feat!: upgrade WordPress packages to latest#233
Conversation
Bumps all @wordpress/* packages to latest within eslint 8 compatibility: - @wordpress/components 30 → 33 (major) - @wordpress/icons 11 → 13 (major) - @wordpress/base-styles 6 → 7 (major) - @wordpress/scripts 30 → 31 (major; capped — v32 requires eslint 10) - All other @wordpress/* packages bumped to latest minor Also includes safe minor/patch updates for misc dependencies (@commitlint/cli, @testing-library/*, @types/*, autoprefixer, lint-staged, postcss, qs, semantic-release, etc.). Adds groups config to .github/dependabot.yml so future minor/patch updates land as ~6 batched PRs by ecosystem instead of one PR per package. Majors stay ungrouped for individual review. @wordpress/eslint-plugin held at v22 because v25 requires eslint 9+, which is a separate migration (legacy .eslintrc → flat config). BREAKING CHANGE: WordPress package majors bring transitive API changes that consumers will receive. Notable risks for downstream repos: @wordpress/scripts 31 may surface new lint rules and changes in jest/babel/webpack defaults; @wordpress/base-styles 7 has SCSS API changes (renamed variables, removed mixins). Consumers should test their build, lint, and test pipelines before upgrading. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates newspack-scripts’s dependency set to newer WordPress/Gutenberg toolchain versions (while staying within eslint@8 constraints) and reduces Dependabot PR churn by batching minor/patch updates into ecosystem-based groups.
Changes:
- Bump
@wordpress/*packages (notably@wordpress/components,@wordpress/icons,@wordpress/base-styles,@wordpress/scripts) and apply a set of minor/patch upgrades for related tooling dependencies. - Add Dependabot
groupsconfiguration to batch minor/patch dependency updates by ecosystem (WordPress, ESLint, testing, release tooling, etc.).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates WordPress and tooling dependency versions (including @wordpress/scripts cap aligned to eslint@8). |
| .github/dependabot.yml | Adds grouped update rules to reduce Dependabot PR volume by batching minor/patch updates. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Bumps the direct dependency from ^22.22.0 to ^24.5.0 to match the version pinned by @wordpress/scripts@31.8.0. This resolves a duplication where both v22 (root) and v24 (nested under wp-scripts) were installed, making it ambiguous which rules applied to consumers of config/eslintrc.js. v24.5.0 still supports eslint 8 (peer eslint: ">=8"), so this stays within the original eslint 8 compatibility envelope. Addresses Copilot review feedback on PR #233. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates newspack-scripts’ npm dependency set—primarily bumping @wordpress/* packages while keeping compatibility with eslint@8—and adjusts Dependabot configuration to reduce update PR noise by batching minor/patch bumps.
Changes:
- Bumped
@wordpress/*dependencies (including@wordpress/components,@wordpress/icons,@wordpress/base-styles, and@wordpress/scripts) and refreshed several related tooling deps. - Updated various JS tooling dependencies (eslint/jest/lint-staged/postcss/types, etc.) to newer minor/patch releases.
- Added Dependabot
groupsrules to batch minor/patch updates by ecosystem.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates WordPress/tooling dependency versions (eslint@8-compatible) used by newspack-scripts. |
| .github/dependabot.yml | Adds grouped-update configuration to reduce Dependabot PR volume for minor/patch bumps. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Upgrades this repo’s WordPress/Gutenberg toolchain dependencies to newer @wordpress/* versions that remain compatible with eslint@8, and tunes Dependabot configuration to reduce dependency update PR noise.
Changes:
- Bump
@wordpress/*packages (notablycomponents,icons,base-styles,scripts) plus several related lint/test tooling dependencies. - Add Dependabot
groupsconfiguration to batch minor/patch npm updates by ecosystem.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates @wordpress/* and other tooling dependency versions (eslint 8–compatible). |
| .github/dependabot.yml | Adds grouped-update rules to reduce Dependabot PR volume. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Now that .github/dependabot.yml groups minor/patch updates into larger PRs, a single grouped PR can bundle many package updates at once. Auto-merging at the minor tier would increase blast radius for PRs that previously contained one package each. Limits auto-merge to patch updates only. Grouped minor-update PRs will require manual review before merge. Addresses Copilot review feedback on PR #233. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates this repo’s WordPress/Gutenberg-related toolchain and Dependabot automation to reduce dependency PR noise while keeping within eslint@8 compatibility constraints.
