ci(deps): bump actions/setup-node from 4 to 5 #15

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/setup-node-5

@dependabot dependabot bot commented on behalf of github Sep 8, 2025

Bumps actions/setup-node from 4 to 5.

Release notes

Sourced from actions/setup-node's releases.

v5.0.0

What's Changed

Breaking Changes

This update introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false.

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

What's Changed

Bug fixes:

Enhancement:

Dependency update:

New Contributors

Full Changelog: actions/setup-node@v4...v4.4.0

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 5.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Sep 8, 2025

github-actions bot commented Sep 8, 2025

✅ Security Audit Results

No high/critical vulnerabilities found

Security Audit Report

Generated on: Mon Sep 8 09:43:29 UTC 2025

Summary

  • Total dependencies: {
    "prod": 42,
    "dev": 470,
    "optional": 47,
    "peer": 0,
    "peerOptional": 0,
    "total": 511
    }
  • Development dependencies: 0

Vulnerabilities

info: 0
low: 2
moderate: 0
high: 0
critical: 0
total: 2

Detailed Audit Output

# npm audit report

@eslint/plugin-kit  <0.3.4
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser - https://github.com/advisories/GHSA-xffm-g5w8-qvg7
fix available via `npm audit fix`
node_modules/@eslint/plugin-kit

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion

2 low severity vulnerabilities

To address all issues, run:
  npm audit fix
Audit completed with findings

Potential Fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.41.1
add @rollup/rollup-win32-ia32-msvc 4.41.1
add @rollup/rollup-win32-arm64-msvc 4.41.1
add @rollup/rollup-linux-s390x-gnu 4.41.1
add @rollup/rollup-linux-riscv64-musl 4.41.1
add @rollup/rollup-linux-riscv64-gnu 4.41.1
add @rollup/rollup-linux-powerpc64le-gnu 4.41.1
add @rollup/rollup-linux-loongarch64-gnu 4.41.1
add @rollup/rollup-linux-arm64-musl 4.41.1
add @rollup/rollup-linux-arm64-gnu 4.41.1
add @rollup/rollup-linux-arm-musleabihf 4.41.1
add @rollup/rollup-linux-arm-gnueabihf 4.41.1
add @rollup/rollup-freebsd-x64 4.41.1
add @rollup/rollup-freebsd-arm64 4.41.1
add @rollup/rollup-darwin-x64 4.41.1
add @rollup/rollup-darwin-arm64 4.41.1
add @rollup/rollup-android-arm64 4.41.1
add @rollup/rollup-android-arm-eabi 4.41.1
add @esbuild/win32-x64 0.25.5
add @esbuild/win32-ia32 0.25.5
add @esbuild/win32-arm64 0.25.5
add @esbuild/sunos-x64 0.25.5
add @esbuild/openbsd-x64 0.25.5
add @esbuild/openbsd-arm64 0.25.5
add @esbuild/netbsd-x64 0.25.5
add @esbuild/netbsd-arm64 0.25.5
add @esbuild/linux-s390x 0.25.5
add @esbuild/linux-riscv64 0.25.5
add @esbuild/linux-ppc64 0.25.5
add @esbuild/linux-mips64el 0.25.5
add @esbuild/linux-loong64 0.25.5
add @esbuild/linux-ia32 0.25.5
add @esbuild/linux-arm64 0.25.5
add @esbuild/linux-arm 0.25.5
add @esbuild/freebsd-x64 0.25.5
add @esbuild/freebsd-arm64 0.25.5
add @esbuild/darwin-x64 0.25.5
add @esbuild/darwin-arm64 0.25.5
add @esbuild/android-x64 0.25.5
add @esbuild/android-arm64 0.25.5
add @esbuild/android-arm 0.25.5
add @esbuild/aix-ppc64 0.25.5
change brace-expansion 1.1.11 => 1.1.12
change brace-expansion 2.0.1 => 2.0.2
change @eslint/plugin-kit 0.3.1 => 0.3.5
add @eslint/core 0.15.2
change brace-expansion 1.1.11 => 1.1.12
change brace-expansion 1.1.11 => 1.1.12

added 44 packages, changed 5 packages, and audited 513 packages in 911ms

111 packages are looking for funding
  run `npm fund` for details

# npm audit report

@eslint/plugin-kit  <0.3.4
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser - https://github.com/advisories/GHSA-xffm-g5w8-qvg7
fix available via `npm audit fix`


brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`





2 low severity vulnerabilities

To address all issues, run:
  npm audit fix
No automatic fixes available

This comment was automatically generated by the Security Audit workflow.


github-actions bot commented Sep 8, 2025

🔍 Lint Check Results

ESLint Results


> @tryft/echarts@0.1.0 lint
> eslint src --ext ts,tsx --report-unused-disable-directives --max-warnings 0


Prettier Results


> @tryft/echarts@0.1.0 format:check
> prettier --check "src/**/*.{ts,tsx,js,jsx,json,md}"

Checking formatting...
[warn] src/components/GraphChart.tsx
[warn] src/components/TreemapChart.tsx
[warn] src/stories/GaugeChart.stories.tsx
[warn] Code style issues found in 3 files. Run Prettier with --write to fix.


