build(deps-dev): bump the development-minor-and-patch group with 2 updates #127

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/development-minor-and-patch-b763f5d456

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026


Bumps the development-minor-and-patch group with 2 updates: @types/node and oxfmt.

Updates @types/node from 25.9.1 to 25.9.2

Commits

Updates oxfmt from 0.53.0 to 0.54.0

Changelog

Sourced from oxfmt's changelog.

[0.54.0] - 2026-06-08

📚 Documentation

  • dadafe3 oxlint, oxfmt: Mention migrate skills in npm READMEs (#22965) (Boshen)
  • f88961a oxfmt: Annotate each config option with supported languages (#22953) (leaysgur)

[0.52.0] - 2026-05-26

🚀 Features

  • 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#22454) (leaysgur)

[0.50.0] - 2026-05-15

🐛 Bug Fixes

  • 43b9978 formatter/sort_imports: Treat subpath imports as internal (#22440) (leaysgur)

[0.49.0] - 2026-05-11

🚀 Features

  • 6e8e818 oxfmt: Experimental .svelte support (#21700) (leaysgur)

[0.45.0] - 2026-04-13

🐛 Bug Fixes

  • 50c389b oxfmt: Support .editorconfig quote_type (#20989) (leaysgur)

[0.44.0] - 2026-04-06

🐛 Bug Fixes

  • dd2df87 npm: Export package.json for oxlint and oxfmt (#20784) (kazuya kawaguchi)
  • 4216380 oxfmt: Support .editorconfig tab_width fallback (#20988) (leaysgur)

[0.43.0] - 2026-03-30

🚀 Features

  • 6ef440a oxfmt: Support bool for object style options (#20853) (leaysgur)

[0.42.0] - 2026-03-24

🚀 Features

  • 416865a formatter,oxfmt: Add doc comments for JsdocConfig (#20644) (leaysgur)
  • 4fec907 formatter: Add JSDoc comment formatting support (#19828) (Dunqing)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…dates

Bumps the development-minor-and-patch group with 2 updates: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt).


Updates `@types/node` from 25.9.1 to 25.9.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `oxfmt` from 0.53.0 to 0.54.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.54.0/npm/oxfmt)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.9.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-minor-and-patch
- dependency-name: oxfmt
  dependency-version: 0.54.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 8, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 8, 2026 16:09

clawsweeper Bot commented Jun 8, 2026


Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 12:26 PM ET / 16:26 UTC.

Summary
The PR updates the development dependency group for @types/node and oxfmt, along with the corresponding pnpm-lock.yaml entries.

Reproducibility: not applicable. This is a dependency maintenance PR rather than a reported reproducible issue.

Review metrics: 1 noteworthy metric.

  • Dependency surface: 2 files changed; 2 direct dev dependencies updated. The diff is confined to package metadata, so maintainers can focus review on dependency and lockfile integrity.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Wait for dependency-review and the normal pnpm validation checks on the PR head before merge.

Next step before merge

  • [P2] No repair lane is needed because there is no concrete patch defect; this should proceed through normal dependency review.

Security
Cleared: The diff only changes dev dependency metadata and lockfile resolutions; no unrelated scripts, workflows, permissions, publishing metadata, or credential-handling paths are changed.

Review details

Best possible solution:

Land the narrow bot update after the configured dependency-review workflow and normal pnpm checks pass on the exact PR head.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency maintenance PR rather than a reported reproducible issue.

Is this the best way to solve the issue?

Yes; updating package.json and the pnpm lockfile is the narrow maintainable path for this Dependabot dependency group update.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d5e764d12a82.

Label changes

Label changes:

  • add P3: This is routine development dependency maintenance with limited blast radius.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot is a bot PR, so the external-contributor real behavior proof gate does not apply.
  • remove rating: 🌊 off-meta tidepool: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

  • P3: This is routine development dependency maintenance with limited blast radius.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot is a bot PR, so the external-contributor real behavior proof gate does not apply.
Evidence reviewed

What I checked:

  • Repository policy read: The full 55-line AGENTS.md was read; it identifies this as a pnpm TypeScript CLI and says generated output should not be edited while package checks should use typecheck, lint, test, and build. (AGENTS.md:1, d5e764d12a82)
  • Current main still has the previous oxfmt specifier: Current main has oxfmt at ^0.53.0, so the PR's ^0.54.0 update is not already implemented on the default branch. (package.json:37, d5e764d12a82)
  • Current lockfile still has the previous resolved versions: Current main resolves @types/node to 25.9.1 and oxfmt to 0.53.0 in the root importer, while the PR context updates them to 25.9.2 and 0.54.0. (pnpm-lock.yaml:15, d5e764d12a82)
  • Dependabot group matches the submitted change: The repository's Dependabot config has a development-minor-and-patch npm group for development dependencies with minor and patch updates, matching this PR's scope. (.github/dependabot.yml:17, d5e764d12a82)
  • Package integrity review path exists: The dependency-review workflow runs on package and lockfile changes and fails on high-severity dependency findings when the Dependency Review API is available. (.github/workflows/dependency-review.yml:37, d5e764d12a82)
  • Package files have explicit code ownership: CODEOWNERS routes both package.json and pnpm-lock.yaml to @openclaw/openclaw-secops, which is the right reviewer group for this package-integrity surface. (.github/CODEOWNERS:18, d5e764d12a82)

Likely related people:

  • @openclaw/openclaw-secops: CODEOWNERS explicitly assigns package.json and pnpm-lock.yaml to this team for package-integrity review. (role: CODEOWNERS package integrity owner; confidence: high; commits: d407835d91c7; files: .github/CODEOWNERS, package.json, pnpm-lock.yaml)
  • Peter Steinberger: Blame on the original dependency and automation policy lines points to the v0.5.0 release baseline authored by Peter Steinberger. (role: introduced dependency surface; confidence: medium; commits: d407835d91c7; files: package.json, .github/dependabot.yml, .github/workflows/dependency-review.yml)
  • dependabot[bot]: The current oxfmt line and lockfile dependency state on main were last changed by the previous merged development dependency update. (role: recent dependency update author; confidence: medium; commits: d5e764d12a82; files: package.json, pnpm-lock.yaml)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. and removed rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. labels Jun 8, 2026

dependabot Bot commented on behalf of github Jun 8, 2026


Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 8, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/development-minor-and-patch-b763f5d456 branch June 8, 2026 20:47

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.
