
build(deps-dev): bump monocart-coverage-reports from 2.12.9 to 2.12.11#2645

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps monocart-coverage-reports from 2.12.9 to 2.12.11.

Changelog

Sourced from monocart-coverage-reports's changelog.

  • 2.12.11

    • fixed child process crash when the tested code spawns a subprocess with a different cwd (NODE_OPTIONS register path is now absolute)
  • 2.12.10

    • updated dependencies
Commits


Note

Low Risk
Dev-only dependency bump with no runtime or product code changes; low risk aside from verifying coverage merge still works in CI.

Overview
Bumps the dev dependency monocart-coverage-reports from 2.12.9 to 2.12.11 in injected/package.json, with the lockfile refreshed for that package and its updated transitive dependencies (e.g. acorn-walk, console-grid, foreground-child).

2.12.11 fixes a child-process crash when covered code spawns a subprocess with a different working directory (coverage registration now uses an absolute NODE_OPTIONS path). 2.12.10 was mainly dependency updates. No application source changes—only tooling used for merged coverage reports (e.g. merge-coverage.js).

Reviewed by Cursor Bugbot for commit acc8c35.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Update one or more dependencies version patch Increment the patch version when merged labels Apr 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 20, 2026 12:20
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through whether this dependency is still needed, or whether there are better practices used elsewhere?

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

@github-actions

github-actions Bot commented Apr 20, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11
Commit 2d1aff4a98
Updated May 26, 2026 at 8:52:46 AM UTC

Static preview entry points

QR codes (mobile preview) for three entry points: Docs (docs preview), Static pages (static pages preview), Integration pages (integration pages preview).

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#2d1aff4a987e78938b2e5041114cf5ea1acbd6e0

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "2d1aff4a987e78938b2e5041114cf5ea1acbd6e0")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11
git -C submodules/content-scope-scripts checkout 2d1aff4a987e78938b2e5041114cf5ea1acbd6e0

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label Apr 20, 2026

@cursor cursor Bot left a comment


Stale comment

Web Compatibility Assessment

  • injected/package.json (L59-L59) — info: monocart-coverage-reports was bumped in devDependencies only. This package is used by coverage/reporting scripts, not by injected runtime bundles, so no direct impact to API surface fidelity, prototype shims, DOM behavior, feature lifecycle (load/init/urlChanged), or platform runtime behavior.
  • package-lock.json (L61-L61, L7213-L7257) — info: lockfile update is consistent with the devDependency bump and remains dev: true; no runtime dependency graph change for page-injected code.
  • package-lock.json (L2200-L2211, L3476-L3481, L3980-L3985, L7028-L7033) — info: transitive bumps (acorn-walk, console-grid, eight-colors, lz-utils) are coverage-tool transitive deps only; none touch injected/src/features, wrapper/shim utilities, entry points, or browser-facing contracts.

Security Assessment

  • injected/package.json + package-lock.json (ranges above) — info: no changes to captured-globals, wrapper-utils, DDGProxy, message bridge, transport origin checks, or config-gating paths. No new postMessage, CustomEvent, dynamic code execution, or network exfiltration paths introduced in injected runtime.
  • package-lock.json (L7237-L7251) — info: nested foreground-child update is still dev-only and constrained to tooling execution context, not hostile-page runtime context.

Risk Level

Low Risk — dependency-only dev tooling update with no modifications to injected runtime code paths, browser API overrides, messaging boundaries, or security-sensitive initialization logic.

Recommendations

  1. Run the injected coverage workflow once (npm run coverage-int + npm run coverage-report) to validate report generation/output compatibility after the monocart bump.
  2. Optional hardening alternative: pin monocart-coverage-reports to an exact version (instead of caret) if you want deterministic tooling behavior across reinstalls.
  3. Keep this class of tooling-only bumps isolated from runtime feature changes in PRs to preserve clear compatibility/security review boundaries.

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Stale comment

Dependency Risk Review: monocart-coverage-reports 2.12.9 -> 2.12.11

Confirmed concern (moderate): coverage path is not exercised in PR CI

  • This package is only consumed by injected/scripts/merge-coverage.js via CoverageReport.
  • That script is executed by npm run coverage-report -w injected in .github/workflows/coverage.yml.
  • .github/workflows/coverage.yml only runs on schedule and workflow_dispatch, not pull_request.
  • Result: regressions from this update can merge without PR-time signal, then fail later in nightly/manual coverage runs.

Uncertain concerns (needs validation)

  • Upstream changelog for 2.12.11 says: "fixed child process crash when the tested code spawns a subprocess with a different cwd". This is likely a positive fix, but behavior changed in child-process handling; run coverage workflow once to confirm no environment-specific side effects.
  • Transitive change includes foreground-child major bump (3.x -> nested 4.0.3) and license change on that nested package (BlueOak-1.0.0). Not a runtime app risk (dev-only path), but worth confirming against internal license policy.

Dependency necessity / alternatives

  • Keeping this dependency is reasonable: repo currently relies on it to merge c8 + Playwright V8 coverage formats in injected/scripts/merge-coverage.js.
  • Alternative follow-up (separate PR): add fixture-based unit tests for merge-coverage.js to reduce reliance on scheduled workflow for validation.

Suggested separate PR (no changes on this PR)

  1. Add a lightweight PR-triggered coverage merge smoke test (or path-filtered job) that runs npm run coverage-report -w injected against fixture coverage JSON.
  2. Add unit tests around merge-coverage.js parsing/filters so monocart-coverage-reports API compatibility is validated on every PR.

Sent by Cursor Automation: Review dependabot


@cursor cursor Bot left a comment


Stale comment

Follow-up created for the mitigation discussed above: #2653

It adds a PR-time CI smoke step (npm run coverage-report -w injected) so future monocart-coverage-reports updates are validated before merge.



Sent by Cursor Automation: Review dependabot

@github-actions

[Beta] Generated file diff

Time updated: Fri, 24 Apr 2026 00:24:04 GMT


@cursor cursor Bot left a comment


Stale comment

Web Compatibility Assessment

  • injected/package.json (56-59) — info: Change is limited to a devDependency version bump (monocart-coverage-reports ^2.12.9 -> ^2.12.11). No injected runtime feature code, wrapper utilities, API shims, or platform entry points are modified, so no direct browser API surface/prototype-chain compatibility regression is introduced.
  • package-lock.json (7211-7260, plus transitive lockfile entries at 2198-2204, 3474-3480, 3978-3984, 7026-7032) — info: Lockfile-only updates for coverage tooling and its transitive packages (acorn-walk, console-grid, eight-colors, lz-utils, foreground-child, monocart-locator). These are build/test-time dependencies and do not execute in page context; no change to site-facing behavior.

Security Assessment

  • injected/package.json (56-59) — info: No new page-context logic paths; no impact to captured globals hygiene, message bridge trust boundaries, origin validation, or iframe security controls.
  • package-lock.json (7211-7260) — info: Dependency graph changes are scoped to dev tooling (dev: true), with no modifications to injected/src/ runtime code. No new postMessage, dynamic code execution, config trust, or prototype attack surface in injected scripts.

Risk Level

Low Risk — This PR is dependency/lockfile-only for development coverage tooling and does not modify runtime injection, compatibility wrappers, or security-critical message/config pathways.

Recommendations

  1. Run coverage-generation CI smoke validation (injected test workflow that invokes monocart-coverage-reports) to catch tooling contract changes from transitive updates (notably foreground-child major bump).
  2. Keep this PR scoped to tooling only (no runtime rebundling artifacts) so rollback remains trivial if coverage/report formatting behavior changes.
  3. If desired for defense-in-depth, add/maintain a CI assertion that production injected bundles are byte-identical for devDependency-only PRs.

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Stale comment

Confirmed Concern

  1. monocart-coverage-reports is not exercised by required PR CI in this repo.
    • This dependency is only used by injected/scripts/merge-coverage.js (via npm run coverage-report -w injected).
    • coverage-report is run in .github/workflows/coverage.yml, but that workflow triggers on schedule/workflow_dispatch, not pull_request.
    • pull_request checks in .github/workflows/tests.yml run unit/integration tests, but do not run coverage-report.

Impact: regressions in coverage merge/report generation can be merged undetected on dependency bumps.

Changelog/Delta Assessment

  • Upstream changelog:
    • 2.12.10: dependency updates
    • 2.12.11: fix for child-process crash when subprocess cwd differs (absolute NODE_OPTIONS register path)
    • Source: CHANGELOG.md
  • Lockfile also introduces transitive updates including foreground-child 3.x -> 4.x (major), monocart-locator 1.0.2 -> 1.0.3, and parser/util package updates.

Uncertain Concerns (assumptions + validation needed)

  • foreground-child major bump is transitive/dev-only here; likely low runtime risk for app code, but behavior changes could affect coverage tooling subprocess behavior.
  • Upstream includes internal logic changes (CLI path handling and object parsing logic), but this repo uses the API path, not mcr CLI. Low expected impact, still unverified in this repo’s PR CI.

Dependency Necessity

  • Dependency is currently still needed: it is directly imported in injected/scripts/merge-coverage.js and used by coverage artifact workflows.
  • Alternative (larger change): remove merged monocart reporting and rely on separate native reporters (c8 + Playwright artifacts), if merged V8 reporting is no longer required.

Suggested Follow-up (separate PR, not this Dependabot PR)

  • Add a PR-triggered check that runs npm run coverage-report -w injected with fixture coverage input (or wire coverage.yml to pull_request for dependency files) so future bumps are validated in CI.

Sent by Cursor Automation: Review dependabot

@jonathanKingston

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11 branch 2 times, most recently from 365b146 to 3162b83 on May 26, 2026 08:49
Bumps [monocart-coverage-reports](https://github.com/cenfun/monocart-coverage-reports) from 2.12.9 to 2.12.11.
- [Release notes](https://github.com/cenfun/monocart-coverage-reports/releases)
- [Changelog](https://github.com/cenfun/monocart-coverage-reports/blob/main/CHANGELOG.md)
- [Commits](cenfun/monocart-coverage-reports@2.12.9...2.12.11)

---
updated-dependencies:
- dependency-name: monocart-coverage-reports
  dependency-version: 2.12.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.11 branch from 3162b83 to acc8c35 on May 26, 2026 08:51

@cursor cursor Bot left a comment


Stale comment

Web Compatibility Assessment

  • injected/package.json (59) — info: monocart-coverage-reports is bumped in devDependencies only. No injected runtime feature code, API wrappers/shims, platform entry points, or DOM lifecycle paths are changed.
  • package-lock.json (61, 7602-7649) — info: lockfile changes are scoped to coverage-reporting tooling and transitive dev dependencies. These packages do not execute in hostile page context and do not alter browser-facing behavior.

No warning/error web compatibility findings.

Security Assessment

  • injected/package.json + package-lock.json — info: no changes to captured-globals, wrapper-utils, DDGProxy, message bridge, transport origin checks, config-gating, iframe access, postMessage, dynamic code execution, or network paths.
  • package-lock.json (7626-7649) — info: nested foreground-child@4.0.3 remains dev-only under the coverage tool; no injected runtime security surface is introduced.

No warning/error security findings.

Risk Level

Low Risk — dependency-only dev tooling update with no changes to injected page-world runtime code or security-sensitive initialization/messaging paths.

Recommendations

  • No PR-blocking action from a web compatibility/security perspective.
  • Validation performed: npm ls monocart-coverage-reports --workspace=injected resolves 2.12.11; npm run coverage-report --workspace=injected loads successfully and exits cleanly when no local coverage artifacts are present.
  • Optional: run the full coverage-producing workflow (coverage-int followed by coverage-report) before merge if you want end-to-end report-format validation for the transitive tooling changes.

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Web Compatibility Assessment

  • injected/package.json (59) — info: monocart-coverage-reports is bumped in devDependencies only. No injected runtime feature code, API wrappers/shims, platform entry points, DOM lifecycle paths, or config-gated behavior are modified.
  • package-lock.json (62, 7594-7640) — info: lockfile changes are scoped to coverage-reporting tooling and its transitive dev dependencies (acorn-walk, console-grid, eight-colors, foreground-child, lz-utils, monocart-locator). These do not execute in hostile page context and do not alter browser-facing contracts.

No warning/error web compatibility findings.

Security Assessment

  • injected/package.json + package-lock.json — info: no changes to captured-globals, wrapper-utils, DDGProxy, message bridge, transport origin checks, config-gating, iframe access, postMessage, dynamic code execution, or network paths.
  • package-lock.json (7618-7633) — info: nested foreground-child@4.0.3 remains dev-only under the coverage tool; no injected runtime security surface is introduced.

No warning/error security findings.

Risk Level

Low Risk — dependency-only dev tooling update with no changes to injected page-world runtime code or security-sensitive initialization/messaging paths.

Recommendations

  • No PR-blocking action from a web compatibility/security perspective.
  • Validation performed: npm view dependency metadata matches the lockfile deltas, npm ls monocart-coverage-reports --workspace=injected resolves 2.12.11, npm run coverage-report --workspace=injected loads successfully with no local coverage artifacts, and npm run build --workspace=injected passes with no working-tree changes.
  • Optional end-to-end check: run the full coverage-producing workflow (coverage-int followed by coverage-report) if you want report-format validation beyond the smoke check.

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Stale comment

Dependency Risk Review: monocart-coverage-reports 2.12.9 -> 2.12.11

Confirmed concern

  • The changed package is still not exercised by normal PR CI. In this repo it is directly imported by injected/scripts/merge-coverage.js and run through npm run coverage-report -w injected, but .github/workflows/coverage.yml only triggers on schedule/workflow_dispatch; .github/workflows/tests.yml does not run coverage-report. A Monocart API/reporting regression could therefore merge before failing in nightly/manual coverage.

Changelog/diff impact

  • Upstream changelog says 2.12.10 is dependency updates and 2.12.11 fixes a child-process crash when subprocess cwd differs by making the NODE_OPTIONS register path absolute.
  • The lockfile confirms transitive coverage-tooling updates: acorn-walk, console-grid, eight-colors, lz-utils, monocart-locator, and a nested foreground-child@4.0.3.
  • Runtime app risk is low: this is a devDependency/lockfile-only change with no injected/src or special-pages runtime changes.

Uncertain concerns

  • foreground-child moves across a major version in Monocart’s nested dependency graph. It is dev-only here, but subprocess/signal handling changes could affect coverage execution, so CI should validate with actual coverage input.
  • Nested foreground-child@4.0.3 is BlueOak-1.0.0 while the existing top-level foreground-child@3.3.1 remains ISC; validate against internal license allowlists if BlueOak is not already accepted.

Validation performed

  • npm ci
  • npm run build -w injected && npm run test-unit-coverage -w injected && npm run coverage-report -w injected

These passed on the PR head; Monocart generated the unit coverage report with 213 entries. npm audit did not flag the packages changed by this diff by name.

Dependency necessity / alternatives

  • Keeping the direct devDependency is appropriate while injected/scripts/merge-coverage.js imports CoverageReport directly; it should not rely on c8’s dependency graph.
  • Larger alternative: drop merged Monocart reporting and keep separate c8 + Playwright coverage artifacts, if merged V8 reporting is no longer needed.

Separate fix PR

  • A mitigation PR already exists: #2653 (ci: add PR smoke test for injected coverage merge tooling). I did not push to this Dependabot branch. If #2653 is not the desired path, the minimal fix is a PR-triggered coverage-report smoke path backed by fixture or unit coverage input.

Sent by Cursor Automation: Review dependabot


@cursor cursor Bot left a comment


Stale comment

Dependency review for monocart-coverage-reports 2.12.9 -> 2.12.11:

No confirmed blocking concerns found.

Confirmed scope:

  • Repo usage is limited to injected/scripts/merge-coverage.js, which imports CoverageReport programmatically for generated coverage artifacts. This is not shipped runtime code.
  • Upstream changelog says 2.12.10 is dependency updates and 2.12.11 fixes child-process coverage registration by making the NODE_OPTIONS register path absolute.
  • Published package diff also changes CLI/config parsing (strToObj no longer uses new Function, now JSON-parses JSON-like strings), updates type declarations, and bumps transitive deps including foreground-child, lz-utils, and monocart-locator.

Residual risks / validation notes:

  • The CLI/config parsing change could break consumers relying on JS object-literal CLI strings with unquoted keys/trailing commas. I did not find this repo using the mcr CLI or string config parsing, so this looks non-impacting here.
  • The coverage workflow is scheduled/manual rather than PR-triggered, so PR CI does not directly exercise merge-coverage. I validated locally after npm ci installed 2.12.11 by running npm run coverage-report -w injected; it generated the unit coverage report successfully.
  • npm audit still reports existing unrelated dev-tree advisories, but the changed Monocart subtree in this PR did not add a directly flagged advisory in the audit output.

No separate fix PR drafted because I did not identify a repo change needed for this update.


Sent by Cursor Automation: Review dependabot
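The review above notes that the published package diff moved a string-to-object config helper from new Function to JSON.parse, and that this could break callers passing JS object-literal strings with unquoted keys or trailing commas. The block below is an added example written for this page to show that trade-off side by side; it is not monocart-coverage-reports' code, and the names legacyStrToObj, safeStrToObj and the sample config strings are constructed here.

```javascript
// Added example (not monocart-coverage-reports' code): evaluating a
// "JSON-like" config string with new Function versus parsing it with
// JSON.parse. Function names and inputs are constructed for this illustration.

// Legacy pattern: the string is compiled and run as JavaScript. It accepts JS
// object literals (unquoted keys, trailing commas) but also evaluates any
// expression it is handed, so config input becomes code execution.
function legacyStrToObj(str) {
  // eslint-disable-next-line no-new-func
  return new Function(`return (${str});`)();
}

// Hardened pattern: only strict JSON objects/arrays are accepted; anything
// else is rejected with a structured error instead of being executed.
// Returns { ok: true, value } or { ok: false, error }.
function safeStrToObj(str) {
  const trimmed = String(str).trim();
  if (!/^[\[{]/.test(trimmed)) {
    return { ok: false, error: 'config string must be a JSON object or array' };
  }
  try {
    return { ok: true, value: JSON.parse(trimmed) };
  } catch (err) {
    return { ok: false, error: `invalid JSON: ${err.message}` };
  }
}

// Run constructed config strings through both helpers and record what each
// does with them: strict JSON (both accept), a JS object literal (only the
// legacy helper accepts, which is the compatibility break the review flags),
// and a bare expression (the legacy helper evaluates it; the safe one refuses).
function compareParsers() {
  const samples = {
    strictJson: '{"reports": ["v8", "console-summary"], "clean": true}',
    jsLiteral: "{reports: ['v8'], clean: true,}",
    expression: '(1 + 1)',
  };
  const out = {};
  for (const [name, text] of Object.entries(samples)) {
    let legacy;
    try {
      legacy = { ok: true, value: legacyStrToObj(text) };
    } catch (err) {
      legacy = { ok: false, error: err.message };
    }
    out[name] = { legacy, safe: safeStrToObj(text) };
  }
  return out;
}
```

compareParsers() makes the review's two points concrete: the JS-literal sample parses only under the legacy helper, so consumers relying on that syntax would see a behaviour change after the upgrade, while the expression sample is evaluated to a number by the legacy helper and rejected by the JSON-based one, which is the reason the switch is a hardening change rather than a cosmetic one.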


@cursor cursor Bot left a comment


Dependency Risk Review: monocart-coverage-reports 2.12.9 -> 2.12.11

Confirmed concern

  • The package is still not exercised by normal PR CI. It is directly imported by injected/scripts/merge-coverage.js and run through npm run coverage-report -w injected, but .github/workflows/coverage.yml only runs on schedule/workflow_dispatch, and .github/workflows/tests.yml does not run coverage-report. A future Monocart API/reporting regression could merge before nightly/manual coverage catches it.

Changelog/diff impact

  • Upstream changelog: 2.12.10 updates dependencies; 2.12.11 fixes child-process crashes when subprocess cwd differs by making the NODE_OPTIONS register path absolute.
  • Lockfile confirms transitive coverage-tooling updates, including acorn-walk, console-grid, eight-colors, lz-utils, monocart-locator, and nested foreground-child@4.0.3.
  • Runtime product risk is low: this is devDependency/lockfile-only and does not change injected runtime code, message boundaries, browser API shims, or special-pages code.

Uncertain concerns

  • foreground-child moves across a major version in Monocart's nested dependency graph. It is dev-only here, but subprocess/signal behavior is exactly the kind of surface coverage tooling depends on, so a PR-time smoke check would be useful.
  • The nested foreground-child@4.0.3 entry is BlueOak-1.0.0; validate against internal license allowlists if BlueOak is not already accepted.

Validation performed

  • npm ci
  • npm explain monocart-coverage-reports resolves 2.12.11
  • node -e "import('monocart-coverage-reports')..." confirms CoverageReport import
  • npm run build -w injected
  • npm run test-unit-coverage -w injected passed: 929 specs, 0 failures, 16 pending
  • npm run coverage-report -w injected passed and generated the unit coverage report with 214 entries
  • npm audit --include=dev reports existing advisories, but not against the packages changed by this diff by name

Dependency necessity / alternatives

  • Keeping the direct devDependency is appropriate while merge-coverage.js imports CoverageReport directly to merge/generate V8 coverage reports.
  • Larger alternative: remove merged Monocart reporting and keep separate c8 plus Playwright coverage artifacts if merged V8 reporting is no longer needed.

Separate fix PR

  • A separate mitigation PR already exists: #2653 adds a PR-time smoke step for npm run coverage-report -w injected. I did not push changes to this Dependabot branch.

Sent by Cursor Automation: Review dependabot