This comment was automatically generated by the PR Checks workflow.


github-actions bot commented Sep 8, 2025

📦 Bundle Size Report

| Format | Size | Gzipped | Change |
|--------|------|---------|--------|
| ESM | 1664.95 KB | 453.44 KB | ➡️ No change |
| UMD | 1149.08 KB | 379.64 KB | - |

Details

  • ESM Bundle: Modern ES modules format, tree-shakable
  • UMD Bundle: Universal module definition, compatible with CommonJS, AMD, and global variables
  • Gzipped sizes represent what users actually download

Size Guidelines

  • 🟢 Good: < 100 KB gzipped
  • 🟡 Warning: 100-500 KB gzipped
  • 🔴 Large: > 500 KB gzipped

Bundle sizes are automatically tracked on every commit to main.


github-actions bot commented Sep 8, 2025

🚦 Bundle Size Limit Check

ESM Bundle: 453.44KB is within limit of 500KB
UMD Bundle: 379.64KB is within limit of 600KB

These limits help maintain reasonable bundle sizes for end users.


github-actions bot commented Sep 8, 2025

🔨 Build Check Results

Library Build


> @tryft/echarts@0.1.0 build
> tsc && vite build

vite v6.3.5 building for production...
transforming...
✓ 1145 modules transformed.
rendering chunks...
computing gzip size...
dist/index.esm.js  1,704.91 kB │ gzip: 463.72 kB
dist/index.umd.js  1,176.67 kB │ gzip: 389.89 kB
✓ built in 6.13s
 // Truncate to last 1000 chars

Storybook Build

: 160.65 kB
storybook-static/assets/BaseEChart-BLQ9tw5u.js                1,039.52 kB │ gzip: 344.66 kB
storybook-static/assets/iframe-X-XMsM58.js                    1,279.53 kB │ gzip: 356.83 kB

(!) Some chunks are larger than 500 kB after minification. Consider:
- Using dynamic import() to code-split the application
- Use build.rollupOptions.output.manualChunks to improve chunking: https://rollupjs.org/configuration-options/#output-manualchunks
- Adjust chunk size limit for this warning via build.chunkSizeWarningLimit.
✓ built in 12.62s
info => Preview built (15 s)
info => Output directory: /home/runner/work/tryft-echarts/tryft-echarts/storybook-static

attention => Storybook now collects completely anonymous telemetry regarding usage.
This information is used to shape Storybook's roadmap and prioritize features.
You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
https://storybook.js.org/telemetry

 // Truncate to last 1000 chars

Test Results


> @tryft/echarts@0.1.0 test
> npm run type-check && npm run lint


> @tryft/echarts@0.1.0 type-check
> tsc --noEmit


> @tryft/echarts@0.1.0 lint
> eslint src --ext ts,tsx --report-unused-disable-directives --max-warnings 0

 // Truncate to last 1000 chars

Bundle Size Analysis

  • ESM Bundle: 1664.95 KB
  • UMD Bundle: 1149.08 KB

Gzipped Sizes

  • ESM Bundle (gzipped): 453.44 KB
  • UMD Bundle (gzipped): 379.64 KB

This comment was automatically generated by the PR Checks workflow.


github-actions bot commented Sep 8, 2025

🔀 Merge Simulation Results

Merge Attempt

Automatic merge went well; stopped before committing as requested

Post-Merge Testing

Testing merged state...

> @tryft/echarts@0.1.0 prepare
> husky


added 468 packages, and audited 469 packages in 4s

111 packages are looking for funding
  run `npm fund` for details

2 low severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

> @tryft/echarts@0.1.0 build
> tsc && vite build

vite v6.3.5 building for production...
transforming...
✓ 1145 modules transformed.
rendering chunks...
computing gzip size...
dist/index.esm.js  1,704.91 kB │ gzip: 463.72 kB
dist/index.umd.js  1,176.67 kB │ gzip: 389.89 kB
✓ built in 6.59s

> @tryft/echarts@0.1.0 test
> npm run type-check && npm run lint


> @tryft/echarts@0.1.0 type-check
> tsc --noEmit


> @tryft/echarts@0.1.0 lint
> eslint src --ext ts,tsx --report-unused-disable-directives --max-warnings 0

 // Truncate to last 1500 chars

This comment was automatically generated by the PR Checks workflow.


github-actions bot commented Sep 8, 2025

📋 PR Checks Summary

Check Status Result
Lint Check success
Build Check success
Merge Simulation success

🎉 All checks passed! This PR is ready for review.


This summary was automatically generated by the PR Checks workflow.


dependabot bot commented on behalf of github Oct 20, 2025

Superseded by #19.

@dependabot dependabot bot closed this Oct 20, 2025
@dependabot dependabot bot deleted the dependabot/github_actions/actions/setup-node-5 branch October 20, 2025 10:03