chore(deps): consolidate 16 dependabot PRs — eslint v10, vitest v4, cspell v9, and ecosystem updates #295
Open
Summary
Consolidate all 16 open dependabot PRs (#271–#294) into a single integration branch. The updates span four ecosystems (NPM, Python, Rust, GitHub Actions) and three NPM scopes (root, docs/_server, docs/assets/js), with several major version bumps requiring manual intervention for breaking changes.
Motivation
Dependabot PRs have accumulated and share overlapping lock file scopes, making individual merges prone to conflicts. Batching them into a single branch reduces churn, ensures cross-dependency compatibility, and allows breaking changes to be addressed holistically.
Scope of Work
ESLint v10 Migration
- Upgrade eslint from v9 to v10 across all three NPM scopes
- Add @eslint/js as an explicit devDependency (decoupled from eslint v10 bundle)
- Verify flat config (eslint.config.js) requires no structural changes
- Minimum Node.js raised to ^20.19.0 || ^22.13.0 || >=24
Vitest v4 and Vite 8
- Upgrade vitest to 4.x and @vitest/coverage-v8 to 4.x in docs/_server and docs/assets/js
- Adapt docs/assets/js/vitest.config.js for three breaking changes:
  - Reporter 'basic' renamed to 'default'
  - poolOptions.threads flattened to top-level maxThreads/minThreads
  - experimentalVmThreads removed
- Migrate docs/_server/vitest.config.js and docs/_server/vitest.integration.config.js from deprecated poolOptions.forks to top-level maxWorkers
cspell v9
- Upgrade cspell from v8 to v9 in root scope
- Minimum Node raised to 20
Python Dependency Updates
- Update root requirements.txt: python-hcl2 4.3.0→7.x, checkov 3.2.0→3.2.510+
- Update src/500-application/506-ros2-connector/services/requirements.txt: opencv-python 4.10→4.13, psutil 6→7.x, pytest 8→9, pytest-cov 5→7
Rust Security Patches
- Apply rustls-webpki patch (TLS certificate verification fix) in 502-rust-http-connector
- Apply tar security fix in 507-ai-inference
Other NPM Updates
- Bump markdownlint-cli to 0.48.x (root)
- Bump happy-dom to 20.x (docs/_server and docs/assets/js)
- Upgrade ajv-formats v2→v3 in docs/_server (enforces timezone in date-time format)
- Upgrade express-rate-limit v6→v8 in docs/_server
GitHub Actions
- Update azure/login action hash in cluster-test-terraform.yml
Known Post-merge Risks
These regressions surfaced during a prior integration attempt and should be validated:
- js-yaml v4 override in docs/_server/package.json can break gray-matter (requires ^3.13.1) — do not add overrides for js-yaml
- uuid may be lost as a transitive dependency after lock file regeneration — add as explicit dependency in docs/_server
- parseStepsFromMarkdown in docs/_server/services/learning-path-manifest.js needs a regex pattern for bold-title format (- [ ] [**Kata: ...**](../katas/...))
- CPU performance test in docs/_server/tests/performance/file-watch.test.js may be flaky in container environments — widen tolerance if needed
- Boundary assertions in docs/_server/tests/integration/learning-path-selections.test.js should use toBeGreaterThanOrEqual not toBeGreaterThan
- Progress endpoint test in docs/_server/tests/integration/progress-endpoint.test.js must match current API response format ({ progressData: [...] })
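The first two risks above can be caught mechanically before merge. The following is an added example, not code from this repository: the function names and the sample manifests are constructed for illustration, and it assumes uuid belongs under dependencies rather than devDependencies.

```javascript
'use strict';

// Walk an npm "overrides" tree. Keys may be "pkg" or "pkg@range"; values may
// be a version string or a nested object ("." names the package itself).
function findOverrides(node, name, path = 'overrides') {
  const hits = [];
  for (const [key, value] of Object.entries(node || {})) {
    const here = `${path}.${key}`;
    const nested = value !== null && typeof value === 'object';
    if (key === name || key.startsWith(`${name}@`)) {
      hits.push({ path: here, spec: nested ? value['.'] : value });
    }
    if (nested) hits.push(...findOverrides(value, name, here));
  }
  return hits;
}

// Returns a list of findings for a parsed package.json object.
function checkManifest(manifest) {
  const findings = [];
  for (const hit of findOverrides(manifest.overrides, 'js-yaml')) {
    findings.push(`js-yaml override at ${hit.path} (${hit.spec ?? 'nested'})`);
  }
  // Assumption: uuid must be a runtime dependency, so only "dependencies" counts.
  if (!Object.hasOwn(manifest.dependencies || {}, 'uuid')) {
    findings.push('uuid is not an explicit dependency');
  }
  return findings;
}

// Constructed sample manifests (not the real docs/_server/package.json).
const regressed = {
  dependencies: { 'gray-matter': '^4.0.3' },
  overrides: { 'gray-matter': { 'js-yaml': '^4.1.0' } },
};
const clean = { dependencies: { 'gray-matter': '^4.0.3', uuid: '^9.0.0' } };

console.log(checkManifest(regressed));
console.log(checkManifest(clean));
```

Running it against the parsed package.json after each lock file regeneration flags either regression before the test suite has to.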
Merge Strategy
- Merge in risk-prioritized sequence: security patches first, then isolated changes, then scope-grouped NPM updates
- Resolve lock file conflicts using delete-and-reinstall strategy within each NPM scope
- Address breaking changes with manual fix commits after each major version merge
Validation Checklist
- npm install && npm run lint passes at root
- cd docs/_server && npm install && npm run lint && npm test passes
- cd docs/assets/js && npm install && npm run lint && npm test passes
- npm run mdlint passes at root
- npm run cspell passes at root
- pip install -r requirements.txt succeeds
- Rust crates build successfully
Related PRs
#271, #272, #273, #274, #275, #276, #277, #278, #279, #280, #282, #284, #285, #286, #293, #294