chore(deps): update all dependencies#3333
Conversation
🦋 Changeset detectedLatest commit: 82a81db The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3333 +/- ##
==========================================
- Coverage 94.29% 94.28% -0.01%
==========================================
Files 388 388
Lines 53080 53047 -33
Branches 4231 4232 +1
==========================================
- Hits 50051 50018 -33
Misses 3001 3001
Partials 28 28 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
WalkthroughChangesThis PR updates dependency metadata and audit-related config, refreshes compiler/runtime type and loop formatting, and regenerates compiled 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Around line 28-33: The toolchain overrides in package.json are forcing js-yaml
and diff beyond the majors that mocha still expects, so adjust the dependency
overrides to stay within mocha’s consumer-supported versions. Update the
package.json entries for js-yaml and the mocha-related diff override so they
align with the versions already declared in the lockfile and keep the
test/release toolchain compatible.
In `@packages/runtime-class/package.json`:
- Line 83: The runtime-class package is pulling in a minimatch version that
exceeds its declared Node 18 support, so keep the dependency on v9 until the
package engines are narrowed. Update the minimatch entry in package.json within
packages/runtime-class back to a Node 18-compatible release, and ensure the
package’s "node" engine declaration remains aligned with that dependency choice.
Use the minimatch dependency line and the package engine field to locate the
change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
5024901 to
8fbdb7d
Compare
8fbdb7d to
88dd3f5
Compare
Refresh package-lock and update every dependency to its latest compatible version. No npm overrides: production dependencies carry no known vulnerabilities (`npm run audit`, i.e. `npm audit --omit=dev`, is clean). The advisories bare `npm audit` still reports are confined to dev-only tooling (mocha, changesets) whose transitive fixes live in majors newer than those tools allow; they never ship — see agent-feedback/dx.md. - Babel toolchain -> 7.29.7 (regenerated the patch-package patches). - mocha 11.7.6 (patch regenerated), rolldown 1.1.4, prettier 3.9.4, js-beautify 2, minimatch 10, htmljs-parser 5.12.1, @luxass/strip-json-comments 2, @types/node 26, and the eslint/cspell/ typescript-eslint toolchain to latest. - Regenerated bundle snapshots for rolldown 1.1.4's more aggressive minifier and reformatted sources for prettier 3.9.4. - Added an `audit` script (`npm audit --omit=dev`) and the missing cspell terms. Held back as dedicated migrations (see agent-feedback/dx.md): Babel 8 (breaks the compiler's babel-7 lib patches) and chai 6 (ESM-only vs 379 CommonJS require sites). Full test suite, build, and lint all pass.
88dd3f5 to
82a81db
Compare
Description
Refreshes
package-lock.json(regenerated from scratch) and updates every dependency to its latest compatible version.No npm
overrides. Production dependencies carry no known vulnerabilities —npm run audit(npm audit --omit=dev) is clean, which is what consumers of@marko/compiler/marko/@marko/runtime-tags/@marko/runtime-classactually receive. The advisories barenpm auditstill reports (3, all undermocha/@changesets/clidev tooling) have their transitive fixes only in majors newer than those tools permit (serialize-javascript ^6→7.x,diff ^7→8.x,js-yaml ^4→5.x); mocha 11.7.6 is the newest stable and the latest changesets still pinsjs-yaml ^4.1.1, so they can't be resolved by a version bump and they never ship. Documented inagent-feedback/dx.md; revisit when those tools update upstream.Updates
patch-packagepatches for the new versions.mocha11.7.6 (patch regenerated),rolldown1.1.4,prettier3.9.4,js-beautify2,minimatch10,htmljs-parser5.12.1,@luxass/strip-json-comments2,@types/node26, and the eslint/cspell/typescript-eslint toolchain.js-cookie/tmp/undici/qsfloated to their patched versions within their parents' existing ranges (no overrides).cspell.json.auditscript (npm audit --omit=dev) as the production-scoped audit gate.Held back as dedicated migrations (noted in
agent-feedback/dx.md): Babel 8 (breaks the compiler's babel-7libpatches) and chai 6 (ESM-only vs 379 CommonJSrequiresites).Full test suite (8335 passing), build, and lint all pass.
Checklist: