build(deps-dev): bump @types/node from 25.9.3 to 26.0.1 #144

Merged
steipete-oai merged 1 commit into main from dependabot/npm_and_yarn/types/node-26.0.0
Jun 30, 2026
@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps @types/node from 25.9.3 to 26.0.1.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 22, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 22, 2026 16:08
clawsweeper Bot commented Jun 22, 2026

Codex review: needs maintainer review before merge. Reviewed June 29, 2026, 3:24 PM ET / 19:24 UTC.

Summary
Dependabot bumps the direct development dependency @types/node from 25.9.3 to 26.0.0 and refreshes the pnpm lockfile.

Reproducibility: not applicable. This is dependency maintenance rather than a reported runtime bug. The relevant check is package metadata, lockfile scope, and validation under the supported runtime policy.

Review metrics: 2 noteworthy metrics.

  • Changed package surface: 2 files modified, 23 additions, 23 deletions. The diff is limited to package metadata and the pnpm lockfile, so the main review question is package compatibility rather than application behavior.
  • Runtime/type support split: engine >=22, typings 26.0.0. This version split is the concrete compatibility decision maintainers need to notice before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Have package-integrity owners confirm the Node typings policy before merge.

Risk before merge

  • [P1] Merging this PR would let TypeScript see Node 26 ambient APIs while package.json still advertises node >=22, so future source can accidentally typecheck code that is not portable to the minimum supported runtime.

Maintainer options:

  1. Confirm support-matrix intent (recommended)
    Have package-integrity owners confirm that Node 26 typings are intentional while the package engine remains >=22 before merging.
  2. Retarget to the support floor
    Close or retarget this Dependabot major update if TypeScript should continue enforcing compatibility with the minimum supported Node runtime.

Next step before merge

  • [P2] The remaining blocker is a maintainer package-policy decision about the Node typings support matrix, not an automated code repair.

Security
Cleared: No concrete security or supply-chain concern was found in the package/lockfile-only diff; dependency review and secret scanning passed on the PR head.

Review details

Best possible solution:

Keep the generated bump narrow and merge it only after package-integrity owners confirm whether the development type surface should track Node 26 or remain aligned with the minimum supported runtime.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is dependency maintenance rather than a reported runtime bug. The relevant check is package metadata, lockfile scope, and validation under the supported runtime policy.

Is this the best way to solve the issue?

Unclear as a final merge decision until maintainers confirm the support-matrix policy. If maintainers intentionally track Node 26 typings, the generated package and lockfile update is the narrowest implementation; otherwise the safer path is to close or retarget this major update.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 24763d26cdff.

Label changes

Label justifications:

  • P3: This is a low-risk dependency maintenance PR with no direct user-facing behavior change, but it still needs package-owner confirmation.
  • merge-risk: 🚨 compatibility: The PR changes the major version of Node ambient type definitions while the package still advertises support for Node 22 and newer.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The contributor proof gate does not apply to this Dependabot bot dependency PR.

Evidence reviewed

What I checked:

  • Repository policy read: The full target AGENTS.md was read; it says to use pnpm with Node 22 or newer and names typecheck, lint, test, and build as the validation surface. (AGENTS.md:14, 24763d26cdff)
  • Current main dependency state: Current main still declares @types/node as ^25.9.3 and the package engine as node >=22, so the proposed update is not already on the default branch. (package.json:37, 24763d26cdff)
  • PR head package change: The PR head changes @types/node to ^26.0.0 while leaving engines.node at >=22. (package.json:37, 1473539f4dfc)
  • Lockfile scope: The PR lockfile resolves @types/node to 26.0.0 and updates the related peer-resolution entries; the PR diff is limited to package.json and pnpm-lock.yaml. (pnpm-lock.yaml:16, 1473539f4dfc)
  • CI support signal: The current CI workflow validates on Node 26, not a Node 22 matrix, so green CI does not by itself settle the advertised minimum-runtime compatibility question. (.github/workflows/ci.yml:20, 24763d26cdff)
  • Package integrity ownership: CODEOWNERS marks package.json and pnpm-lock.yaml as package integrity surfaces owned by @openclaw/openclaw-secops. (.github/CODEOWNERS:17, 24763d26cdff)

Likely related people:

  • Peter Steinberger: Blame and git log -S tie the current dependency block, the Node engine range, and prior @types/node history to this author. (role: dependency introducer and prior dependency updater; confidence: high; commits: 0cd24d07a262, 34f75dad9812, 88ba04e8006b; files: package.json, pnpm-lock.yaml)
  • Vincent Koc: Repository history ties this author to release/security automation, Dependabot configuration, CI, and current package-integrity ownership surfaces. (role: package automation and ownership contributor; confidence: medium; commits: 637d2bd1cf81, 24763d26cdff; files: .github/dependabot.yml, .github/workflows/ci.yml, .github/CODEOWNERS)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
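
One way to turn the runtime/type split described in the review above into an automated gate, as an added example (not code from this repository or from ClawSweeper): it compares the lowest Node major that `engines.node` admits with the declared `@types/node` major. The function names and sample manifests are constructed here, and range parsing covers only simple `>=`, `^`, `~` and `||` forms.

```javascript
// Added example: compare the Node major that typings expose with the engines.node floor.

// Lowest Node major admitted by a simple engines.node range (">=22", "^22.12 || >=24").
function engineFloorMajor(range) {
  if (typeof range !== 'string') return null;
  const majors = [];
  for (const alt of range.split('||')) {
    const m = alt.trim().match(/^(?:>=|\^|~|=)?\s*v?(\d+)/);
    if (!m) return null; // "*", "<26", ">22": no clear floor, so report unknown
    majors.push(Number(m[1]));
  }
  return Math.min(...majors);
}

// Major of the declared @types/node spec, from devDependencies or dependencies.
function typesNodeMajor(pkg) {
  const spec = (pkg.devDependencies || {})['@types/node']
    ?? (pkg.dependencies || {})['@types/node'];
  const m = typeof spec === 'string' ? spec.match(/^[\^~]?\s*v?(\d+)\./) : null;
  return m ? Number(m[1]) : null;
}

// 'drift' = typings describe a newer Node major than the minimum supported runtime.
function checkTypingsDrift(pkg) {
  const floor = engineFloorMajor((pkg.engines || {}).node);
  const typings = typesNodeMajor(pkg);
  let status = 'unknown'; // fail closed: an unparseable manifest needs a human look
  if (floor !== null && typings !== null) status = typings > floor ? 'drift' : 'aligned';
  return { floor, typings, status };
}

// Constructed manifest using the values quoted in the review comment.
const prHead = { engines: { node: '>=22' }, devDependencies: { '@types/node': '^26.0.0' } };
// Hypothetical manifest with typings pinned to the support floor.
const floorAligned = { engines: { node: '>=22' }, devDependencies: { '@types/node': '^22.0.0' } };

for (const [name, pkg] of Object.entries({ prHead, floorAligned })) {
  const r = checkTypingsDrift(pkg);
  console.log(`${name}: engines floor ${r.floor}, @types/node ${r.typings} -> ${r.status}`);
}
```

A `drift` result does not mean the bump is wrong; it marks the point where the support-matrix decision has to be made explicitly rather than inferred from green CI on a newer Node.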

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jun 22, 2026

@dependabot rebase

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.9.3 to 26.0.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps-dev): bump @types/node from 25.9.3 to 26.0.0 build(deps-dev): bump @types/node from 25.9.3 to 26.0.1 Jun 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/types/node-26.0.0 branch from 1473539 to 7c90593 Compare June 30, 2026 23:41
@steipete-oai steipete-oai merged commit bfe68d8 into main Jun 30, 2026
7 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/types/node-26.0.0 branch June 30, 2026 23:43