Changes:
- Bump
@wordpress/*packages (plus related tooling deps) to newer versions compatible witheslint@8. - Add Dependabot
groupsto batch minor/patch updates by ecosystem. - Restrict Dependabot auto-merge workflow from
minor→patchonly to reduce auto-merge blast radius.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates @wordpress/* and other dependency versions used by consumers and CI tooling. |
| .github/workflows/auto-merge.yml | Limits auto-merge to patch-only Dependabot PRs to mitigate grouped-update risk. |
| .github/dependabot.yml | Adds grouped update configuration to batch PRs by ecosystem. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Two related package.json hygiene fixes: 1. Bumps @commitlint/config-conventional ^19.8.1 → ^20.5.3 to match @commitlint/cli@^20. Resolves a duplication where @commitlint/types was installed twice (v19 nested under config-conventional, v20 at root from cli). The misalignment predated this PR; aligning here while we're already touching deps. 2. Adds engines.node ">=18.12.0" so consumers get an early, clear failure on unsupported Node versions instead of cryptic runtime errors. Matches the strictest @wordpress/* engines requirement. Addresses Copilot review feedback on PR #233. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates this repo’s JS toolchain dependencies—primarily @wordpress/* packages—while keeping compatibility with eslint@8, and adjusts Dependabot/auto-merge settings to reduce PR noise without increasing unattended merge risk.
Changes:
- Bump
@wordpress/*dependencies (including@wordpress/scripts@31) and other supporting tooling to newer minor/patch releases. - Add
engines.node >=18.12.0to fail fast on unsupported Node versions. - Group Dependabot minor/patch updates by ecosystem and restrict the auto-merge workflow to patch updates only.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates WordPress/tooling dependencies and adds a Node engine floor. |
| .github/workflows/auto-merge.yml | Restricts Dependabot auto-merge to patch updates to reduce grouped-PR blast radius. |
| .github/dependabot.yml | Adds grouping rules so Dependabot batches minor/patch updates into fewer PRs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
actions/checkout@v2 runs on the deprecated Node 16 runtime, which GitHub Actions has been phasing out and may cause silent workflow failures. Addresses Copilot review feedback on PR #233. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates newspack-scripts’s dependency set—primarily @wordpress/*—to the latest versions that remain compatible with eslint@8, while also adjusting Dependabot + auto-merge policy to reduce PR noise without increasing auto-merge blast radius.
Changes:
- Bumped
@wordpress/*packages (and a handful of related tooling deps) to newer minor/major versions within the stated eslint compatibility constraints. - Added
engines.node >=18.12.0to surface an early, clear install-time failure on unsupported Node versions. - Grouped Dependabot npm updates by ecosystem and tightened the Dependabot auto-merge workflow to patch-only.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
package.json |
Updates dependency versions and adds a Node engine floor to match updated tooling requirements. |
.github/workflows/auto-merge.yml |
Restricts Dependabot auto-merge to patch updates and updates actions/checkout to v4. |
.github/dependabot.yml |
Introduces grouped update rules so minor/patch updates arrive in a smaller number of batched PRs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…lication Surgical revert of @wordpress/* packages that don't directly serve the goal of "components and icons at latest", to avoid downstream dep tree shape regressions. Kept at latest: - @wordpress/components ^33.0.0 (priority) - @wordpress/icons ^13.0.0 (priority) - @wordpress/base-styles ^7.0.0 (verified safe in newspack-theme) - @wordpress/scripts ^31.8.0 (build tooling) - @wordpress/eslint-plugin ^24.5.0 (aligned with scripts 31) Tightened to patch-only ranges to prevent cmdk/@radix-ui chain: - @wordpress/block-editor ~15.6.0 - @wordpress/blocks ~15.6.0 - @wordpress/edit-post ~8.33.0 Reverted to original ranges (cosmetic — components 33 forces these higher transitively anyway): - @wordpress/a11y, api-fetch, browserslist-config, compose, data, date, dom-ready, element, escape-html, hooks, html-entities, i18n, keycodes, plugins, prettier-config, stylelint-config, url Why: @wordpress/block-editor 15.18.0 brings @wordpress/commands@1.45 → cmdk@1.1.1 → @radix-ui/* requiring React 19. Combined with @wordpress/element's React ^18.3.0 dep declaration, this caused React duplication in consumer trees that pulled both — breaking hooks at runtime. Pinning block-editor at ~15.6.0 avoids the chain. Verified across 15 downstream Newspack repos: 12 fully clean, 3 with documented consumer-migration tasks (eslint-plugin v24 stricter JSDoc rules; one JSDOM test pattern in popups). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Upgrades the project’s WordPress-related npm dependencies and supporting tooling, while adjusting Dependabot configuration to reduce PR noise and limit auto-merges.
Changes:
- Bumped key
@wordpress/*packages (components,icons,base-styles,scripts) and aligned lint/tooling dependencies. - Added
engines.nodeto enforce a minimum Node version during install. - Added Dependabot grouping rules and tightened the Dependabot auto-merge workflow to patch-only.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates WordPress/tooling dependency versions and adds a Node engines floor. |
| .github/workflows/auto-merge.yml | Restricts Dependabot auto-merge to patch updates and updates actions/checkout to v4. |
| .github/dependabot.yml | Adds grouping rules to bundle minor/patch updates by dependency “ecosystem”. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Closing this. The architectural questions surfaced here belong in #234 rather than this PR — getting input from the team on the broader audit before continuing with incremental upgrade attempts. The branch has been deleted; the commits remain referenced from the issue and can be revisited if useful. |
All Submissions:
Changes proposed in this Pull Request:
Surgical upgrade of the WordPress dependency set, focused on the packages that consumers actively import (
@wordpress/components,@wordpress/icons,@wordpress/base-styles) plus the build/lint tooling chain. Other@wordpress/*packages (block-editor, edit-post, blocks, etc.) are intentionally held at their original ranges to avoid downstream dep-tree-shape regressions — see "Why we held back block-editor" below.Also adds a Dependabot
groups:config to reduce future PR volume and tightens auto-merge to the patch tier so grouped PRs require manual review when they include minor updates.WordPress packages bumped to latest:
@wordpress/components30 → 33@wordpress/icons11 → 13@wordpress/base-styles6 → 7@wordpress/scripts30 → 31 (capped — v32 requireseslint@10)@wordpress/eslint-pluginaligned to^24.5.0(matches@wordpress/scripts@31's pinned version, removing a v22/v24 install-tree duplicate)WordPress packages pinned tighter to avoid the cmdk/@radix-ui React-19 chain:
@wordpress/block-editor~15.6.0@wordpress/blocks~15.6.0@wordpress/edit-post~8.33.0Other
@wordpress/*packages (a11y,api-fetch,compose,data,element, etc.) are declared at their original^X.33.0ranges.@wordpress/components@33transitively forces them to^X.45.0regardless, so the declared ranges are cosmetic; this PR doesn't intentionally bump them.Other cleanup:
@commitlint/config-conventional^19.8.1→^20.5.3to match@commitlint/cli@^20, removing a@commitlint/typesv19/v20 duplicate.engines.node: ">=18.12.0"so consumers on older Node get a clear, earlynpm installfailure instead of cryptic runtime errors.actions/checkout@v2→@v4in.github/workflows/auto-merge.yml(Node 16 runtime is being deprecated by GitHub Actions).This is marked as a breaking change because consumers receive transitive API changes — notably
@wordpress/componentsAPI renames between versions 30/31/32/33,@wordpress/iconsexport changes in v12,@wordpress/base-stylesv7 SCSS API changes, and the newengines.nodefloor.Why we held back block-editor
@wordpress/block-editor@15.18.0(the latest within the original^15.6.0range) brings@wordpress/commands@1.45.0→cmdk@1.1.1→@radix-ui/*packages that require React 19. Meanwhile,@wordpress/element@6.45.0declaresdependencies.react: ^18.3.0(regular dep, not peer). When npm tries to satisfy both in a consumer tree that doesn't pin React explicitly, it puts React 19 at root and keeps React 18 nested inside@wordpress/element. Components and react-dom then load from different React copies, breaking hooks at runtime ("useStatereturns null").This was reproduced in
newspack-plugintesting — without the revert, 78 tests failed and the build broke (@wordpress/dataviews/build-style/style.csscouldn't resolve because dataviews was nested instead of hoisted). Pinning block-editor at~15.6.0keeps the cmdk/Radix chain on its older versions where React resolves cleanly to a single 18.x.This isn't permanent — once consumers' React setup is unified (likely as part of an eslint 9/10 + flat-config migration we've already deferred), block-editor and friends can be bumped in a follow-up PR.
How to test the changes in this Pull Request:
npm install && npm run lint:js— should complete without errors.npm installresolves cleanly (peer-dep warnings aboutreact-autosize-textareawanting react-dom 16 are expected and non-fatal).Downstream test results
15 Newspack repos in
newspack-workspace/repos/were tested against this branch's tarball. 12 are completely clean. 3 have documented consumer-migration tasks (not regressions in this PR's content):newspack-pluginjsdoc/no-undefined-typesflags@returns {JSX.Element}// eslint-disable-next-line jsdoc/no-undefined-typesor import the JSX namespace properly. The stricter rule comes from@wordpress/eslint-pluginv22→v24.newspack-managernewspack-plugin.newspack-popupssetWindowLocationtest usesdelete window.location; window.location = {}@wordpress/scripts@31) blocks this pattern. UseObject.defineProperty(window, 'location', ...)orjest.spyOninstead.All other 12 repos pass
install,lint:js,lint:scss(where present),build, andtest(where present) cleanly. Repos tested: newspack-ads, newspack-block-theme, newspack-blocks, newspack-listings, newspack-manager-client, newspack-multibranded-site, newspack-network, newspack-newsletters, newspack-sponsors, newspack-theme, republication-tracker-tool, super-cool-ad-inserter-plugin.Other information:
npm run lint:jspasses; downstream testing complete — see results above)