Skip to content

build(deps-dev): bump the development-minor-and-patch group across 1 directory with 4 updates#114

Merged
steipete merged 1 commit into
mainfrom
dependabot/npm_and_yarn/development-minor-and-patch-e996bbb3df
May 28, 2026
Merged

build(deps-dev): bump the development-minor-and-patch group across 1 directory with 4 updates#114
steipete merged 1 commit into
mainfrom
dependabot/npm_and_yarn/development-minor-and-patch-e996bbb3df

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 25, 2026

Copy link
Copy Markdown
Contributor

Bumps the development-minor-and-patch group with 4 updates in the / directory: @types/node, oxfmt, oxlint and vitest.

Updates @types/node from 25.8.0 to 25.9.1

Commits

Updates oxfmt from 0.51.0 to 0.52.0

Changelog

Sourced from oxfmt's changelog.

[0.52.0] - 2026-05-26

🚀 Features

  • 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#22454) (leaysgur)

[0.50.0] - 2026-05-15

🐛 Bug Fixes

  • 43b9978 formatter/sort_imports: Treat subpath imports as internal (#22440) (leaysgur)

[0.49.0] - 2026-05-11

🚀 Features

  • 6e8e818 oxfmt: Experimental .svelte support (#21700) (leaysgur)

[0.45.0] - 2026-04-13

🐛 Bug Fixes

  • 50c389b oxfmt: Support .editorconfig quote_type (#20989) (leaysgur)

[0.44.0] - 2026-04-06

🐛 Bug Fixes

  • dd2df87 npm: Export package.json for oxlint and oxfmt (#20784) (kazuya kawaguchi)
  • 4216380 oxfmt: Support .editorconfig tab_width fallback (#20988) (leaysgur)

[0.43.0] - 2026-03-30

🚀 Features

  • 6ef440a oxfmt: Support bool for object style options (#20853) (leaysgur)

[0.42.0] - 2026-03-24

🚀 Features

  • 416865a formatter,oxfmt: Add doc comments for JsdocConfig (#20644) (leaysgur)
  • 4fec907 formatter: Add JSDoc comment formatting support (#19828) (Dunqing)

[0.40.0] - 2026-03-12

🐛 Bug Fixes

  • bc20217 oxlint,oxfmt: Omit useless | null for Option<T> field from schema (#20273) (leaysgur)

... (truncated)

Commits

Updates oxlint from 1.65.0 to 1.67.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.67.0] - 2026-05-26

🚀 Features

  • b84941e linter/vue: Implement no-expose-after-await rule (#22675) (bab)
  • 98b98c1 linter/vue: Implement no-computed-properties-in-data rule (#22674) (bab)
  • 2d4c919 oxlint: Support vite-plus/resolveConfig for vite.config.ts (#22456) (leaysgur)
  • 2a60012 linter/vue: Implement require-render-return rule (#22613) (bab)
  • 9f227fd linter/vue: Implement no-deprecated-props-default-this rule (#21892) (bab)
  • 87f065e linter/vue: Implement return-in-emits-validator rule (#21935) (bab)
  • ea0380c linter/unicorn: Implement import-style rule (#22173) (Hao Chen)
  • dde40fe linter/vue: Implement no-watch-after-await rule (#22006) (bab)
  • a735eb0 linter/vue: Implement valid-next-tick rule (#22531) (bab)
  • 6dc615d linter/vue: Implement no-shared-component-data rule (#21842) (bab)
  • a656418 linter/vue: Implement valid-define-options rule (#22107) (bab)
  • bb6f1b2 linter/vue: Implement require-slots-as-functions rule (#22244) (bab)
  • 5fa4774 linter/n: Implement callback-return rule (#22470) (Mikhail Baev)

[1.66.0] - 2026-05-18

🚀 Features

  • 0440b0f linter/eslint: Implement id-match rule (#22379) (Vladislav Sayapin)
  • 65bf119 linter: Implement react no-object-type-as-default-prop (#22481) (uhyo)
  • 2a6ddce linter/eslint: Implement no-implied-eval rule (#22391) (Vladislav Sayapin)
  • 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#21788) (kapobajza)
  • 37680b0 linter: Implement react no-unstable-nested-components (#22248) (Jovi De Croock)
  • d8d9c74 linter: Implement import/newline-after-import rule (#19142) (Ryuya Yanagi)
Commits
  • 68b455d release(apps): oxlint v1.67.0 && oxfmt v0.52.0 (#22735)
  • b84941e feat(linter/vue): implement no-expose-after-await rule (#22675)
  • 98b98c1 feat(linter/vue): implement no-computed-properties-in-data rule (#22674)
  • 2d4c919 feat(oxlint): Support vite-plus/resolveConfig for vite.config.ts (#22456)
  • 2a60012 feat(linter/vue): implement require-render-return rule (#22613)
  • 9f227fd feat(linter/vue): implement no-deprecated-props-default-this rule (#21892)
  • 87f065e feat(linter/vue): implement return-in-emits-validator rule (#21935)
  • ea0380c feat(linter/unicorn): implement import-style rule (#22173)
  • dde40fe feat(linter/vue): implement no-watch-after-await rule (#22006)
  • a735eb0 feat(linter/vue): implement valid-next-tick rule (#22531)
  • Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 25, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 25, 2026 22:18
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 25, 2026
@socket-security

socket-security Bot commented May 25, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedvitest@​4.1.6 ⏵ 4.1.7961007998100
Added@​types/​node@​25.9.11001008195100
Addedoxlint@​1.67.0991009196100
Addedoxfmt@​0.52.0991009296100

View full report

@clawsweeper

clawsweeper Bot commented May 25, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed May 28, 2026, 11:29 AM ET / 15:29 UTC.

