Updated dependencies #1502

Merged: carterworks merged 33 commits into main from update-deps on May 8, 2026

@carterworks
Collaborator

Changed Packages

  • core
  • reactor-extension

(Also touches @adobe/alloy browser package, @adobe/alloy-node, and sandboxes/browser.)

Description

Bumps dev and transitive dependencies across the monorepo, then resolves the resulting build/lint/test breakages. Commits are kept small and atomic for easy review (one dependency or coordinated group per commit).

Notable updates:

  • TypeScript 5.9 → 6.0.3 (stricter rootDir enforcement; see fix below).
  • ESLint 9 → 10 + @eslint/js 10 (new rules: preserve-caught-error, no-useless-assignment).
  • Vitest ecosystem → 4.1.5, Playwright → 1.59.1, MSW → 2.14.3.
  • Vite 7 → 8.0.10 in sandboxes/browser, with @vitejs/plugin-react → 6.0.1.
  • Rollup → 4.60.3 (path traversal fix), @rollup/plugin-commonjs → 29.0.2, @rollup/plugin-terser → 1.0.0, rollup-plugin-license → 3.7.1.
  • React-router → 7.15.0 (XSS fix), Puppeteer → 24.43.0, TestCafe → 3.7.4.
  • pnpm overrides added for transitive vulnerabilities in lodash, minimatch (via jshint), underscore, and yaml.

Source/config fixes required by the bumps:

  • packages/browser/jsconfig.json: explicit "rootDir": ".." so paths referring to ../core/src/* keep resolving under TS 6's stricter rootDir checks (TS5011).
  • packages/browser/src/components/PushNotifications/helpers/serviceWorkerPushListener.js: refactor NotificationOptions construction via a Record<string, unknown> with conditional property assignment to satisfy TS 6's narrowing.
  • packages/core/src/core/buildAndValidateConfig.js, validateCommandOptions.js: attach the original error via cause (ESLint 10 preserve-caught-error).
  • packages/core/src/utils/createDecodeKndctrCookie.js: drop a dead assignment caught by no-useless-assignment.

Related Issue

N/A — routine maintenance / vulnerability cleanup.

Motivation and Context

Several dev dependencies had outstanding security advisories (rollup path traversal, react-router XSS, transitive lodash/yaml/underscore/minimatch issues). Pulling everything forward also unblocks Vitest 4 / MSW 2.14 features and gets us off the EOL TypeScript 5 line.

Screenshots (if appropriate):

N/A.

Documentation

N/A — no consumer-facing API change.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (non-breaking change which does not add functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have added a Changeset file with a consumer-facing description of my changes. (Not needed — dev-only dependency bumps with no consumer impact.)
  • I have signed the Adobe Open Source CLA or I'm an Adobe employee.
  • I have made any necessary test changes and all tests pass. (pnpm test: 2671 passed, 5 skipped, 0 failed; pnpm build succeeds across all packages.)
  • I have run the Sandbox successfully.

Note

Stacked on top of #1501 (test fixture fix needed for the suite to pass). Once that merges, this PR's base will retarget to main.

🤖 Generated with Claude Code

carterworks and others added 30 commits May 8, 2026 12:41
The shared setConsentHandler had two issues that caused
queueTimeMillis.spec.js's "reflects time waiting for consent" test
to time out:

- Its URL regex required a literal /ee/v1/, so once a prior test in
  the same file populated the kndctr cluster cookie, the location-
  hint segment broke matching. Allow an optional segment between
  /ee/ and /v1/, matching the working handler in consent_gate.spec.js.
- It returned an empty handle array, so alloy never received a
  state:store directive to set the consent cookie. The Consent
  component reads consent state from the cookie after the request
  resolves, leaving queued events suspended forever. Return a
  state:store payload that sets general=in.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
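
The two failure modes this commit message describes, as an added example that is not part of the commit or the repository's test code: a mock route whose pattern requires a literal /ee/v1/ misses requests carrying a location-hint segment, and an empty handle array leaves consent unresolved. The patterns, URLs, org id, cookie key format, maxAge and function names are constructed assumptions.

```javascript
// Strict pattern: matches only when /v1/ directly follows /ee/.
const STRICT_SET_CONSENT = /\/ee\/v1\/privacy\/set-consent/;
// Relaxed pattern: allows exactly one optional path segment (the location
// hint) between /ee/ and /v1/, and nothing wider than that.
const RELAXED_SET_CONSENT = /\/ee\/(?:[^/]+\/)?v1\/privacy\/set-consent/;

// Constructed request URLs; "or2" stands in for a location hint.
const URL_NO_HINT =
  "https://edge.example.test/ee/v1/privacy/set-consent?configId=demo";
const URL_WITH_HINT =
  "https://edge.example.test/ee/or2/v1/privacy/set-consent?configId=demo";

// Hypothetical mock handler. Returns null when the route does not match,
// which in a test means the request is never answered by this mock.
function mockSetConsent(pattern, url, orgId) {
  if (!pattern.test(url)) return null;
  return {
    requestId: "constructed-request-id",
    handle: [
      {
        type: "state:store",
        // Assumed cookie key format and lifetime, for illustration only.
        payload: [
          { key: `kndctr_${orgId}_consent`, value: "general=in", maxAge: 15552000 },
        ],
      },
    ],
  };
}

// Derives consent from the state:store directive, mirroring the commit
// message: no directive means no cookie, so consent stays pending.
function consentFromResponse(body) {
  if (!body) return "unmatched";
  const directive = body.handle.find((h) => h.type === "state:store");
  if (!directive) return "pending";
  const entry = directive.payload.find((p) => p.key.endsWith("_consent"));
  return entry ? entry.value : "pending";
}

const ORG = "EXAMPLEORG_AdobeOrg"; // constructed org id
for (const [name, re] of [["strict", STRICT_SET_CONSENT], ["relaxed", RELAXED_SET_CONSENT]]) {
  for (const url of [URL_NO_HINT, URL_WITH_HINT]) {
    console.log(name, url, "->", consentFromResponse(mockSetConsent(re, url, ORG)));
  }
}
```
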
Fix new lint errors from preserve-caught-error and no-useless-assignment
rules introduced in eslint v10.
carterworks and others added 2 commits May 8, 2026 12:42
Override lodash, minimatch (in jshint), underscore, and yaml to
patched versions to address GHSA advisories from deep transitive deps.
- Set rootDir to ".." in browser jsconfig.json so cross-package
  paths (../core/src/*) resolve under TS 6's stricter rootDir checks.
- Refactor serviceWorkerPushListener.js to build NotificationOptions
  via a typed Record with conditional property assignment, satisfying
  the stricter exactOptionalPropertyTypes-style narrowing in TS 6.
- Update bundlesize snapshot.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented May 8, 2026

⚠️ No Changeset found

Latest commit: 40ec20a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@carterworks carterworks changed the base branch from fix-flaky-setconsent-handler to main May 8, 2026 19:16
@carterworks carterworks enabled auto-merge (squash) May 8, 2026 20:32
@carterworks carterworks merged commit 699db9a into main May 8, 2026
8 of 9 checks passed
@carterworks carterworks deleted the update-deps branch May 8, 2026 20:34