chore(deps): bump the minor-and-patch group across 1 directory with 14 updates#243
Open
dependabot[bot] wants to merge 1 commit into
Open
chore(deps): bump the minor-and-patch group across 1 directory with 14 updates#243dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
CI Summary❌ E2E Install
|
KrasimirKralev
added a commit
that referenced
this pull request
Jul 5, 2026
… + review) (#248) * feat(ci): ClawReview — our own advisory PR bot (policy + duplicates + review) Clawsweeper-inspired PR bot, owned by us, complementing CodeRabbit: - Structured advisory review on every PR (opened/reopened/synchronize): summary, source/test surface split, severity-ranked findings (P1-P3), duplicate detection vs open PRs + linked-issue validation, and a hidden <!-- clawreview-verdict:... --> marker for tooling - Deterministic repo-policy checks (no AI needed): beta-first base-branch rule (docs/meta paths may target main), package.json<->bun.lock consistency, conventional title, tests-expected heuristic, security-sensitive-path flagging, size warning - Auto area-labels from touched paths (same taxonomy as the issue-triage bot) - Advisory by design: posts + updates ONE comment (upsert by marker, no spam on every push); never closes PRs; never fails the pipeline (exit 0 on any error); skips bot-authored PRs - Security: pull_request_target with the base-repo checkout ONLY — PR code is never checked out or executed; the diff is reviewed as data via the API (capped at 80k chars); PR title/body/diff are declared untrusted in the system prompt - Same hardening as the triage bot: SHA-pinned actions, job-scoped permissions, --prefix scripts SDK install, graceful no-op without ANTHROPIC_API_KEY (same pending secret) Dry-run validated against real PRs: #243 (bot-skip fires), #238 (meta->main passes base policy), #227 (device->beta passes; sensitive-path + tests checks fire). * feat(ci): ClawReview review fixes — empirically tuned policy, hardened plumbing Four-angle /simplify review applied. The big one: replaying the policy checks against the 40 most recently merged PRs showed 55% would have warned (the routine release PR collected 5 warnings at once) — warnings tuned to be rare enough to mean something: - Release promotions (head beta -> base main) are the sanctioned path to main: exempted from feature-PR conventions (was 3/4 of base-check warns) - Lockfile check is diff-aware: only warns when package.json DEPENDENCY sections change — version-only bumps never break --frozen-lockfile (6/6 historical warns on the naive check were false) - 'release' added to the conventional-title types (the repo's own release convention was failing its own check) - Tests-expected check gated to >=10 changed src lines (string-swap PRs were the main noise) - SENSITIVE_RE: config/ narrowed to root-privilege files (was flagging every openclaw-target.txt version bump); added real misses (login-api route, rate limiters, oauth utils, credentials route, root-update-step.sh, launch-browser.sh, recover.sh); rendered as an ℹ️ note, not⚠️ , so warnings keep meaning Plumbing (config + simplification reviews): - upsertComment author-checked (a user comment starting with our marker can't be PATCH-overwritten) and single-page (bot comments early) - --paginate + per-page '-q [...]' arrays would crash JSON.parse on >100-item PRs (we've had a 1,028-file PR) — files now fetched as JSONL - drafts skipped (reviewed at ready_for_review; type added) - bot-skip moved before the expensive gathering; dead 'dependabot' arm dropped; dead fetched fields trimmed; labels applied in one batched pr edit; duplicate render gated on likely && of - reciprocal keep-in-sync comments at the two cross-bot drift points (area taxonomy, SDK version pin) Re-validated by dry-run: #217 release promotion 5 warns -> 0 (1 pass + 1 info), #238 meta->main all-pass, #227 device->beta all-pass. * feat(ci): give ClawReview its crab voice 🦀 Playful frame, rigorous content: greeting, verdict badge, clean-bill line, and sign-off carry the persona (Shipshape — claws up / Needs a molt / Walking sideways / This shell looks occupied); policy checks and findings stay strictly factual so a P1 never drowns in puns. Lines are picked deterministically by PR number, keeping the upserted comment's voice stable across pushes. The model's summary gets at most one marine flourish by prompt; finding titles/details are instructed pun-free. * feat(ci): optional ClawReview GitHub App identity (clawreview[bot] + crab avatar) Both bots (pr-review + issue-triage) mint an installation token via actions/create-github-app-token when the CLAWREVIEW_APP_ID + CLAWREVIEW_APP_PRIVATE_KEY secrets exist — comments and labels then post as clawreview[bot] with the App's avatar (and get the App's own rate limits). Without the secrets the step skips and everything falls back to github-actions[bot]; the bots work either way. Comment-upsert author check accepts both identities so the switch-over edits the same comment. * feat(ci): OAuth subscription transport + CodeRabbit fixes Both bots now prefer the Claude Code CLI (claude -p, authed by CLAUDE_CODE_OAUTH_TOKEN) — the official Pro/Max subscription path, same runtime as claude-code-action and the team's crons — falling back to the Anthropic SDK when only ANTHROPIC_API_KEY is set, and no-op without either. - review()/main() split into reviewViaClaudeCli + reviewViaSdk (pr-review) and classifyViaClaudeCli + classifyViaSdk (issue-triage); selected by CLAUDE_CODE_OAUTH_TOKEN presence at runtime - parseModelJson tolerates fenced/wrapped CLI output (json wrapper -> .result -> object); the SDK path keeps schema-enforced output - workflows install the backend the available secret needs (CLI when OAuth, SDK otherwise), both pinned; token passed to the run step - REVIEW_ONLY env prints the composed comment without posting, for local end-to-end testing of either transport CodeRabbit (#248): - top-level permissions: {} so the default token grant is empty (only the job's explicit scopes apply) - bun.lock check: dependency-entry match now requires a version-spec-shaped value (^/~/digit/npm:/workspace:/git/url), so edits to scripts/name/etc. no longer misfire the 'dependencies changed' warning Validated end-to-end via the OAuth CLI transport against PR #227: correct verdict, crab voice, and a genuine P3 finding in gateway-pre-start.sh.
…4 updates Bumps the minor-and-patch group with 14 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@novnc/novnc](https://github.com/novnc/noVNC) | `1.6.0` | `1.7.0` | | [next](https://github.com/vercel/next.js) | `16.1.6` | `16.2.10` | | [playwright](https://github.com/microsoft/playwright) | `1.58.2` | `1.61.1` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.7` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.7` | | [ws](https://github.com/websockets/ws) | `8.19.0` | `8.21.0` | | [@playwright/test](https://github.com/microsoft/playwright) | `1.58.2` | `1.61.1` | | [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.1.18` | `4.3.2` | | [@types/bun](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/bun) | `1.3.11` | `1.3.14` | | [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.10` | | [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.1.6` | `16.2.10` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.1.18` | `4.3.2` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.10` | Updates `@novnc/novnc` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/novnc/noVNC/releases) - [Commits](novnc/noVNC@v1.6.0...v1.7.0) Updates `next` from 16.1.6 to 16.2.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](vercel/next.js@v16.1.6...v16.2.10) Updates `playwright` from 1.58.2 to 1.61.1 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.58.2...v1.61.1) Updates `react` from 19.2.4 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.2.4 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom) Updates `ws` from 8.19.0 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.19.0...8.21.0) Updates `@playwright/test` from 1.58.2 to 1.61.1 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.58.2...v1.61.1) Updates `@tailwindcss/postcss` from 4.1.18 to 4.3.2 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/@tailwindcss-postcss) Updates `@types/bun` from 1.3.11 to 1.3.14 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/bun) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.10 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/coverage-v8) Updates `eslint-config-next` from 16.1.6 to 16.2.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](https://github.com/vercel/next.js/commits/v16.2.10/packages/eslint-config-next) Updates `tailwindcss` from 4.1.18 to 4.3.2 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/tailwindcss) Updates `vitest` from 4.0.18 to 4.1.10 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/vitest) --- updated-dependencies: - dependency-name: "@novnc/novnc" dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@playwright/test" dependency-version: 1.61.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@tailwindcss/postcss" dependency-version: 4.3.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@types/bun" dependency-version: 1.3.14 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: eslint-config-next dependency-version: 16.2.10 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: next dependency-version: 16.2.10 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: playwright dependency-version: 1.61.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: react dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: react-dom dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: tailwindcss dependency-version: 4.3.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: vitest dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: ws dependency-version: 8.21.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/bun/beta/minor-and-patch-245e0e5e9c
branch
from
July 11, 2026 11:44
cd8c07e to
bc01f62
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the minor-and-patch group with 14 updates in the / directory:
1.6.01.7.016.1.616.2.101.58.21.61.119.2.419.2.719.2.1419.2.1719.2.419.2.78.19.08.21.01.58.21.61.14.1.184.3.21.3.111.3.144.0.184.1.1016.1.616.2.104.1.184.3.24.0.184.1.10Updates
@novnc/novncfrom 1.6.0 to 1.7.0Release notes
Sourced from @novnc/novnc's releases.
Commits
63107bdnoVNC 1.7.018cabdfUpdate generated json files85ae81anoVNC 1.7.0 beta7a96227Remove show_dot from docs/EMBEDDING.md43266f4Remove showDotCursor from docs/API.md4ccc3b4Use Node version 24 when publishing to npmjs8f3555bPublish with latest npm version7808f57Stop using access tokens when publishing to npmjs603d63fAllow publishing to npmjs.com with OIDC5ac7bd2Update Swedish translationMaintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@novnc/novncsince your current version.Updates
nextfrom 16.1.6 to 16.2.10Release notes
Sourced from next's releases.
... (truncated)
Commits
9dadfd6v16.2.10534d9c1[16.2.x] Release pipeline updates (#95160)98941fcbackport: docs fixes 16.2.x (#94935)6e1a94d[16.2.x][ci]: fix release script to not strip newlines (#94640)f37fad9v16.2.9d9aaaed[cd] Allow tagging semver-lower releases as@latestif@latestpo… (#94627)6f16804v16.2.80dbc1d5[16.2.x][cd] Ensure release can be triggered on old branches (#94598)90e3c81[16.2.x] Align Actions dependencies with Canary (#94339)83f402c[16.2.x][cd] Stop fetching all tags when searching parent tag (#94334)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.
Updates
playwrightfrom 1.58.2 to 1.61.1Release notes
Sourced from playwright's releases.
... (truncated)
Commits
39e3553cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...4328122chore: mark v1.61.1 (#41404)2c29a94fix(tracing): stop recording websocket frames outside of chunks (#41398)4324b19cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend041e7e3cherry-pick(#41364): fix(har):WebSocketmessage timestamps should be in mi...b8a0fc3cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...b5a3175cherry-pick(#41319): fix(loader): support other node versionsd4724a9cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image1cc5a90cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...a6772bdcherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...Updates
reactfrom 19.2.4 to 19.2.7Release notes
Sourced from react's releases.
Changelog
Sourced from react's changelog.
Commits
6117d7cVersion 19.2.7 (#36591)eaf3e95Version 19.2.623f4f9f19.2.5Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.
Updates
@types/reactfrom 19.2.14 to 19.2.17Commits
Updates
react-domfrom 19.2.4 to 19.2.7Release notes
Sourced from react-dom's releases.
Changelog
Sourced from react-dom's changelog.
Commits
6117d7cVersion 19.2.7 (#36591)eaf3e95Version 19.2.623f4f9f19.2.5Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.
Updates
wsfrom 8.19.0 to 8.21.0Release notes
Sourced from ws's releases.
... (truncated)
Commits
bca91ad[dist] 8.21.02b2abd4[security] Limit retained message parts78eabe2[security] Add latest vulnerability to SECURITY.md5d9b316[dist] 8.20.1c0327ec[security] Fix uninitialized memory disclosure inwebsocket.close()ce2a3d6[ci] Test on node 2658e45b8[ci] Do not test on node 255f26c24[ci] Run the lint step on node 248439255[dist] 8.20.0d3503c1[minor] Export thePerMessageDeflateclass and header utilsUpdates
@playwright/testfrom 1.58.2 to 1.61.1Release notes
Sourced from @playwright/test's releases.
... (truncated)
Commits
39e3553cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...4328122chore: mark v1.61.1 (#41404)2c29a94fix(tracing): stop recording websocket frames outside of chunks (#41398)4324b19cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend041e7e3cherry-pick(#41364): fix(har):WebSocketmessage timestamps should be in mi...b8a0fc3cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...b5a3175cherry-pick(#41319): fix(loader): support other node versionsd4724a9cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image1cc5a90cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...a6772bdcherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...Updates
@tailwindcss/postcssfrom 4.1.18 to 4.3.2Release notes
Sourced from @tailwindcss/postcss's releases.
... (truncated)
Changelog
Sourced from @tailwindcss/postcss's changelog.
... (truncated)
Commits
056a1554.3.2 (#20281)8a14a714.3.1 (#20226)522288cServe ESM type declarations to ESM importers of@tailwindcss/postcss(#20228)8dcdb66Bump dependencies (#20095)588bd734.3.0 (#20023)12eb5aeCleanup noisy test output (#20015)4255671Improve snapshot tests (#20013)52f94c7Improve codebase quality (#19999)d194d4cdocs: fix various typos in comments and documentation (#19878)bfb5732Fall back to the pluginbasewhen PostCSS has nofromoption (#19980)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@tailwindcss/postcsssince your current version.Updates
@types/bunfrom 1.3.11 to 1.3.14Commits
Updates
@types/reactfrom 19.2.14 to 19.2.17Commits
Updates
@vitest/coverage-v8from 4.0.18 to 4.1.10Release notes
Sourced from @vitest/coverage-v8's releases.
... (truncated)
Description has been truncated