chore: dep refresh 2026 05 #1365
Open
lidel wants to merge 25 commits into
none of the three are imported anywhere under add-on/, test/, scripts/, or webpack.config.js. only uri-to-multiaddr is still used (lib/ipfs-companion.js).
bump @babel/core, @babel/preset-env, babel-loader, webpack, mini-css-extract-plugin, terser, terser-webpack-plugin, ts-loader. all SemVer-safe; closes the serialize-javascript HIGH advisory via terser-webpack-plugin.
cli-only majors with no source-level integration: web-ext 7→10, webpack-cli 6→7, webpack-bundle-analyzer 4→5, cross-env 7→10, shx 0.3→0.4, patch-package 6→8, get-firefox 7→8. closes addons-linter, request, and form-data CRITICAL/HIGH advisories transitively via web-ext 10.
mocha 10→11 (drops node 14/16; .nvmrc is 22), c8 7→11, @istanbuljs/esm-loader-hook 0.2→0.3, selenium-webdriver 4.35→4.43, @types/debug, @types/selenium-webdriver, bufferutil, utf-8-validate. closes diff and js-yaml HIGH/MOD advisories transitively via mocha.
debug 4.3→4.4, is-ip 5.0.0→5.0.1, filesize 10→11, it-all 2→3, assert 2.0→2.1, exponential-backoff 3.1.2→3.1.3, url 0.11.0→0.11.4. verified call sites unchanged: filesize uses named import, it-all uses default import.
e2e.yml hard-coded node 18 while ci.yml reads .nvmrc (22.19.0); the inconsistency would break under mocha@11 and webpack-cli@7, both of which require node >= 20. switch e2e.yml to read from .nvmrc and refresh actions/checkout@v4 + setup-node@v5 to match. bump engines.node to >=20.18.0 (current LTS floor) and engines.npm to the bundled 10.8.2.
clean re-resolve of the dependency tree after the bumps above. no functional change beyond the package.json edits already landed; this commit just dedups and tidies the lockfile. npm audit before: 41 advisories (4 crit / 18 high / 14 mod / 5 low). npm audit after: 9 advisories (0 crit / 5 high / 3 mod / 1 low).
the toolchain refresh promoted the hoisted glob from v7 (default export) to v10 (named exports only), which broke `build:rename-artifacts` in ci with:
SyntaxError: The requested module 'glob' does not provide an export named 'default'
the script only needed to walk one directory level (build/<channel>/*.zip), so replace the dep with node:fs and node:path. also swap the deprecated fs.rmdirSync(recursive) for fs.rmSync to silence DEP0147.
the previous patch (74c7b33) used `file.split('/')` to peel off the channel directory, which broke on windows where path.join returns backslash-separated paths. ci on windows-latest produced paths like `build\build\chromium\..._undefined.zip`. derive the channel directly from the dirent and the filename from the stat entry, so we never re-parse a path string.
ipfs-companion has been pulling is-ipfs from an unmerged fork (ipfs/is-ipfs#5d6d1a2 on feat/support-inlined-dnslink-subdomains) since #961, because the published is-ipfs@2.0.0 does not recognise inlined DNSLink labels like `en-wikipedia--on--ipfs-org` as valid ipns subdomains. the fork patches isIpns() to un-inline the label before the FQDN-with-TLD check.
a recent dep refresh that regenerated package-lock.json silently re-resolved is-ipfs@2.0.0 from the npm registry, dropping the fork patch and breaking these subdomain URLs:
- https://en-wikipedia--on--ipfs-org.ipns.dweb.link/...
- https://dnslink--site-com.ipns.dweb.link/...
move the un-inlining into companion itself: a new unfoldInlinedDnslinkSubdomain() rewrites the inlined id to its fqdn form at the top of ipfsContentPath(), which is the canonical entry point used by both isIPFS subdomain detection and dnslink resolution. the existing dnsLabelToFqdn() helper does the actual label translation and is reused.
with this in place we can stop carrying a fork branch and depend on the registry version of is-ipfs.
context: ipfs/in-web-browsers#169
lru-cache moved to a named export from v10 onward. swap
`import LRU from 'lru-cache'` for `import { LRUCache } from 'lru-cache'`
in dnslink.js, ipfs-request.js, and ipfs-companion.js, and rename
`new LRU(...)` -> `new LRUCache(...)`. constructor options
(max, ttl) are unchanged.
also pin webpack ProvidePlugin's process polyfill to
`process/browser.js` (with extension); lru-cache's esm bundles
declare `type: module`, and webpack 5 requires fully-specified
imports under that mode.
is-ipfs v7+ is esm-only and dropped the default export, so switch `import isIPFS from 'is-ipfs'` -> `import * as isIPFS from 'is-ipfs'` in all five call sites. method names and signatures are unchanged.
inlined dnslink labels (`en-wikipedia--on--ipfs-org` etc.) became native in v3+, so drop the `unfoldInlinedDnslinkSubdomain` helper that 737e462 added as a stand-in for the old fork. companion's flow now relies on the upstream behaviour.
remove the bespoke `add-on/src/types/global.d.ts` declaration; v8 ships its own types via `dist/src/index.d.ts` and the override would shadow them.
two sinon@22 behaviour changes needed accommodation:
- `useFakeTimers` now throws on a second install when one is already active. the global fake clock in `test/setup/mocha-setup.js` collided with a per-test `sinon.useFakeTimers()` in `blockOrObserve.test.ts`. drop the global install and let the one test that needs fake timers manage them itself (install in the test body, restore in finally).
- the default `toFake` set now includes `setImmediate` and `queueMicrotask`, which deadlocks node's fetch() in dnslink/gateway tests that hit the real network. the `formatImportDirectory` test still wants a deterministic Date, so it now installs a Date-only fake clock in a before/after pair scoped to that describe block.
no production code touched.
`scripts/fetch-webui-from-gateway.js` was a fallback used while the webui ipfs-fetch path was unreliable; the script header has flagged it as unused since #679, and no npm script or workflow invokes it. drop the script and its three exclusive consumers from devDependencies:
- tar 6.1.12 (HIGH: dos + path traversal advisories)
- request-progress 3.0.0 (pulls deprecated request)
- download-cli 1.1.1 (HIGH: trim-newlines/meow chain)
`download-cli` had no users in the repo at all.
mocha@11.7.5 still pins old diff and serialize-javascript, both flagged HIGH/LOW. there is no newer mocha that fixes them, so add npm overrides to lift them to:
- diff 9.0.0 (advisory range fixed: <8.0.3)
- serialize-javascript 7.0.5 (advisory range fixed: <7.0.5)
net result: `npm audit` reports 0 vulnerabilities (down from 41 on main: 4 critical / 18 high / 14 moderate / 5 low).
v11+ rewrote the component: the root element became a <button>
with mdc-switch__handle / __handle-track / __ripple / __icons,
dropping the v10 mdc-switch__track / __thumb / __native-control
markup that switch-toggle.{js,css} target. result was unstyled
toggles on the options page.
adapting to the new api needs a markup rewrite (and the input
checkbox is gone, so the choo onchange wiring would change too).
keep this dep on 10 until that work is scoped on its own.
Catch-up dep bump after months of drift. No feature changes.
Bumps
Notable majors:
is-ipfs 2→8, kubo-rpc-client 5→6, mocha 10→11, chai 4→6, sinon 13→22, typescript 4.9→5.9, lru-cache 7→11, webextension-polyfill 0.10→0.12, web-ext 7→10, webpack-cli 6→7, css/style-loader, @material/switch, matching @types/*.
engines.node raised to current LTS; e2e.yml now reads .nvmrc.
Removed
- multiaddr, multiaddr-to-uri, p-wait-for, download-cli (unused).
- scripts/fetch-webui-from-gateway.js plus its private deps tar and request-progress (header flagged it dead since #679).
Notable
- is-ipfs fork pin removed. We've been pulling is-ipfs@2.0.0 from the unmerged ipfs/is-ipfs#5d6d1a2 branch since fix: inlined DNSLink names and context actions for URIs #961, for inlined-DNSLabel support. The pin only lived in the lockfile, so any regen silently dropped it. is-ipfs@8 ships that handling natively.
- is-ipfs@8 is ESM-only with no default export; lru-cache@11 exports { LRUCache }; sinon@22 forbids double-installing fake timers, so the global fake clock in mocha-setup.js is gone.
Audit
npm audit clean. Two npm overrides (diff, serialize-javascript) handle transitives mocha still pins to vulnerable versions (upstream considers them false positives).
Verification
CI green on Ubuntu / macOS / Windows. Smoke-tested in Chromium and Firefox.
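The lockfile-only fork pin described above could have been caught by a CI check that compares `package-lock.json` against a list of expected sources. The following is an added example, not code from this PR or from ipfs-companion; `findPinDrift`, `sourceOf`, the `expectedPins` policy object and both sample lockfiles are hypothetical and constructed for illustration.

```javascript
// Classify where a lockfile entry (lockfileVersion 2/3 "packages" map) came from.
function sourceOf (entry) {
  const resolved = entry.resolved || ''
  if (resolved.startsWith('git+')) {
    // git dependencies are recorded as git+<url>#<commit>
    return { kind: 'git', ref: resolved.split('#')[1] || '' }
  }
  if (resolved.startsWith('https://registry.npmjs.org/')) {
    return { kind: 'registry', ref: String(entry.version || '') }
  }
  return { kind: 'other', ref: resolved }
}

// Return one finding per expected pin that the lockfile no longer honours.
// Only top-level node_modules/<name> entries are checked; refs match by
// prefix so an abbreviated commit id can be compared with a full one.
function findPinDrift (lock, expectedPins) {
  const packages = lock.packages || {}
  const findings = []
  for (const [name, want] of Object.entries(expectedPins)) {
    const entry = packages[`node_modules/${name}`]
    if (!entry) {
      findings.push({ name, problem: 'missing from lockfile' })
      continue
    }
    const got = sourceOf(entry)
    if (got.kind !== want.kind || !got.ref.startsWith(want.ref)) {
      findings.push({
        name,
        problem: `expected ${want.kind}#${want.ref}, lockfile has ${got.kind}#${got.ref}`
      })
    }
  }
  return findings
}

// Hypothetical policy kept outside the lockfile, so a regen cannot erase it.
const expectedPins = { 'is-ipfs': { kind: 'git', ref: '5d6d1a2' } }

// Constructed lockfile fragments: before and after a clean re-resolve.
const lockWithFork = { lockfileVersion: 3, packages: { 'node_modules/is-ipfs':
  { version: '2.0.0', resolved: 'git+ssh://git@github.com/ipfs/is-ipfs.git#5d6d1a2' } } }
const lockAfterRegen = { lockfileVersion: 3, packages: { 'node_modules/is-ipfs':
  { version: '2.0.0', resolved: 'https://registry.npmjs.org/is-ipfs/-/is-ipfs-2.0.0.tgz' } } }

console.log(findPinDrift(lockWithFork, expectedPins))
console.log(findPinDrift(lockAfterRegen, expectedPins))
```

Both sample entries report version 2.0.0, which is why a version-only comparison would not notice the swap; the check has to look at the `resolved` source.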