Skip to content

bump dependencies#10

Merged
alexpate merged 2 commits intomainfrom
chore/dep-bumps
Apr 17, 2026
Merged

bump dependencies#10
alexpate merged 2 commits intomainfrom
chore/dep-bumps

Conversation

@alexpate
Copy link
Copy Markdown
Contributor

@alexpate alexpate commented Apr 17, 2026

Summary

  • Bump dependencies across the catalog, root, and packages/passmint devDeps
  • Clears all 16 pnpm audit findings (0 vulnerabilities after); all transitive via @cloudflare/vitest-pool-workers and tsdown

Major version bumps

  • @biomejs/biome 1.9 → 2.4 (config migrated via biome migrate; organizeImports is now an assist)
  • typescript 5.7 → 6.0
  • vitest 2.1 → 4.1
  • tsdown 0.10 → 0.21
  • @cloudflare/vitest-pool-workers 0.5 → 0.14

Minor bumps

  • @changesets/cli 2.27 → 2.30
  • turbo 2.3 → 2.9
  • @peculiar/asn1-* 2.3 → 2.6
  • @arethetypeswrong/cli 0.17 → 0.18
  • publint 0.3.2 → 0.3.18

Config / code follow-ups required by the bumps

  • tsdown.config.ts: externaldeps.neverBundle; added fixedExtension: false to keep dist/index.js (tsdown 0.21 defaults to .mjs)
  • vitest.workers.config.ts: migrated from defineWorkersConfig('@cloudflare/vitest-pool-workers/config') to cloudflareTest() plugin +
    defineConfig (the /config subpath was removed in 0.14)
  • biome.json: migrated to 2.x schema
  • Biome 2 auto-applied import sort + JSON array formatting across 13 files (cosmetic)
  • Added pnpm.overrides.vite: ^7.1.0 — vitest 4 peers on Vite ≥6 but the lockfile was resolving to 5

Test plan

  • pnpm audit — 0 vulnerabilities (was 16)
  • pnpm lint clean
  • pnpm type-check clean
  • pnpm test — 258/258 passed
  • pnpm test:workers — 3/3 passed
  • pnpm build — bundle 11.26 KB gzipped (under 15 KB budget), 44.33 KB with deps (under 50 KB budget)
  • pnpm --filter passmint run bundle-guard — zero node:* refs
  • pnpm --filter passmint run publint — clean
  • pnpm --filter passmint run attw — clean on esm-only profile

@alexpate alexpate marked this pull request as ready for review April 17, 2026 09:23
@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented Apr 17, 2026
edited
Loading

Greptile Summary

This PR bumps all major and minor dependencies across the monorepo, clearing 16 pnpm audit vulnerabilities and migrating configs to match the new APIs of Biome 2.x, tsdown 0.21, @cloudflare/vitest-pool-workers 0.14, and vitest 4.1. Source file changes are cosmetic (Biome 2 auto-applied import sorting).

Key changes:

  • @biomejs/biome 1.9 → 2.4: config migrated to new includes/assist schema; noConsole rule correctly set to \"error\" with no allow-list (previous thread concern resolved); noRestrictedImports promoted from nurserystyle with matching override update
  • typescript 5.9 → 6.0, vitest 2.1 → 4.1, tsdown 0.10 → 0.21, @cloudflare/vitest-pool-workers 0.5 → 0.14
  • tsdown.config.ts: externaldeps.neverBundle; explicit fixedExtension: false to preserve .js output extension
  • vitest.workers.config.ts: migrated from removed defineWorkersConfig('/config') API to cloudflareTest() plugin + defineConfig
  • Added pnpm.overrides.vite: ^7.1.0 to prevent lockfile from resolving to Vite 5
  • All 258 unit tests, 3 workers tests, lint, type-check, and build budget checks pass per the PR test plan

Confidence Score: 5/5

Safe to merge — all config migrations are correct, tests pass, and no vulnerabilities remain

Comprehensive test plan was executed (258 unit tests, 3 workers tests, lint, type-check, build budget, publint, attw), all 16 audit vulnerabilities cleared, config migrations correctly follow the new APIs for every bumped tool, and the prior review concern about noConsole was already addressed

No files require special attention

Important Files Changed

Filename Overview
biome.json Correctly migrated from Biome 1.9 to 2.x schema: organizeImports moved to assist, files.ignore replaced by files.includes negation patterns, noRestrictedImports promoted from nursery to style with matching override, and noConsole: "error" set without allow-list (prior thread concern resolved)
packages/passmint/tsdown.config.ts Correctly migrated from deprecated external to deps.neverBundle for tsdown 0.21; fixedExtension: false explicitly set to keep .js output (not .mjs) consistent with the exports field in package.json
packages/passmint/vitest.workers.config.ts Correctly migrated from removed defineWorkersConfig('@cloudflare/vitest-pool-workers/config') to the new cloudflareTest() plugin + defineConfig API in @cloudflare/vitest-pool-workers 0.14
package.json Root devDeps bumped and pnpm.overrides.vite: ^7.1.0 added to force Vite 7 resolution (vitest 4 requires Vite ≥6 but lockfile was resolving Vite 5)
pnpm-workspace.yaml All catalog version specifiers updated; @cloudflare/vitest-pool-workers added to catalog at ^0.14.7
pnpm-lock.yaml Lockfile regenerated to reflect all bumped versions; overrides: vite: ^7.1.0 appears at the top level; all peer dependency resolutions look consistent
packages/passmint/src/index.ts Cosmetic-only: Biome 2 auto-reordered exports alphabetically; no functional changes to the public API surface
packages/passmint/package.json @cloudflare/vitest-pool-workers moved from pinned ^0.5 to catalog reference; cosmetic formatting of files array by Biome 2

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Before["Before (versions bumped)"]
        B1["biome 1.9\norganizeImports top-level\nfiles.ignore\nnursery.noRestrictedImports"]
        B2["tsdown 0.10\nexternal: [/^node:/]"]
        B3["@cloudflare/vitest-pool-workers 0.5\ndefineWorkersConfig('/config')"]
        B4["vitest 2.1 + vite 5\n(lockfile resolved)"]
        B5["typescript 5.9"]
    end

    subgraph After["After (this PR)"]
        A1["biome 2.4\nassist.organizeImports\nfiles.includes negation\nstyle.noRestrictedImports\nnoConsole: error"]
        A2["tsdown 0.21\ndeps.neverBundle: [/^node:/]\nfixedExtension: false"]
        A3["@cloudflare/vitest-pool-workers 0.14\ncloudflareTest() plugin\n+ defineConfig"]
        A4["vitest 4.1 + vite 7.3\n(pnpm.overrides.vite ^7.1)"]
        A5["typescript 6.0"]
    end

    B1 -->|biome migrate| A1
    B2 -->|API renamed| A2
    B3 -->|/config subpath removed| A3
    B4 -->|override added| A4
    B5 -->|major bump| A5

    A1 & A2 & A3 & A4 & A5 --> Result["0 pnpm audit vulnerabilities\n258/258 unit tests pass\n3/3 workers tests pass\nbuild budget ✓"]
Loading

Reviews (2): Last reviewed commit: "invert log statement" | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 17, 2026
View reviewed changes
Comment thread biome.json Outdated
@alexpate
Copy link
Copy Markdown
Contributor Author

alexpate commented Apr 17, 2026

@greptile review and summary

@alexpate alexpate merged commit c370eda into main Apr 17, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alexpate