Skip to content

chore(deps-dev): bump the development group across 1 directory with 4 updates#25

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/development-5edf004f83
Closed

chore(deps-dev): bump the development group across 1 directory with 4 updates#25
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/development-5edf004f83

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps the development group with 4 updates in the / directory: @types/node, oxfmt, oxlint and oxlint-tsgolint.

Updates @types/node from 26.0.1 to 26.1.0

Commits

Updates oxfmt from 0.56.0 to 0.57.0

Commits

Updates oxlint from 1.71.0 to 1.72.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.72.0] - 2026-06-29

🚀 Features

  • 1c8f50c linter: Add schema for eslint/no-restricted-import (#23642) (Sysix)

🐛 Bug Fixes

  • 742be36 refactor/node/handle-callback-err: Reject invalid regex config (#23740) (camc314)
Commits

Updates oxlint-tsgolint from 0.23.0 to 0.24.0

Release notes

Sourced from oxlint-tsgolint's releases.

v0.24.0

What's Changed

... (truncated)

Commits
  • 5a37e89 fix(dot-notation): determine the relevant accessor (#1028)
  • 67a281f perf(consistent-return): defer per-function type resolution (#1031)
  • a5e2ff0 perf(no-unnecessary-qualifier): skip symbol resolution outside namespaces. (#...
  • a8fc668 perf(no-confusing-void-expression): check ancestor position before type query...
  • 03158cc perf(no-unnecessary-type-conversion): hoist constant builtin-name slices (#1040)
  • d9e645c perf(prefer-optional-chain): lazily allocate chain-processor caches (#1041)
  • 63f578a refactor(no-unnecessary-condition): remove dead containsUnguardedElementAcces...
  • f174876 chore(deps): update gomod (#1035)
  • 47de9cf chore(deps): update github actions (#1036)
  • e209b5b chore(deps): update actions/cache action to v6 (#1037)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

… updates

Bumps the development group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt), [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) and [oxlint-tsgolint](https://github.com/oxc-project/tsgolint).


Updates `@types/node` from 26.0.1 to 26.1.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `oxfmt` from 0.56.0 to 0.57.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.57.0/npm/oxfmt)

Updates `oxlint` from 1.71.0 to 1.72.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.72.0/npm/oxlint)

Updates `oxlint-tsgolint` from 0.23.0 to 0.24.0
- [Release notes](https://github.com/oxc-project/tsgolint/releases)
- [Commits](oxc-project/tsgolint@v0.23.0...v0.24.0)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development
- dependency-name: oxfmt
  dependency-version: 0.57.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development
- dependency-name: oxlint
  dependency-version: 1.72.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development
- dependency-name: oxlint-tsgolint
  dependency-version: 0.24.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 3, 2026
@clawsweeper

clawsweeper Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 7, 2026, 1:21 PM ET / 17:21 UTC.

Summary
The branch updates package.json and pnpm-lock.yaml for @types/node 26.1.0, oxfmt 0.57.0, oxlint 1.72.0, and oxlint-tsgolint 0.24.0.

Reproducibility: not applicable. this is dependency maintenance rather than a bug report. Verification is package/lockfile review plus the PR's CI matrix.

Review metrics: 2 noteworthy metrics.

  • Files changed: 2 modified, 0 added, 0 removed. The diff is limited to package.json and pnpm-lock.yaml, so review can focus on dependency metadata and lockfile consistency.
  • Direct dev updates: 4 development dependency resolutions updated. The updated packages back Node typings, formatting, and lint tooling, making CI and package-owner review the relevant validation gates.

Root-cause cluster
Relationship: canonical
Canonical: #25
Summary: This PR is the active Dependabot update for the development tooling group and supersedes the earlier closed three-dependency branch.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Next step before merge

  • [P2] No repair lane is needed because there is no actionable patch defect; the remaining action is ordinary package-owner review.

Security
Cleared: No concrete security or supply-chain concern was found; the diff only updates direct dev dependency specs and pnpm integrity metadata, with no scripts, workflows, permissions, secrets, or publishing changes.

Review details

Best possible solution:

Land the narrow Dependabot bump after package-owner review, keeping package.json and pnpm-lock.yaml synchronized.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is dependency maintenance rather than a bug report. Verification is package/lockfile review plus the PR's CI matrix.

Is this the best way to solve the issue?

Yes; the narrow package.json and pnpm-lock.yaml update matches the configured Dependabot development group and avoids touching runtime code.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 95630872f37a.

Label changes

Label justifications:

  • P3: This is low-risk development dependency maintenance with limited runtime blast radius and green validation.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot dependency PRs do not need contributor real-behavior proof; CI/status checks are the relevant validation signal here.
Evidence reviewed

What I checked:

  • AGENTS.md read and applied: Repository policy calls out pnpm, repository scripts, focused changes, and careful package/lockfile handling; that guided the dependency-only review. (AGENTS.md:39, 95630872f37a)
  • Current main still has older specs: Main still lists oxfmt ^0.56.0 and oxlint-tsgolint ^0.23.0, so the central bump is not implemented on main. (package.json:94, 95630872f37a)
  • PR head updates direct dev specs: The PR head changes oxfmt to ^0.57.0 and oxlint-tsgolint to ^0.24.0 while leaving runtime dependencies and scripts unchanged. (package.json:94, 6b41391cb83f)
  • PR head lockfile resolves intended versions: The lockfile resolves @types/node 26.1.0, oxfmt 0.57.0, oxlint 1.72.0 with oxlint-tsgolint 0.24.0, and oxlint-tsgolint 0.24.0. (pnpm-lock.yaml:18, 6b41391cb83f)
  • Dependabot grouping matches config: The repository has a daily npm development dependency group for minor and patch updates, matching this grouped Dependabot PR. (.github/dependabot.yml:16, 95630872f37a)
  • CI is green on the PR head: GitHub reports the PR as mergeable with successful Node 22/24 checks across Ubuntu, macOS, and Windows, CodeQL, workflow lint, and browser smoke checks. (6b41391cb83f)

Likely related people:

  • Vincent Koc: Blame and git show indicate this author introduced package.json, pnpm-lock.yaml, Dependabot grouping, CODEOWNERS protection, and later release-validation package script work. (role: introduced package and dependency automation setup; confidence: high; commits: af898fe0cdd3, c1ca6f199108; files: package.json, pnpm-lock.yaml, .github/dependabot.yml)
  • dependabot[bot]: Recent current-main commits updated adjacent development dependency entries, including @types/node, @typescript/native-preview, and the development tooling group. (role: recent automated dependency updater; confidence: medium; commits: 95630872f37a, 2aae4e95db60, 1dcef4535cb1; files: package.json, pnpm-lock.yaml)
  • openclaw/openclaw-secops: CODEOWNERS assigns package.json and pnpm-lock.yaml to this team, making it the natural review route for package and lockfile changes. (role: package surface code owner; confidence: medium; commits: af898fe0cdd3; files: .github/CODEOWNERS, package.json, pnpm-lock.yaml)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (5 earlier review cycles)
  • reviewed 2026-07-03T17:18:00.301Z sha 6b41391 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-06T16:01:11.124Z sha 6b41391 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-06T17:17:53.448Z sha 6b41391 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-06T17:23:10.279Z sha 6b41391 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-07T17:17:15.715Z sha 6b41391 :: needs maintainer review before merge. :: none

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 3, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 8, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/development-5edf004f83 branch July 8, 2026 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants