Skip to content

chore(deps): update all dependencies#3333

Merged
DylanPiercey merged 1 commit into
mainfrom
claude/dependency-updates-audit-0tv980
Jul 7, 2026
Merged

chore(deps): update all dependencies#3333
DylanPiercey merged 1 commit into
mainfrom
claude/dependency-updates-audit-0tv980

Conversation

@DylanPiercey

@DylanPiercey DylanPiercey commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

Refreshes package-lock.json (regenerated from scratch) and updates every dependency to its latest compatible version.

No npm overrides. Production dependencies carry no known vulnerabilitiesnpm run audit (npm audit --omit=dev) is clean, which is what consumers of @marko/compiler / marko / @marko/runtime-tags / @marko/runtime-class actually receive. The advisories bare npm audit still reports (3, all under mocha / @changesets/cli dev tooling) have their transitive fixes only in majors newer than those tools permit (serialize-javascript ^6→7.x, diff ^7→8.x, js-yaml ^4→5.x); mocha 11.7.6 is the newest stable and the latest changesets still pins js-yaml ^4.1.1, so they can't be resolved by a version bump and they never ship. Documented in agent-feedback/dx.md; revisit when those tools update upstream.

Updates

  • Babel toolchain → 7.29.7, regenerating the four patch-package patches for the new versions.
  • Latest: mocha 11.7.6 (patch regenerated), rolldown 1.1.4, prettier 3.9.4, js-beautify 2, minimatch 10, htmljs-parser 5.12.1, @luxass/strip-json-comments 2, @types/node 26, and the eslint/cspell/typescript-eslint toolchain.
  • js-cookie / tmp / undici / qs floated to their patched versions within their parents' existing ranges (no overrides).
  • Regenerated bundle snapshots for rolldown 1.1.4's more aggressive minifier (constant folding / dead-branch elimination), reformatted sources for prettier 3.9.4, and added the missing terms to cspell.json.
  • Added an audit script (npm audit --omit=dev) as the production-scoped audit gate.

Held back as dedicated migrations (noted in agent-feedback/dx.md): Babel 8 (breaks the compiler's babel-7 lib patches) and chai 6 (ESM-only vs 379 CommonJS require sites).

Full test suite (8335 passing), build, and lint all pass.

Checklist:

  • I have read the CONTRIBUTING document and have signed (or will sign) the CLA.
  • I have updated/added documentation affected by my changes.
  • I have added tests to cover my changes.

@changeset-bot

changeset-bot Bot commented Jul 7, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 82a81db

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@marko/compiler Patch
marko Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 90.90909% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 94.28%. Comparing base (2f400f4) to head (82a81db).

Files with missing lines Patch % Lines
packages/runtime-class/src/translator/tag/util.js 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3333      +/-   ##
==========================================
- Coverage   94.29%   94.28%   -0.01%     
==========================================
  Files         388      388              
  Lines       53080    53047      -33     
  Branches     4231     4232       +1     
==========================================
- Hits        50051    50018      -33     
  Misses       3001     3001              
  Partials       28       28              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Changes

This PR updates dependency metadata and audit-related config, refreshes compiler/runtime type and loop formatting, and regenerates compiled .sizes artifacts and many benchmark sizes.json fixtures. It also simplifies createScope in the runtime bundle and updates a Mocha patch to log caught require errors.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title matches the main change: a broad dependency update.
Description check ✅ Passed The description clearly describes the dependency refresh and related audit/doc/test changes.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/dependency-updates-audit-0tv980

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 28-33: The toolchain overrides in package.json are forcing js-yaml
and diff beyond the majors that mocha still expects, so adjust the dependency
overrides to stay within mocha’s consumer-supported versions. Update the
package.json entries for js-yaml and the mocha-related diff override so they
align with the versions already declared in the lockfile and keep the
test/release toolchain compatible.

In `@packages/runtime-class/package.json`:
- Line 83: The runtime-class package is pulling in a minimatch version that
exceeds its declared Node 18 support, so keep the dependency on v9 until the
package engines are narrowed. Update the minimatch entry in package.json within
packages/runtime-class back to a Node 18-compatible release, and ensure the
package’s "node" engine declaration remains aligned with that dependency choice.
Use the minimatch dependency line and the package engine field to locate the
change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread package.json Outdated
Comment thread packages/runtime-class/package.json
@DylanPiercey DylanPiercey force-pushed the claude/dependency-updates-audit-0tv980 branch from 5024901 to 8fbdb7d Compare July 7, 2026 02:49
@DylanPiercey DylanPiercey changed the title chore(deps): update all dependencies and resolve npm audit chore(deps): update all dependencies Jul 7, 2026
@DylanPiercey DylanPiercey force-pushed the claude/dependency-updates-audit-0tv980 branch from 8fbdb7d to 88dd3f5 Compare July 7, 2026 03:11
Refresh package-lock and update every dependency to its latest
compatible version. No npm overrides: production dependencies carry no
known vulnerabilities (`npm run audit`, i.e. `npm audit --omit=dev`, is
clean). The advisories bare `npm audit` still reports are confined to
dev-only tooling (mocha, changesets) whose transitive fixes live in
majors newer than those tools allow; they never ship — see
agent-feedback/dx.md.

- Babel toolchain -> 7.29.7 (regenerated the patch-package patches).
- mocha 11.7.6 (patch regenerated), rolldown 1.1.4, prettier 3.9.4,
  js-beautify 2, minimatch 10, htmljs-parser 5.12.1,
  @luxass/strip-json-comments 2, @types/node 26, and the eslint/cspell/
  typescript-eslint toolchain to latest.
- Regenerated bundle snapshots for rolldown 1.1.4's more aggressive
  minifier and reformatted sources for prettier 3.9.4.
- Added an `audit` script (`npm audit --omit=dev`) and the missing
  cspell terms.

Held back as dedicated migrations (see agent-feedback/dx.md): Babel 8
(breaks the compiler's babel-7 lib patches) and chai 6 (ESM-only vs 379
CommonJS require sites).

Full test suite, build, and lint all pass.
@DylanPiercey DylanPiercey force-pushed the claude/dependency-updates-audit-0tv980 branch from 88dd3f5 to 82a81db Compare July 7, 2026 04:29
@DylanPiercey DylanPiercey merged commit 4fedb7e into main Jul 7, 2026
10 of 11 checks passed
@DylanPiercey DylanPiercey deleted the claude/dependency-updates-audit-0tv980 branch July 7, 2026 14:05
@github-actions github-actions Bot mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant