Update dependencies #107
Merged
Refresh the lockfile (which had drifted behind node_modules) and bump devDependency floors to the latest published versions:

- @playwright/test 1.59.1 -> 1.61.0
- @types/chrome 0.1.42 -> 0.1.43
- @types/node 25.6.2 -> 25.9.3
- eslint 10.3.0 -> 10.5.0
- prettier 3.8.3 -> 3.8.4
- typescript-eslint 8.59.2 -> 8.61.1
- vitest 4.1.5 -> 4.1.9

The transitive sweep moves vite 8.0.12 -> 8.0.16, clearing a high-severity advisory (GHSA-fx2h-pf6j-xcff / GHSA-v6wh-96g9-6wx3).

Add a shell-quote ^1.8.4 override to clear 4 critical advisories in the dev-only web-ext (Firefox) runner chain under wxt, without npm's suggested destructive wxt downgrade.

Validated: lint, typecheck (source + tests), 157 unit tests, build, zip, and 40 e2e tests all pass.
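Added example, not code from this PR or the project: a Node.js check that walks a lockfile's `packages` map and reports any installed copy of shell-quote below the 1.8.4 override floor, or of vite inside the 8.0.0 to 8.0.15 range that this PR's description names as vulnerable. The sample lockfile and the names `cmp`, `RULES`, `findViolations` and `SAMPLE_LOCK` are constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for installed copies that still sit in a disallowed version range.

// Compare two x.y.z versions numerically; returns <0, 0 or >0.
// Pre-release suffixes are ignored (assumption: plain releases only).
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Rules taken from the PR text: shell-quote override floor, vite vulnerable range.
const RULES = [
  { name: 'shell-quote', bad: (v) => cmp(v, '1.8.4') < 0 },
  { name: 'vite', bad: (v) => cmp(v, '8.0.0') >= 0 && cmp(v, '8.0.15') <= 0 },
];

// Walk every entry, including nested node_modules/a/node_modules/b copies,
// so a stale nested copy is not missed.
function findViolations(lock, rules = RULES) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta.version) continue; // root project or link entry
    const name = path.slice(idx + 'node_modules/'.length); // keeps @scope/name
    const rule = rules.find((r) => r.name === name);
    if (rule && rule.bad(meta.version)) hits.push(`${path}@${meta.version}`);
  }
  return hits.sort();
}

// Constructed sample lockfile (not the project's real one) with two stale nested copies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-extension', version: '0.0.0' },
    'node_modules/vite': { version: '8.0.16', dev: true },
    'node_modules/shell-quote': { version: '1.8.4', dev: true },
    'node_modules/web-ext/node_modules/shell-quote': { version: '1.7.3', dev: true },
    'node_modules/vitest/node_modules/vite': { version: '8.0.12', dev: true },
  },
};

console.log(findViolations(SAMPLE_LOCK));
```

To run it against a real lockfile, pass the parsed contents of `package-lock.json` to `findViolations` and fail the CI step when the returned list is non-empty.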
cc99956 to 75ba30f
@playwright/test 1.61.0 requires chromium-1228, which is only present in the matching v1.61.0-noble Playwright Docker image. The e2e job was still pinned to v1.59.1-noble, so the browser binary was missing.
Summary

Refreshes the lockfile (it had drifted behind node_modules, so npm ci would have downgraded) and bumps devDependency floors to the latest published versions. No source files change.

Already latest, unchanged: @eslint/js, eslint-config-prettier, typescript, wxt.

Security

npm audit goes from 6 vulnerabilities (1 high, 4 critical, 1 low) to 1 low:

- vite 8.0.12 → 8.0.16, out of the vulnerable 8.0.0–8.0.15 range (Windows fs.deny bypass / NTLM hash disclosure).
- overrides: shell-quote ^1.8.4. The vulnerable shell-quote is reached only through the dev-only Firefox web-ext runner chain under wxt; npm's suggested auto-fix would have downgraded wxt to 0.3.2 (destructive), so an override is used instead. API-stable, dev-only path this Chrome/Edge extension never executes.
- esbuild dev-server file-read (Windows-only) is only patched in 0.28.1, but wxt pins esbuild@^0.27.1. Forcing it across the minor boundary risks breaking the build for a low-severity dev-only issue, so it's intentionally left.
- uuid override held at ^11.1.1 (latest 14.0.0 is a forced transitive 3-major jump with no security driver).

Validation