Skip to content

chore(deps-dev): bump @types/node from 25.9.3 to 26.0.1#20

Merged
steipete merged 1 commit into
mainfrom
dependabot/npm_and_yarn/types/node-26.0.1
Jun 30, 2026
Merged

chore(deps-dev): bump @types/node from 25.9.3 to 26.0.1#20
steipete merged 1 commit into
mainfrom
dependabot/npm_and_yarn/types/node-26.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps @types/node from 25.9.3 to 26.0.1.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.9.3 to 26.0.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
@clawsweeper

clawsweeper Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed June 29, 2026, 1:19 PM ET / 17:19 UTC.

Summary
This branch bumps @types/node from 25.9.3 to 26.0.1 in package.json and refreshes pnpm-lock.yaml peer and transitive dev dependency entries.

Reproducibility: not applicable. this is a dependency-maintenance PR rather than a reported bug. The relevant check is package policy and type-baseline compatibility, not reproducing a runtime failure.

Review metrics: 3 noteworthy metrics.

  • Changed package files: 2 modified, 0 added, 0 removed. The review surface is limited to package.json and pnpm-lock.yaml.
  • Direct dependency change: 1 direct dev dependency major bump. @types/node controls the ambient Node declarations used by the normal typecheck path.
  • Visible PR checks: 13 passed, 1 skipped. CI supports patch quality, but package policy still needs maintainer attention.

Root-cause cluster
Relationship: canonical
Canonical: #20
Summary: The older @types/node 26.0.0 Dependabot PR was closed unmerged by Dependabot as superseded by this newer 26.0.1 PR, so this PR is the live candidate for the dependency update.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Have a package owner confirm whether @types/node 26 is the intended development type baseline while Node 22/24 remain supported.

Risk before merge

  • [P1] The semver-major @types/node update can move the compile-time Node API surface ahead of the package's Node 22 and Node 24 runtime contract.
  • [P1] The lockfile refresh also updates dev-only transitive entries such as undici-types, postcss, nanoid, and optional wasm helper snapshots; passing CI is useful but does not replace package-owner acceptance of that dependency surface.

Maintainer options:

  1. Accept Node 26 types baseline
    A package owner can intentionally merge this narrow dependency update if Node 26 ambient declarations are acceptable while Node 22 and Node 24 remain supported runtimes.
  2. Hold the major bump
    Maintainers can close or ignore this @types/node major until the runtime support or type-baseline policy moves forward.

Next step before merge

  • [P2] A package owner needs to decide the Node type-declaration baseline; there is no narrow automation repair for that policy choice.

Security
Cleared: The diff changes only dev dependency metadata and integrity-pinned lockfile entries, with no scripts, workflows, permissions, secrets, or publish settings changed.

Review details

Best possible solution:

Merge the narrow bump only if package owners accept @types/node 26 as the development type baseline; otherwise hold this major until the runtime or type-policy baseline moves forward.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency-maintenance PR rather than a reported bug. The relevant check is package policy and type-baseline compatibility, not reproducing a runtime failure.

Is this the best way to solve the issue?

Yes, with maintainer acceptance: the branch uses the normal package.json plus pnpm-lock.yaml path for a dev dependency update. The unresolved part is whether this semver-major Node types baseline belongs in the package now.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 8ffb44049333.

Label changes

Label changes:

  • add P3: This is a narrow dev-dependency maintenance PR with limited direct runtime blast radius.
  • add merge-risk: 🚨 compatibility: The semver-major Node type declarations can move the compile-time API guard ahead of the package's Node 22/24 runtime contract.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a bot-authored Dependabot dependency PR, so the external-contributor real behavior proof gate does not apply; CI is the relevant validation signal.

Label justifications:

  • P3: This is a narrow dev-dependency maintenance PR with limited direct runtime blast radius.
  • merge-risk: 🚨 compatibility: The semver-major Node type declarations can move the compile-time API guard ahead of the package's Node 22/24 runtime contract.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a bot-authored Dependabot dependency PR, so the external-contributor real behavior proof gate does not apply; CI is the relevant validation signal.
Evidence reviewed

Acceptance criteria:

  • [P1] Review the PR CI matrix for Node 22 and Node 24 across supported OSes.
  • [P1] If merging locally, run pnpm check with pnpm 10.33.2.

What I checked:

  • Repository policy read: AGENTS.md was read fully; its package surface, runtime compatibility, pnpm workflow, and lockfile guidance apply to this dependency review. (AGENTS.md:1, 8ffb44049333)
  • Current main dependency baseline: Current main still declares @types/node as ^25.9.2, so the PR's central dependency bump is not already implemented on main. (package.json:91, 8ffb44049333)
  • Current runtime contract: The package engines still support Node ^22.18.0 and >=24.11.0, which makes a semver-major ambient Node type update compatibility-sensitive. (package.json:110, 8ffb44049333)
  • Node types affect the normal typecheck path: The main TypeScript config includes node in compilerOptions.types, so @types/node controls the Node API surface accepted during normal typecheck. (tsconfig.json:14, 8ffb44049333)
  • PR manifest change: The PR head changes the direct dev dependency to @types/node ^26.0.1 in package.json. (package.json:91, 1c9988c0a150)
  • PR lockfile change: The PR head lockfile resolves @types/node to 26.0.1 and updates Vitest/Vite peer snapshots against that version. (pnpm-lock.yaml:18, 1c9988c0a150)

Likely related people:

  • vincentkoc: Blame and GitHub PR history tie the current dependency block, TypeScript config, CODEOWNERS, and recent package-script hardening to this package surface. (role: package surface introducer and recent area contributor; confidence: high; commits: af898fe0cdd3, c1ca6f199108; files: package.json, pnpm-lock.yaml, tsconfig.json)
  • @openclaw/openclaw-secops: CODEOWNERS assigns package.json, pnpm-lock.yaml, protocol, source, and governance surfaces to this team, which is relevant to package baseline decisions. (role: code owner for package and compatibility surfaces; confidence: high; commits: af898fe0cdd3; files: .github/CODEOWNERS, package.json, pnpm-lock.yaml)
  • dependabot[bot]: Recent merged dependency-maintenance commits touched the same package and lockfile area, so this branch follows the repository's established automated dependency-update path. (role: recent dependency automation; confidence: medium; commits: ed9ce515e4a2, 1793e5398cb7; files: package.json, pnpm-lock.yaml)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​types/​node@​26.0.11001008196100

View full report

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jun 29, 2026
@steipete steipete merged commit 2aae4e9 into main Jun 30, 2026
20 checks passed
@steipete steipete deleted the dependabot/npm_and_yarn/types/node-26.0.1 branch June 30, 2026 23:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant