Bump sitespeed.io from 40.4.1 to 41.0.1

[dependabot]

Bumps sitespeed.io from 40.4.1 to 41.0.1.

Release notes

Sourced from sitespeed.io's releases.

v41.0.1

Fixed

• Drop unused fast-crc32c dependency #4735
• Fix visual-progress curve and scrubber to match the data's semantics #4734

v41.0.0

Highlights

A small but breaking release: Node.js 22 is now the minimum, and --help has been redesigned around topic-filtered views instead of dumping every option in one screen.

Breaking

• Node.js 22+ is now required (was Node.js 20+) #4732.
• sitespeed.io --help no longer prints every option from all 26 option groups by default — it now shows a short curated list of common options plus the available topic names. Use sitespeed.io --help <topic> to drill into one topic, or sitespeed.io --help-all to reproduce the historical full dump (kept unchanged for scripts, and used to generate the published docs/config reference) #4730.

Changed

• coach-core bumped to 9.1.0, which pulls in pagexray 5.0.0 #4731.

Fixed

pagexray 5.0.0 (transitive via coach-core 9.1.0) brings several reporting fixes that show up directly in sitespeed.io output:

• HTTP/3 / HTTP/3.0 connections are now classified as h3 instead of falling through to h1, so the HTTP-version breakdown is correct on HTTP/3 traffic.
• Cache-Control is parsed case-insensitively (RFC 7234), so Max-Age=42 is read as 42 instead of 0 and No-Cache / No-Store are honoured — caching advice and expireStats no longer over-report problems on origins that capitalise the directive.
• missingCompression no longer flags already-gzipped assets (the encoding check was comparing a flattened header array against a string), accepts compound encodings like br, gzip, and recognises zstd. xml is now also considered for compression reporting.
• The Domain= cookie attribute is matched case-insensitively (RFC 6265), so third-party cookies set with lowercase domain= are detected.
• getMainDomain recognises common two-label public suffixes (.co.jp, .com.br, .com.au, …), so the auto-generated first-party regex stops misclassifying same-site requests on non-.co.uk country domains.
• defaultContentTypes now includes favicon, so every page has a consistent shape in the content-type breakdown.
• getDocumentRequests returns an empty array for pages with no matching entries instead of throwing.

v40.5.0

Added

• Scripts are now auto-detected on the command line, so --multi is no longer required to run them. Any positional argument that looks like a script — .js / .cjs / .mjs, or any file whose first non-empty line doesn't start with http — flips multi mode on automatically, and mixed inputs like login.js https://example.com logout.js just work. --multi is kept as an explicit override for the one case auto-detection can't cover: sharing a single browser session across a list of plain URLs. All existing invocations behave exactly as before #4725.

Fixed

• Gzipped HAR files are now written by piping JSON through createGzip straight to disk instead of materialising the JSON string, a Buffer copy of it, and the full gzipped Buffer all at once. For a 200 MB HAR that removes several hundred MB of avoidable peak RSS, multiplied when multiple pages finish around the same time. The storage layer now accepts a Readable in addition to strings and Buffers; existing callers are unaffected #4728.
• Gzipped JSON result files (Chrome traces, console logs, etc.) are read by streaming through createGunzip and collecting utf-8 chunks rather than buffering the whole gzipped payload, gunzipping it into another Buffer, then stringifying. The parsed object still has to fit in memory, but the throwaway gzipped and unzipped buffer copies are gone — meaningful on 50+ MB traces #4726.
• The sustainable plugin and the S3 plugin pick up the same streaming treatment: the sustainable plugin now uses the shared streaming gzipped-JSON helper instead of its own buffer-everything copy, and the S3 plugin streams uploads via createReadStream with an explicit ContentLength instead of loading each file fully into memory before PutObject. With 20 concurrent S3 uploads, RSS no longer spikes to ~20× the size of the largest file in the result bundle #4727.

Changelog

Sourced from sitespeed.io's changelog.

41.0.1 - 2026-05-16

Fixed

• Drop unused fast-crc32c dependency #4735
• Fix visual-progress curve and scrubber to match the data's semantics #4734

41.0.0 - 2026-05-15

Highlights

A small but breaking release: Node.js 22 is now the minimum, and --help has been redesigned around topic-filtered views instead of dumping every option in one screen.

Breaking

• Node.js 22+ is now required (was Node.js 20+) #4732.
• sitespeed.io --help no longer prints every option from all 26 option groups by default — it now shows a short curated list of common options plus the available topic names. Use sitespeed.io --help <topic> to drill into one topic, or sitespeed.io --help-all to reproduce the historical full dump (kept unchanged for scripts, and used to generate the published docs/config reference) #4730.

Changed

• coach-core bumped to 9.1.0, which pulls in pagexray 5.0.0 #4731.

Fixed

pagexray 5.0.0 (transitive via coach-core 9.1.0) brings several reporting fixes that show up directly in sitespeed.io output:

• HTTP/3 / HTTP/3.0 connections are now classified as h3 instead of falling through to h1, so the HTTP-version breakdown is correct on HTTP/3 traffic.
• Cache-Control is parsed case-insensitively (RFC 7234), so Max-Age=42 is read as 42 instead of 0 and No-Cache / No-Store are honoured — caching advice and expireStats no longer over-report problems on origins that capitalise the directive.
• missingCompression no longer flags already-gzipped assets (the encoding check was comparing a flattened header array against a string), accepts compound encodings like br, gzip, and recognises zstd. xml is now also considered for compression reporting.
• The Domain= cookie attribute is matched case-insensitively (RFC 6265), so third-party cookies set with lowercase domain= are detected.
• getMainDomain recognises common two-label public suffixes (.co.jp, .com.br, .com.au, …), so the auto-generated first-party regex stops misclassifying same-site requests on non-.co.uk country domains.
• defaultContentTypes now includes favicon, so every page has a consistent shape in the content-type breakdown.
• getDocumentRequests returns an empty array for pages with no matching entries instead of throwing.

40.5.0 - 2026-05-14

Added

• Scripts are now auto-detected on the command line, so --multi is no longer required to run them. Any positional argument that looks like a script — .js / .cjs / .mjs, or any file whose first non-empty line doesn't start with http — flips multi mode on automatically, and mixed inputs like login.js https://example.com logout.js just work. --multi is kept as an explicit override for the one case auto-detection can't cover: sharing a single browser session across a list of plain URLs. All existing invocations behave exactly as before #4725.

Fixed

• Gzipped HAR files are now written by piping JSON through createGzip straight to disk instead of materialising the JSON string, a Buffer copy of it, and the full gzipped Buffer all at once. For a 200 MB HAR that removes several hundred MB of avoidable peak RSS, multiplied when multiple pages finish around the same time. The storage layer now accepts a Readable in addition to strings and Buffers; existing callers are unaffected #4728.
• Gzipped JSON result files (Chrome traces, console logs, etc.) are read by streaming through createGunzip and collecting utf-8 chunks rather than buffering the whole gzipped payload, gunzipping it into another Buffer, then stringifying. The parsed object still has to fit in memory, but the throwaway gzipped and unzipped buffer copies are gone — meaningful on 50+ MB traces #4726.
• The sustainable plugin and the S3 plugin pick up the same streaming treatment: the sustainable plugin now uses the shared streaming gzipped-JSON helper instead of its own buffer-everything copy, and the S3 plugin streams uploads via createReadStream with an explicit ContentLength instead of loading each file fully into memory before PutObject. With 20 concurrent S3 uploads, RSS no longer spikes to ~20× the size of the largest file in the result bundle #4727.

Commits

• 31e346b 41.0.1
• b70347f new release
• 6d3b135 Fix visual-progress curve and scrubber to match the data's semantics (#4734)
• 5db680b Drop unused fast-crc32c dependency (#4735)
• 524adef Update to v41 (#4733)
• 869d6ea new release
• f8461cc 41.0.0
• bb57d94 new release
• ddfb0dc Make --help easier to navigate with topic-filtered views (#4730)
• f4aae1e Require Node.js 22 (#4732)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)