Summary
This PR updates development dependency metadata for @types/node, oxfmt, oxlint, and vitest, changing package.json only for oxfmt and refreshing pnpm-lock.yaml resolutions.

Reproducibility: not applicable. this is a dependency maintenance PR, not a bug report. The relevant verification is package metadata review plus CI and dependency-review results.

Review metrics: 2 noteworthy metrics.

  • Changed files: 2 package files. The review surface is limited to package.json and pnpm-lock.yaml, both package-integrity files.
  • Direct dev updates: 4 updates. All direct updates are development tooling rather than runtime dependencies.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Wait for CI and dependency-review checks to complete on the current head before merging.

Risk before merge

  • [P1] The supplied GitHub context reports the PR as mergeable but in an unstable checks state, so it should wait for required CI and dependency-review results before merge.

Maintainer options:

  1. Decide the mitigation before merge
    Land the narrow Dependabot bump after CI, dependency review, and package-owner review pass, or let Dependabot refresh the branch if upstream versions move again.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • No ClawSweeper repair lane is needed because the review found no narrow defect for automation to fix.

Security
Cleared: The diff is limited to direct dev-dependency and lockfile updates, and I found no concrete security or supply-chain regression in the provided PR context.

Review details

Best possible solution:

Land the narrow Dependabot bump after CI, dependency review, and package-owner review pass, or let Dependabot refresh the branch if upstream versions move again.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency maintenance PR, not a bug report. The relevant verification is package metadata review plus CI and dependency-review results.

Is this the best way to solve the issue?

Yes: a Dependabot manifest and lockfile bump is the narrowest maintainable path for these dev-tool updates, and I found no duplicate supported path or line-level defect.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1d1284dba70e.

Label changes

Label changes:

  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • remove rating: 🦞 diamond lobster: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

  • P3: This is a low-risk development dependency maintenance PR with limited blast radius.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Real behavior proof is not applicable for this Dependabot bot dependency-update PR; CI and dependency review are the relevant gates.
Evidence reviewed

What I checked:

  • Repository policy read: Read the full AGENTS.md and applied its pnpm/Node 22, test-command, and generated-output guidance while reviewing this dependency PR. (AGENTS.md:1, 1d1284dba70e)
  • Current main dependency state: Current main still has oxfmt at ^0.51.0 in package.json, so the PR's ^0.52.0 manifest update is not already implemented on main. (package.json:37, 1d1284dba70e)
  • PR diff scope: The supplied PR file list changes only package.json and pnpm-lock.yaml, with package.json updating oxfmt from ^0.51.0 to ^0.52.0 and the lockfile refreshing four dev-tool resolutions. (package.json:37, d8642afa5b85)
  • Dependabot grouping: The repository has a weekly Dependabot group for development minor and patch npm updates, matching this PR's stated dependency-update path. (.github/dependabot.yml:17, 1d1284dba70e)
  • Package history: Recent package history shows the current oxfmt baseline was updated on main by commit 1d1284d, while the original dependency set dates to cdd58ac. (package.json:37, 1d1284dba70e)
  • Supply-chain review context: The Socket bot comment reported high scores for the updated direct dev dependencies and did not surface a concrete vulnerability or supply-chain block in the provided context.

Likely related people:

  • steipete: Peter Steinberger authored the original package metadata in cdd58ac and the current main oxfmt bump in 1d1284d. (role: recent dependency contributor; confidence: high; commits: cdd58ac59213, 1d1284dba70e; files: package.json, pnpm-lock.yaml)
  • vincentkoc: Vincent Koc recently touched package.json and CODEOWNERS in the constrained Crabbox setup commit, which is adjacent to package integrity review. (role: recent adjacent contributor; confidence: medium; commits: 857d854ac8d0; files: package.json, .github/CODEOWNERS)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels May 25, 2026
@clawsweeper

clawsweeper Bot commented May 25, 2026

Copy link
Copy Markdown
Contributor

ClawSweeper PR egg

✨ Hatched: 🥚 common Clockwork Patch Peep

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: watches the merge queue.
Image traits: location workflow harbor; accessory review stamp; palette pearl, teal, and neon green; mood bright-eyed; pose leaning over a miniature review desk; shell frosted glass shell; lighting tiny status-light glow; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Clockwork Patch Peep in ClawSweeper.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@clawsweeper clawsweeper Bot added rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels May 25, 2026
…directory with 4 updates

Bumps the development-minor-and-patch group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt), [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).


Updates `@types/node` from 25.8.0 to 25.9.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `oxfmt` from 0.51.0 to 0.52.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.52.0/npm/oxfmt)

Updates `oxlint` from 1.65.0 to 1.67.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.67.0/npm/oxlint)

Updates `vitest` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.7/packages/vitest)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.9.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-minor-and-patch
- dependency-name: oxfmt
  dependency-version: 0.51.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-minor-and-patch
- dependency-name: oxlint
  dependency-version: 1.66.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps-dev): bump the development-minor-and-patch group with 4 updates build(deps-dev): bump the development-minor-and-patch group across 1 directory with 4 updates May 28, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/development-minor-and-patch-e996bbb3df branch from 22b80ac to d8642af Compare May 28, 2026 15:25
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. and removed rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. labels May 28, 2026
@steipete steipete merged commit 779efd2 into main May 28, 2026
7 checks passed
@steipete steipete deleted the dependabot/npm_and_yarn/development-minor-and-patch-e996bbb3df branch May 28, 2026 19:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant