecations": "6.0", |
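Review bot: "ignoreDeprecations": "6.0" is added with no comment saying which deprecated option it covers, and it silences every deprecation diagnostic of that version for the whole project, not a single one. Add a comment naming the option being tolerated (the commit message gives baseUrl) and plan its removal, so the setting does not hide later deprecations.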
Thanks for the contribution! Just a quick reminder that upgrading libraries can introduce compatibility risks or unexpected side effects, so we need to evaluate the impact carefully before merging.
Address Copilot/reviewer feedback on bambulab#10877:
- Add engines.node: "^20.19.0 || >=22.12.0" to device_page/package.json (Vite 8 requires Node 20.19+ or 22.12+; declaring it prevents silent failures on older Node runtimes in CI or developer environments)
- Narrow ignoreDeprecations from "6.0" to "5.0" in tsconfig.app.json so TS 6.x deprecations still surface; add comment explaining scope
Thanks for the thorough review, @XinZhangBambu and @Copilot! All three points are addressed in the latest commit: [Medium] PR description updated [High] [Low]
Pull request overview
Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.
Files not reviewed (2)
- src/slic3r/GUI/DeviceWeb/device_page/package-lock.json: Language not supported
- tests/web-e2e/pnpm-lock.yaml: Language not supported
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Apologies — this PR was closed by mistake on 2026-06-07, and that was an error on my side, not a deliberate decision to withdraw the change. It happened as an unintended side effect of a branch cleanup in my fork: deleting the head branch automatically closed this PR. The contribution still stands. I have restored the branch and reopened the PR. Sorry for the noise and any confusion this caused.
Summary
Updates JavaScript dependencies for `device_page` and `tests/web-e2e` to resolve outstanding Dependabot security alerts — this includes both lockfile regeneration and direct version bumps in `package.json`.
device_page (`src/slic3r/GUI/DeviceWeb/device_page/`)
tests/web-e2e (`tests/web-e2e/`)
No changes to C++ source code, build system, or application behaviour.
Compatibility note
Vite 8 requires Node `^20.19.0 || >=22.12.0`. The `engines.node` field now declares this explicitly. CI runners using Node 18 or older 20.x will need to be updated if they build the `device_page` web asset.
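A preflight check for the Node range stated in the compatibility note, as an added example that is not part of the PR or the project's code. The function names and the sample runner versions are constructed for illustration; the evaluator handles only the two comparator forms this range uses.

```javascript
// Added example: minimal evaluator for the engines.node range quoted in the
// compatibility note. Supports only ^X.Y.Z and >=X.Y.Z joined by "||";
// it is not a general semver parser and ignores prerelease tags.
const ENGINES_NODE = "^20.19.0 || >=22.12.0"; // value taken from the PR description

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfiesComparator(version, comparator) {
  const c = comparator.trim();
  if (c.startsWith("^")) {
    const floor = parseVersion(c.slice(1));
    // Caret with a non-zero major: same major, at or above the floor.
    return version[0] === floor[0] && compare(version, floor) >= 0;
  }
  if (c.startsWith(">=")) return compare(version, parseVersion(c.slice(2))) >= 0;
  throw new Error(`unsupported comparator: ${c}`);
}

function nodeSatisfies(versionText, range = ENGINES_NODE) {
  const version = parseVersion(versionText);
  return range.split("||").some((c) => satisfiesComparator(version, c));
}

// Constructed sample versions standing in for CI runner images.
const SAMPLE_RUNNERS = ["18.20.4", "20.18.1", "20.19.0", "21.7.3", "22.11.0", "22.12.0", "24.1.0"];

function rejectedRunners(versions = SAMPLE_RUNNERS) {
  return versions.filter((v) => !nodeSatisfies(v));
}

console.log("rejected:", rejectedRunners().join(", "));
console.log(`this runtime (${process.versions.node}):`,
  nodeSatisfies(process.versions.node) ? "ok" : "outside the declared range");
```

The range also excludes Node 21.x and 22.0 through 22.11, so a runner that is newer than 20.19 can still fall outside it.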