chore(deps-dev): bump @types/node from 20.19.37 to 26.1.1#57
chore(deps-dev): bump @types/node from 20.19.37 to 26.1.1#57dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.19.37 to 26.1.1. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 26.1.1 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
evaOS review status: completedPR: #57 - chore(deps-dev): bump @types/node from 20.19.37 to 26.1.1 evaOS review completed for this PR head. Automation note: agents should wait for this comment to reach PR URL: #57 Review URL: #57 (review) |
There was a problem hiding this comment.
Walkthrough
PR: #57 - chore(deps-dev): bump @types/node from 20.19.37 to 26.1.1
Head: 6f52082b4ca15166d84eb67ea487c39f5c54a416 into main. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).
Estimated review effort: 1/5 (~14 min)
Changed Files
| File | Status | Churn | Purpose | Risk |
|---|---|---|---|---|
package-lock.json |
modified | +8/-8 | Configuration | Moderate: validated P3 finding |
package.json |
modified | +1/-1 | Configuration | Moderate: validated P2 finding |
Review Signal
Validated inline findings: 2 (P0: 0, P1: 0, P2: 1, P3: 1).
Dropped findings before posting: 0. High-severity findings: 0.
Risk Taxonomy
- CI/build: 1
- Dependency: 1
Validation and Proof
2 required validation/proof recommendation(s) selected from changed files.
- required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
- required: CI/release smoke proof - CI, release, launchd, or package metadata changed. Proof: green GitHub check; release-status; coverage-audit; rollback note.
Proof status: missing - 2 required validation/proof recommendation(s) missing from PR metadata.
Profile validation hints: Call out tool permission widening, prompt injection, and stale context risks.
Profile proof expectations: Look for focused plugin contract or tool-call evidence.
Related Context
Related issues/PRs: none detected from PR metadata.
Suggested labels: none.
Suggested reviewers: none from current metadata.
Review Settings Preview
- Profile: assertive
- Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
- Path instructions: none
- Label suggestions: plugin, agent-safety, backend
- Reviewer suggestions: none
- Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
- Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks
Pre-merge checklist
- Inline comments target current RIGHT-side diff lines.
- No secret-like content survived into posted inline comments.
- REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
- Required behavior proof is present or not applicable.
- Labels and reviewers are suggestions only; the bot did not auto-apply them.
| }, | ||
| "devDependencies": { | ||
| "@types/node": "^20.0.0", | ||
| "@types/node": "^26.1.1", |
There was a problem hiding this comment.
P2: @types/node v26 skews ahead of CI/runtime Node 20
This PR bumps @types/node from 20.19.37 to 26.1.1, but CI (.github/workflows/ci.yml) pins node-version: "20" and package.json declares no engines field. @types/node@26 pulls in undici-types@~8.3.0 (up from ~6.21.0), whose re-exported global fetch/Response/Request/Headers/FormData type signatures can differ. The repo relies heavily on global fetch() (src/index.ts:467,493,511,530,803,1235) and Buffer.from/process.env — all stable across versions, so this PR alone won't break the build. But going forward the types now permit Node 22–26-only APIs that don't exist on the Node 20 host, enabling code that typechecks green yet throws at runtime. Recommend either (a) pinning @types/node to ~20.x to match the declared runtime, or (b) bumping CI node-version to 26 and adding an engines field. Note the caret range ^26.1.1 will also accept future 26.x minors, widening the skew surface over time.
Category: Dependency
Why this matters: Type-definition/runtime skew is a latent footgun: a future contributor can call a Node 24+ API, pass tsc, and ship a plugin that crashes in the customer VMs running Node 20. The fleet ships this plugin into customer agents, so a runtime TypeError from a missing API is a release regression, not just a local annoyance.
| "version": "20.19.37", | ||
| "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.37.tgz", | ||
| "integrity": "sha512-8kzdPJ3FsNsVIurqBs7oodNnCEVbni9yUEkaHbgptDACOPW04jimGagZ51E6+lXUwJjgnBw+hyko/lkFWCldqw==", | ||
| "version": "26.1.1", |
There was a problem hiding this comment.
P3: undici-types major bump 6→8 bundled transitively
The @types/node bump transitively moves undici-types from 6.21.0 to 8.3.0 (a two-major-version jump). undici-types provides the ambient typings for the global fetch family used throughout src/index.ts. With skipLibCheck:true and no source changes in this PR, the typecheck will likely still pass, but the major jump is exactly the kind of change where response-body typing (e.g. res.json()/res.text() return narrowing) or FormData/Headers constructor signatures can shift. The proof gap is that no CI step in this PR demonstrates the typecheck still passes against the new ambient types — the reviewer should confirm the tsc --noEmit job is green before merge.
Category: CI/build
Why this matters: A silent narrowing change in fetch typings could turn currently-passing strict-mode code into a type error on the next source edit, or let through a body-parsing assumption that breaks at runtime against the Node 20 undici version actually shipped.
Bumps @types/node from 20.19.37 to 26.1.1.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)