deps: periodic dependency update #6099
Routine minor/patch refresh across the workspace, honoring the repo's
Renovate policy: 7-day cooldown (newer releases held back), the
@bytecodealliance/jco <=1.5.0 and @types/node <23 pins, and library
peer-dependency ranges left untouched.
Updated (dev tooling + the @connectrpc/connect runtime patch):
@rollup/wasm-node 4.61.0→4.62.2, turbo 2.9.16→2.9.18,
typescript-eslint 8.57.2→8.61.1, eslint-config-turbo 2.8.20→2.9.18,
@connectrpc/connect{,-node,-web} 2.1.1→2.1.2, next 16.2.6→16.2.9,
svelte 5.55.7→5.56.3, @sveltejs/kit 2.60.1→2.66.0,
@sveltejs/vite-plugin-svelte 7.0.0→7.1.2, react{,-dom} 19.2.4→19.2.7,
react-router 7.16.0→7.18.0, @nestjs/common 11.1.17→11.1.27,
@nuxt/{kit,schema} 4.4.2→4.4.8, astro 6.4.6→6.4.8,
undici-types 7.27.0→7.28.0.
npm audit unchanged from baseline (6 pre-existing, Dependabot's lane).
Leaf packages build, lint, and test clean with the new tooling; the
protocol/analyze rollup-typescript build fails on a pre-existing
workspace type-resolution quirk (identical toolchain versions to main) —
CI is the gate for those.
Co-Authored-By: Claude <noreply@anthropic.com>
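For reference, this is how the Renovate policy the commit message above describes (7-day cooldown, the two version caps, peer-dependency ranges left alone) is expressed in a Renovate config file. It is an added illustration, not the repository's own renovate config, which is not shown on this page; `minimumReleaseAge`, `packageRules`, `matchPackageNames`, `allowedVersions` and `matchDepTypes` are real Renovate options, but the file name, the `extends` preset and the choice to encode the pins as package rules are assumptions.

```json5
// renovate.json5 (constructed example; the real repo config is not on this page)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  // Assumed base preset; the repo's actual preset is unknown.
  "extends": ["config:recommended"],

  // 7-day cooldown: any release published less than 7 days ago is held back,
  // so a just-published (and possibly compromised) version never lands in the
  // next update PR. This is the "newer releases held back" behavior above.
  "minimumReleaseAge": "7 days",

  "packageRules": [
    {
      // Pin: never propose @bytecodealliance/jco newer than 1.5.0.
      "matchPackageNames": ["@bytecodealliance/jco"],
      "allowedVersions": "<=1.5.0"
    },
    {
      // Pin: keep @types/node below the v23 line.
      "matchPackageNames": ["@types/node"],
      "allowedVersions": "<23"
    },
    {
      // Leave library peer-dependency ranges untouched; Renovate will not
      // open PRs that narrow what consumers are allowed to install.
      "matchDepTypes": ["peerDependencies"],
      "enabled": false
    }
  ]
}
```

The cooldown is the supply-chain control here: it buys time for a malicious or yanked release to be noticed before a bot PR pulls it in. The `allowedVersions` caps keep the two packages on their known-good lines without requiring Renovate to be disabled for them entirely, and disabling peer-dependency updates is what keeps the library's compatibility floor where its consumers expect it.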
arcjet-guard has its own lockfile (excluded from the workspace). Routine minor/patch refresh of build tooling, 7-day cooldown respected: rolldown 1.0.3→1.1.2, rolldown-plugin-dts 0.25.2→0.26.0, miniflare 4.20260617.0→4.20260617.1. Runtime dependency ranges (@bufbuild/protobuf, @connectrpc/* at ^2.0.0) left untouched — they already allow the latest, and bumping the floor of a library's runtime range needlessly narrows consumer compatibility. The pinned @typescript/native-preview (tsgo) is left for a deliberate toolchain update. Validated: build, lint, and 267 unit tests pass. Co-Authored-By: Claude <noreply@anthropic.com>
oxfmt 0.53.0→0.55.0 (7-day cooldown; 0.56.0 held back). Reformats two source files (a wrapped line that now fits). Adds CHANGELOG.md to the oxfmt ignorePatterns — it is generated by release-please and should not be reformatted (it was being flagged by format:check before this). Formatting only; no behavior change. build, lint, and 267 unit tests pass; format:check is now clean. Co-Authored-By: Claude <noreply@anthropic.com>
oxlint 1.58.0→1.70.0, oxlint-tsgolint 0.18.1→0.23.0 (7-day cooldown respected; oxlint 1.71.0 held back). oxlint 1.70 newly enforces several pedantic/stylistic rules that were not active under 1.58 (lint was clean before). They produce ~280 detections across the codebase — none are bugs: prefer-readonly-parameter-types (~200), require-unicode-regexp (~25), consistent-return, strict-void-return, no-unnecessary-type-parameters, and no-underscore-dangle (the latter conflicts with the SDK's deliberate _internal naming). Disabled those six rules in .oxlintrc.json with a TODO so the linter bump lands now without 280 inline suppressions. Adopting the rules is a deliberate code change tracked separately (see PR/issue note). lint, build, and 267 unit tests pass. Co-Authored-By: Claude <noreply@anthropic.com>
Arcjet Review — 🟡 Medium Risk
Decision: Approved
Rationale: This PR is a broad periodic dependency update across many package.json files, which triggers dependency-change review. The updates appear to be pinned exact-version patch/minor bumps to established packages, with no new dependencies introduced and no substantive application logic changes beyond formatting. Security review found no hardcoded secrets, auth changes, injection surfaces, cryptography changes, or user-input handling changes. I am approving despite Medium risk because the dependency changes are well-scoped and low-risk individually, but CI/build/test results should still be checked closely.
Summary of Changes
Updates Rollup wasm, framework/dev tooling packages, ConnectRPC packages, Turbo, and arcjet-guard tooling versions; adjusts oxlint/oxfmt config for newly enforced stylistic rules; includes minor formatting-only TypeScript changes.
Escalation Triggers
- Dependency Changes: Multiple package.json files were modified with dependency and devDependency version updates across the monorepo.
Review Focus Areas
- Confirm @connectrpc/connect 2.1.2 is backward-compatible with existing generated clients and server interactions. This is a runtime dependency used for protocol communication, so even patch updates should be verified against integration tests.
- Confirm @connectrpc/connect-node and @connectrpc/connect-web 2.1.2 pass transport integration tests in Node and browser-like environments. Transport behavior changes can affect request/response handling across supported runtimes.
- Verify the disabled oxlint rules are intentional and tracked for follow-up. Disabling newly enforced lint rules may be reasonable for a tooling bump, but should not become permanent without visibility.
Notes
No size-threshold concern identified from the provided diff.
Path filtering: 2 files excluded by ignore paths. 41 of 43 files included in review.
Review: 1802e4ee | Model: openai/gpt-5.5 | Powered by Arcjet Review
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
Regenerate the root npm lockfile after restoring it from main. arcjet-guard/package-lock.json was also restored from main and regenerated from its separate workspace; npm produced no resulting diff there. Co-authored-by: Codex <codex@openai.com>
Skip the optimistic HTTP/2 warmup when running under Deno so background node:http2 session failures are not reported as uncaught test errors. Actual request failures still surface through the request path, and Node keeps the existing preconnect behavior. Co-authored-by: Codex <codex@openai.com>