Skip to content

build(deps): bump actions/setup-node from 4 to 6#388

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-6
Closed

build(deps): bump actions/setup-node from 4 to 6#388
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 30, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-node from 4 to 6.

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk workflow-only change that updates the Node setup GitHub Action; potential impact is limited to CI/publish runs if setup-node@v6 behavior differs (e.g., caching defaults).

Overview
Updates GitHub Actions workflows to use actions/setup-node@v6 instead of @v4 across CI, docs publishing, and release/publish pipelines.

No application/runtime code changes; the main effect is altered CI environment setup during builds, tests, and publish steps.

Reviewed by Cursor Bugbot for commit 7f2486b. Bugbot is set up for automated code reviews on this repo. Configure here.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 30, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 30, 2026 08:33
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 30, 2026
kinyoklion added a commit that referenced this pull request Jul 6, 2026
…icy (#411)

**Requirements**

- [x] I have added test coverage for new or changed functionality
(existing suite validates the build/runtime; this change is dev-tooling
+ config only)
- [x] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform
versions

**Related issues**

Replaces the currently open Dependabot PRs (#374, #377, #388, #392,
#393, #394), all of which are major-version bumps.

**Describe the solution you've provided**

This consolidates dependency maintenance into a single, tested PR and
codifies a safer Dependabot policy.

1. **Dependency update (`package.json`)** — bumps the `esbuild`
devDependency `^0.24.0` → `^0.28.1` to resolve the moderate advisory
GHSA-67mh-4wv8-2f99 (esbuild `<=0.24.2` dev server request). `npm audit`
now reports **0 vulnerabilities**. esbuild `0.28.1` was released
2026-06-11 (~25 days ago), satisfying a 7-day quarantine. This is the
only actionable update under the new same-major policy: `npm outdated`
shows every other outstanding update is a major bump with no security
justification, and everything else is already at the latest version
within its current major.

2. **Dependabot policy (`.github/dependabot.yml`)** — for both the `npm`
and `github-actions` ecosystems:
- `cooldown: { default-days: 7 }` enforces the dependency quarantine
(only adopt releases ≥7 days old) going forward.
- `ignore` on `dependency-name: "*"` with `update-types:
["version-update:semver-major"]` restricts version-update PRs to the
current major. Per GitHub's docs, `update-types` does not affect
security updates, so Dependabot will still open a major-version PR when
required to resolve a vulnerability.

Validated locally: `npm run build`, `npm run lint`, `tsc`, and the full
`jest` suite (93 tests) all pass, and `npm audit` is clean.

**Describe alternatives you've considered**

- Adopting the open React 19 devDependency bumps (react, react-dom,
react-test-renderer and their `@types`) and `actions/setup-node` v6.
These are all major bumps with no security driver, so they are
intentionally excluded under the new same-major policy. They can be
pursued separately as deliberate, tested major upgrades if desired.
- A global `semver-major` ignore alone (without noting the security
exemption): documented behavior confirms security updates are unaffected
by `update-types`, so the security-major path remains open.

**Additional context**

The 7-day quarantine and same-major restriction reduce exposure to
supply-chain risk from freshly published or major releases while keeping
security fixes flowing.


Link to Devin session:
https://app.devin.ai/sessions/9a6e6afb929646c3b9d14c4f13a17601
Requested by: @kinyoklion

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> DevDependency and Dependabot config only; no changes to the published
SDK runtime or consumer-facing APIs.
> 
> **Overview**
> Bumps the **esbuild** devDependency from `^0.24.0` to `^0.28.1` to
address moderate advisory GHSA-67mh-4wv8-2f99 (dev-server request
handling in older esbuild). This is a build-time-only change.
> 
> Updates **`.github/dependabot.yml`** for both **npm** and
**github-actions**: documents the existing 7-day **cooldown** quarantine
and adds a global **`ignore`** for **`version-update:semver-major`**, so
routine Dependabot PRs stay on the current major. Security-driven
updates can still propose major bumps per GitHub’s rules.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
503cc1f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Looks like actions/setup-node is no longer being updated by Dependabot, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 6, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/setup-node-6 branch July 6, 2026 20:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants