Skip to content

chore(deps): bump the minor-and-patch group across 1 directory with 14 updates#243

Open
dependabot[bot] wants to merge 1 commit into
betafrom
dependabot/bun/beta/minor-and-patch-245e0e5e9c
Open

chore(deps): bump the minor-and-patch group across 1 directory with 14 updates#243
dependabot[bot] wants to merge 1 commit into
betafrom
dependabot/bun/beta/minor-and-patch-245e0e5e9c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown

Bumps the minor-and-patch group with 14 updates in the / directory:

Package From To
@novnc/novnc 1.6.0 1.7.0
next 16.1.6 16.2.10
playwright 1.58.2 1.61.1
react 19.2.4 19.2.7
@types/react 19.2.14 19.2.17
react-dom 19.2.4 19.2.7
ws 8.19.0 8.21.0
@playwright/test 1.58.2 1.61.1
@tailwindcss/postcss 4.1.18 4.3.2
@types/bun 1.3.11 1.3.14
@vitest/coverage-v8 4.0.18 4.1.10
eslint-config-next 16.1.6 16.2.10
tailwindcss 4.1.18 4.3.2
vitest 4.0.18 4.1.10

Updates @novnc/novnc from 1.6.0 to 1.7.0

Release notes

Sourced from @​novnc/novnc's releases.

noVNC 1.7.0

A new version of noVNC is now available. Lots of changes have been made since the last release, but the highlights are:

Application:

  • Added Croatian translation.
  • Added Hungarian translation.
  • Fixed a styling bug where some buttons in the GUI would almost disappear.
  • The browser will now warn before the session's tab is closed when view only is not enabled.

Library:

  • The NPM bundle has been converted to ES-module format.
  • The novnc_proxy script now uses the bash-builtin type instead of which when checking if websockify is installed.
  • Received image data is now dropped once rendered, resulting in more efficient memory usage.
  • Detection of H.264 has been improved.
  • The deprecated showDotCursor setting has now been removed.

Regards, The noVNC Developers

noVNC 1.7.0 beta

A new beta version of noVNC is now available. Many changes have been made since the last release, but the highlights are:

Application:

  • Added Croatian translation.
  • Added Hungarian translation.
  • Fixed a styling bug where some buttons in the GUI would almost disappear.
  • The browser will now warn before the session's tab is closed when view only is not enabled.

Library:

  • The NPM bundle has been converted to ES-module format.
  • The novnc_proxy script now uses the bash-builtin type instead of which when checking if websockify is installed.
  • Received image data is now dropped once rendered, resulting in more efficient memory usage.
  • Detection of H.264 has been improved.
  • The deprecated showDotCursor setting has now been removed.

Regards, The noVNC Developers

Commits
  • 63107bd noVNC 1.7.0
  • 18cabdf Update generated json files
  • 85ae81a noVNC 1.7.0 beta
  • 7a96227 Remove show_dot from docs/EMBEDDING.md
  • 43266f4 Remove showDotCursor from docs/API.md
  • 4ccc3b4 Use Node version 24 when publishing to npmjs
  • 8f3555b Publish with latest npm version
  • 7808f57 Stop using access tokens when publishing to npmjs
  • 603d63f Allow publishing to npmjs.com with OIDC
  • 5ac7bd2 Update Swedish translation
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​novnc/novnc since your current version.


Updates next from 16.1.6 to 16.2.10

Release notes

Sourced from next's releases.

v16.2.10

Contains no changes except publishing @next/swc-wasm-web which was accidentally not published since 16.2.4.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates playwright from 1.58.2 to 1.61.1

Release notes

Sourced from playwright's releases.

v1.61.1

Bug Fixes

  • #41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
  • #41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
  • #41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
  • #41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
  • #41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

Browser and Screencast

... (truncated)

Commits
  • 39e3553 cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...
  • 4328122 chore: mark v1.61.1 (#41404)
  • 2c29a94 fix(tracing): stop recording websocket frames outside of chunks (#41398)
  • 4324b19 cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend
  • 041e7e3 cherry-pick(#41364): fix(har): WebSocket message timestamps should be in mi...
  • b8a0fc3 cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...
  • b5a3175 cherry-pick(#41319): fix(loader): support other node versions
  • d4724a9 cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image
  • 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
  • a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
  • Additional commits viewable in compare view

Updates react from 19.2.4 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

Changelog

Sourced from react's changelog.

19.2.7 (June 1, 2026)

React Server Components

19.2.6 (May 6, 2026)

React Server Components

19.2.5 (March 18, 2026)

React Server Components

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.


Updates @types/react from 19.2.14 to 19.2.17

Commits

Updates react-dom from 19.2.4 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

Changelog

Sourced from react-dom's changelog.

19.2.7 (June 1, 2026)

React Server Components

19.2.6 (May 6, 2026)

React Server Components

19.2.5 (March 18, 2026)

React Server Components

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.


Updates ws from 8.19.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • Additional commits viewable in compare view

Updates @playwright/test from 1.58.2 to 1.61.1

Release notes

Sourced from @​playwright/test's releases.

v1.61.1

Bug Fixes

  • #41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
  • #41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
  • #41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
  • #41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
  • #41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

Browser and Screencast

... (truncated)

Commits
  • 39e3553 cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...
  • 4328122 chore: mark v1.61.1 (#41404)
  • 2c29a94 fix(tracing): stop recording websocket frames outside of chunks (#41398)
  • 4324b19 cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend
  • 041e7e3 cherry-pick(#41364): fix(har): WebSocket message timestamps should be in mi...
  • b8a0fc3 cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...
  • b5a3175 cherry-pick(#41319): fix(loader): support other node versions
  • d4724a9 cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image
  • 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
  • a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
  • Additional commits viewable in compare view

Updates @tailwindcss/postcss from 4.1.18 to 4.3.2

Release notes

Sourced from @​tailwindcss/postcss's releases.

v4.3.2

Fixed

  • Support bare spacing values for auto-rows-* and auto-cols-* utilities (e.g. auto-rows-12 and auto-cols-16) (#20229)
  • Prevent @tailwindcss/cli in --watch mode from crashing on Windows when @source points to a directory that doesn't exist (#20242)
  • Prevent @tailwindcss/vite from crashing in Deno v2.8.x when context.parentURL is not a valid URL (#20245)
  • Ensure @tailwindcss/cli in --watch mode rebuilds when the input CSS file changes in an ignored directory (#20246)
  • Allow @variant rules used in addBase(…) to use custom variants defined later (#20247)
  • Prevent @tailwindcss/vite from crashing during HMR when scanned files or directories are deleted (#20259)
  • Generate font-size instead of color declarations for text-[--spacing(…)] (#20260)
  • Prevent @source patterns from scanning unrelated sibling files and folders (#20263)
  • Extract class candidates adjacent to Template Toolkit delimiters like %]…[% in .tt, .tt2, and .tx files (#20269)
  • Extract class candidates from conditional Maud syntax like p.text-black[condition] (#20269)
  • Prevent @position-try rules from triggering unknown at-rule warnings when optimizing CSS (#20277)
  • Support class suggestions for named opacity modifiers from --opacity theme values (#20287)
  • Prevent type errors in @tailwindcss/postcss when used with newer PostCSS patch releases (#20289)

v4.3.1

Added

  • Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

  • Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
  • Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
  • Allow @apply to be used with CSS mixins (#19427)
  • Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
  • Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
  • Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
  • Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
  • Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)]px-[calc(1rem+0)]) (#20127)
  • Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px]left-[99999px], not left-24999.75) (#20130)
  • Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
  • Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
  • Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
  • Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
  • Allow @variant to be used inside addBase (#19480)
  • Ensure @source globs with symlinks are preserved (#20203)
  • Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
  • Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
  • Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
  • Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
  • Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
  • Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)]w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
  • Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

  • Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)

... (truncated)

Changelog

Sourced from @​tailwindcss/postcss's changelog.

[4.3.2] - 2026-06-26

Fixed

  • Support bare spacing values for auto-rows-* and auto-cols-* utilities (e.g. auto-rows-12 and auto-cols-16) (#20229)
  • Prevent @tailwindcss/cli in --watch mode from crashing on Windows when @source points to a directory that doesn't exist (#20242)
  • Prevent @tailwindcss/vite from crashing in Deno v2.8.x when context.parentURL is not a valid URL (#20245)
  • Ensure @tailwindcss/cli in --watch mode rebuilds when the input CSS file changes in an ignored directory (#20246)
  • Allow @variant rules used in addBase(…) to use custom variants defined later (#20247)
  • Prevent @tailwindcss/vite from crashing during HMR when scanned files or directories are deleted (#20259)
  • Generate font-size instead of color declarations for text-[--spacing(…)] (#20260)
  • Prevent @source patterns from scanning unrelated sibling files and folders (#20263)
  • Extract class candidates adjacent to Template Toolkit delimiters like %]…[% in .tt, .tt2, and .tx files (#20269)
  • Extract class candidates from conditional Maud syntax like p.text-black[condition] (#20269)
  • Prevent @position-try rules from triggering unknown at-rule warnings when optimizing CSS (#20277)
  • Support class suggestions for named opacity modifiers from --opacity theme values (#20287)
  • Prevent type errors in @tailwindcss/postcss when used with newer PostCSS patch releases (#20289)

[4.3.1] - 2026-06-12

Added

  • Add --silent option to suppress output in @tailwindcss/cli (#20100)

Fixed

  • Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#20028)
  • Canonicalization: don't crash when plugin utilities throw for unsupported values (#20052)
  • Allow @apply to be used with CSS mixins (#19427)
  • Ensure not-* correctly negates @container queries, including style(…) queries (#20059)
  • Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#20080)
  • Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#20103)
  • Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#20027)
  • Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)]px-[calc(1rem+0)]) (#20127)
  • Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px]left-[99999px], not left-24999.75) (#20130)
  • Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
  • Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
  • Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
  • Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
  • Allow @variant to be used inside addBase (#19480)
  • Ensure @source globs with symlinks are preserved (#20203)
  • Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
  • Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
  • Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
  • Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
  • Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
  • Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)]w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
  • Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)

Changed

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/postcss since your current version.


Updates @types/bun from 1.3.11 to 1.3.14

Commits

Updates @types/react from 19.2.14 to 19.2.17

Commits

Updates @vitest/coverage-v8 from 4.0.18 to 4.1.10

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.10

   🐞 Bug Fixes

    View changes on GitHub

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

... (truncated)

Description has been truncated

@dependabot dependabot Bot added dependencies Dependency updates (Dependabot) javascript Pull requests that update javascript code labels Jul 4, 2026
@dependabot
dependabot Bot requested a review from a team as a code owner July 4, 2026 18:14
@dependabot dependabot Bot added dependencies Dependency updates (Dependabot) javascript Pull requests that update javascript code labels Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown

CI Summary

❌ E2E Install

KrasimirKralev added a commit that referenced this pull request Jul 5, 2026
… + review) (#248)

* feat(ci): ClawReview — our own advisory PR bot (policy + duplicates + review)

Clawsweeper-inspired PR bot, owned by us, complementing CodeRabbit:

- Structured advisory review on every PR (opened/reopened/synchronize):
  summary, source/test surface split, severity-ranked findings (P1-P3),
  duplicate detection vs open PRs + linked-issue validation, and a hidden
  <!-- clawreview-verdict:... --> marker for tooling
- Deterministic repo-policy checks (no AI needed): beta-first base-branch
  rule (docs/meta paths may target main), package.json<->bun.lock
  consistency, conventional title, tests-expected heuristic,
  security-sensitive-path flagging, size warning
- Auto area-labels from touched paths (same taxonomy as the issue-triage bot)
- Advisory by design: posts + updates ONE comment (upsert by marker, no spam
  on every push); never closes PRs; never fails the pipeline (exit 0 on any
  error); skips bot-authored PRs
- Security: pull_request_target with the base-repo checkout ONLY — PR code
  is never checked out or executed; the diff is reviewed as data via the API
  (capped at 80k chars); PR title/body/diff are declared untrusted in the
  system prompt
- Same hardening as the triage bot: SHA-pinned actions, job-scoped
  permissions, --prefix scripts SDK install, graceful no-op without
  ANTHROPIC_API_KEY (same pending secret)

Dry-run validated against real PRs: #243 (bot-skip fires), #238 (meta->main
passes base policy), #227 (device->beta passes; sensitive-path + tests
checks fire).

* feat(ci): ClawReview review fixes — empirically tuned policy, hardened plumbing

Four-angle /simplify review applied. The big one: replaying the policy
checks against the 40 most recently merged PRs showed 55% would have warned
(the routine release PR collected 5 warnings at once) — warnings tuned to
be rare enough to mean something:

- Release promotions (head beta -> base main) are the sanctioned path to
  main: exempted from feature-PR conventions (was 3/4 of base-check warns)
- Lockfile check is diff-aware: only warns when package.json DEPENDENCY
  sections change — version-only bumps never break --frozen-lockfile
  (6/6 historical warns on the naive check were false)
- 'release' added to the conventional-title types (the repo's own release
  convention was failing its own check)
- Tests-expected check gated to >=10 changed src lines (string-swap PRs
  were the main noise)
- SENSITIVE_RE: config/ narrowed to root-privilege files (was flagging
  every openclaw-target.txt version bump); added real misses (login-api
  route, rate limiters, oauth utils, credentials route, root-update-step.sh,
  launch-browser.sh, recover.sh); rendered as an ℹ️ note, not ⚠️, so
  warnings keep meaning

Plumbing (config + simplification reviews):
- upsertComment author-checked (a user comment starting with our marker
  can't be PATCH-overwritten) and single-page (bot comments early)
- --paginate + per-page '-q [...]' arrays would crash JSON.parse on
  >100-item PRs (we've had a 1,028-file PR) — files now fetched as JSONL
- drafts skipped (reviewed at ready_for_review; type added)
- bot-skip moved before the expensive gathering; dead 'dependabot' arm
  dropped; dead fetched fields trimmed; labels applied in one batched
  pr edit; duplicate render gated on likely && of
- reciprocal keep-in-sync comments at the two cross-bot drift points
  (area taxonomy, SDK version pin)

Re-validated by dry-run: #217 release promotion 5 warns -> 0 (1 pass +
1 info), #238 meta->main all-pass, #227 device->beta all-pass.

* feat(ci): give ClawReview its crab voice 🦀

Playful frame, rigorous content: greeting, verdict badge, clean-bill line,
and sign-off carry the persona (Shipshape — claws up / Needs a molt /
Walking sideways / This shell looks occupied); policy checks and findings
stay strictly factual so a P1 never drowns in puns. Lines are picked
deterministically by PR number, keeping the upserted comment's voice stable
across pushes. The model's summary gets at most one marine flourish by
prompt; finding titles/details are instructed pun-free.

* feat(ci): optional ClawReview GitHub App identity (clawreview[bot] + crab avatar)

Both bots (pr-review + issue-triage) mint an installation token via
actions/create-github-app-token when the CLAWREVIEW_APP_ID +
CLAWREVIEW_APP_PRIVATE_KEY secrets exist — comments and labels then post as
clawreview[bot] with the App's avatar (and get the App's own rate limits).
Without the secrets the step skips and everything falls back to
github-actions[bot]; the bots work either way. Comment-upsert author check
accepts both identities so the switch-over edits the same comment.

* feat(ci): OAuth subscription transport + CodeRabbit fixes

Both bots now prefer the Claude Code CLI (claude -p, authed by
CLAUDE_CODE_OAUTH_TOKEN) — the official Pro/Max subscription path, same
runtime as claude-code-action and the team's crons — falling back to the
Anthropic SDK when only ANTHROPIC_API_KEY is set, and no-op without either.

- review()/main() split into reviewViaClaudeCli + reviewViaSdk (pr-review)
  and classifyViaClaudeCli + classifyViaSdk (issue-triage); selected by
  CLAUDE_CODE_OAUTH_TOKEN presence at runtime
- parseModelJson tolerates fenced/wrapped CLI output (json wrapper ->
  .result -> object); the SDK path keeps schema-enforced output
- workflows install the backend the available secret needs (CLI when OAuth,
  SDK otherwise), both pinned; token passed to the run step
- REVIEW_ONLY env prints the composed comment without posting, for local
  end-to-end testing of either transport

CodeRabbit (#248):
- top-level permissions: {} so the default token grant is empty (only the
  job's explicit scopes apply)
- bun.lock check: dependency-entry match now requires a version-spec-shaped
  value (^/~/digit/npm:/workspace:/git/url), so edits to scripts/name/etc.
  no longer misfire the 'dependencies changed' warning

Validated end-to-end via the OAuth CLI transport against PR #227: correct
verdict, crab voice, and a genuine P3 finding in gateway-pre-start.sh.
…4 updates

Bumps the minor-and-patch group with 14 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@novnc/novnc](https://github.com/novnc/noVNC) | `1.6.0` | `1.7.0` |
| [next](https://github.com/vercel/next.js) | `16.1.6` | `16.2.10` |
| [playwright](https://github.com/microsoft/playwright) | `1.58.2` | `1.61.1` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.7` |
| [ws](https://github.com/websockets/ws) | `8.19.0` | `8.21.0` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.58.2` | `1.61.1` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.1.18` | `4.3.2` |
| [@types/bun](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/bun) | `1.3.11` | `1.3.14` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.10` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.1.6` | `16.2.10` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.1.18` | `4.3.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.10` |



Updates `@novnc/novnc` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/novnc/noVNC/releases)
- [Commits](novnc/noVNC@v1.6.0...v1.7.0)

Updates `next` from 16.1.6 to 16.2.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Commits](vercel/next.js@v16.1.6...v16.2.10)

Updates `playwright` from 1.58.2 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.58.2...v1.61.1)

Updates `react` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `ws` from 8.19.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.0)

Updates `@playwright/test` from 1.58.2 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.58.2...v1.61.1)

Updates `@tailwindcss/postcss` from 4.1.18 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/@tailwindcss-postcss)

Updates `@types/bun` from 1.3.11 to 1.3.14
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/bun)

Updates `@types/react` from 19.2.14 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.10
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/coverage-v8)

Updates `eslint-config-next` from 16.1.6 to 16.2.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.10/packages/eslint-config-next)

Updates `tailwindcss` from 4.1.18 to 4.3.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.10
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/vitest)

---
updated-dependencies:
- dependency-name: "@novnc/novnc"
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/bun"
  dependency-version: 1.3.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: eslint-config-next
  dependency-version: 16.2.10
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: next
  dependency-version: 16.2.10
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: playwright
  dependency-version: 1.61.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump the minor-and-patch group with 14 updates chore(deps): bump the minor-and-patch group across 1 directory with 14 updates Jul 11, 2026
@dependabot
dependabot Bot force-pushed the dependabot/bun/beta/minor-and-patch-245e0e5e9c branch from cd8c07e to bc01f62 Compare July 11, 2026 11:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency updates (Dependabot) javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants