build(deps-dev): bump @types/node from 25.9.0 to 25.9.1 in the typescript group

[dependabot]

Bumps the typescript group with 1 update: @types/node.

Updates @types/node from 25.9.0 to 25.9.1

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

Note

Low Risk
Dev-only type definitions with no runtime or security-sensitive code changes.

Overview
Bumps the @types/node dev dependency from 25.9.0 to 25.9.1 in injected/package.json and refreshes the lockfile entry (resolved tarball and integrity hash). This is a patch-level DefinitelyTyped update only; no application or build script source changes.

^{Reviewed by Cursor Bugbot for commit 64808c1. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

[cursor]

Web Compatibility Assessment

No findings. The diff only updates the devDependency @types/node from ^25.9.0 to ^25.9.1 in injected/package.json and the matching lockfile entry in package-lock.json. No injected runtime code, API hooks, wrapper utilities, DOM behavior, platform entry points, or remote-config paths are changed.

Security Assessment

No findings. This is a type-only devDependency update with no runtime bundle impact and no changes to captured globals, messaging, bridge/origin checks, iframe handling, or network/postMessage behavior. The published package metadata keeps the same undici-types dependency range, and the lockfile integrity matches the published 25.9.1 artifact.

Risk Level

Low Risk: dependency metadata only, dev-only type package, no runtime code path affected.

Recommendations

No PR changes recommended.

Verification performed:

• npm view @types/node@25.9.0 dependencies --json
• npm view @types/node@25.9.1 dependencies --json
• npm view @types/node@25.9.1 dist.integrity --json
• npm ci --ignore-scripts
• npm run build-surrogates --workspace=injected && npm run build-locales --workspace=injected && npm run tsc

  

_{Sent by Cursor Automation: Web compat and sec}

[cursor]

Dependency risk assessment: no dependency-specific concerns found.

Evidence reviewed:

• The PR only bumps @types/node from 25.9.0 to 25.9.1 in injected/package.json and package-lock.json.
• npm diff --diff @types/node@25.9.0 --diff @types/node@25.9.1 shows only README/package metadata plus one type-definition change in stream/iter.d.ts: StatelessTransformFn is widened to allow Promise<TransformResult | null>. No runtime JS, binaries, install scripts, or dependency range changes are introduced.
• Repo search found no use of stream/iter, node:stream, StatelessTransformFn, or TransformResult, so the changed type surface does not appear to affect current code directly.
• @types/node is still needed: this workspace type-checks Node-based scripts/tests that import fs, path, node:*, use process, etc.
• Supply-chain checks: lockfile integrity matches the npm registry metadata for 25.9.1; license remains MIT; dependency remains undici-types >=7.24.0 <7.24.7; npm audit signatures @types/node@25.9.1 reported verified registry signatures.

Validation performed:

• npm run build-locales -w injected && npm run build-surrogates -w injected && npm run tsc && npm run tsc-strict-core passed locally.
• Current CI failures I saw are not dependency/type failures: build completed generation and failed pushing pr-releases/... with a remote commit_refs error, and sync failed because ASANA_ACCESS_TOKEN was not supplied. Unit/integration checks observed so far were passing or still pending.

No fix PR drafted because I did not find a code or dependency issue that needs a separate change.

  

_{Sent by Cursor Automation: Review dependabot}