refactor: Bump lint-staged from 16.2.7 to 16.4.0

[mtrezza]

Closes #10367

Summary

Bumps lint-staged from 16.2.7 to 16.4.0 (devDependency).

Changes included in this update

16.4.0 (Minor)

• Replace micromatch with picomatch to reduce dependencies

16.3.4 (Patch)

• Update dependencies, including tinyexec@1.0.4 to prefer local node_modules/.bin

16.3.3 (Patch)

• Fix Git CRLF line-ending warning interfering with backup stash creation

16.3.2 (Patch)

• Hide extra cmd window on Windows by not spawning tasks as detached

16.3.1 (Patch)

• Remove unused nano-spawn from package.json

16.3.0 (Minor)

• Replace nano-spawn with tinyexec for running external processes
• Remove pidtree dependency, use process groups for killing sub-processes
• Fix exhaustive detection of incorrect brace expansions

Risk assessment

Low risk. All changes are internal refactoring (dependency swaps, bug fixes). No API changes. lint-staged is a devDependency only.

Summary by CodeRabbit

• Chores
  • Updated development tooling dependencies to latest versions for improved code quality and performance during development.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4269b211-4d3f-4a54-9cc1-1d41aed05d37

📥 Commits

Reviewing files that changed from the base of the PR and between 8a581e9 and 39bb7c5.

📒 Files selected for processing (2)

• package-lock.json
• package.json

---

📝 Walkthrough

Walkthrough

Updated the lint-staged development dependency from 16.2.7 to 16.4.0, including internal dependency tree adjustments in the lockfile. Upstream changes include replacing micromatch with picomatch, introducing tinyexec, removing nano-spawn and pidtree, and updating minor versions of commander and yaml.

Changes

Cohort / File(s)	Summary
Dependency Version Bump package.json	Updated lint-staged devDependency from 16.2.7 to 16.4.0.
Lockfile Resolution package-lock.json	Updated lint-staged and its dependency tree: bumped commander (^14.0.2 → ^14.0.3), picomatch (^4.0.8 → ^4.0.3), yaml (^2.8.1 → ^2.8.2); added tinyexec ^1.0.4; removed micromatch, nano-spawn, pidtree entries and corresponding top-level dependencies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• refactor: Bump lint-staged from 16.1.0 to 16.2.7 #10296: Bumped lint-staged to 16.2.7 in a prior update; this PR further bumps it to 16.4.0 as a follow-up version increment.

🚥 Pre-merge checks | ✅ 6 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Human Review	⚠️ Warning	No visible evidence of human review of code changes in git repository; PR template checklist items not documented and PR remains open.	Complete PR template checklist, run and document CI/unit tests, verify pre-commit hooks, validate pattern matching, test Windows spawn behavior, and add evidence as PR comments.
Engage In Review Feedback	❓ Inconclusive	Custom check cannot be verified because GitHub PR review comments and discussions are not accessible in the repository codebase.	Visit #10368 to review PR comments and assess whether the author engaged with reviewer feedback.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'refactor: Bump lint-staged from 16.2.7 to 16.4.0' begins with the required 'refactor:' prefix and clearly summarizes the main change.
Description check	✅ Passed	The PR description is comprehensive, covering the issue closure, detailed summary of changes across versions, and risk assessment, though it uses a custom format rather than the template structure.
Linked Issues check	✅ Passed	The PR meets the linked issue #10367 objectives by updating package.json and lockfile to bump lint-staged 16.2.7→16.4.0 and providing detailed verification notes on behavioral changes.
Out of Scope Changes check	✅ Passed	All changes are in-scope: only package.json and package-lock.json updated to bump lint-staged with no unrelated modifications to the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check	✅ Passed	The PR updates lint-staged from 16.2.7 to 16.4.0 with no security vulnerabilities introduced. All packages resolve from legitimate npm registry with verified integrity hashes. The update reduces dependencies and improves security posture.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Checkov (3.2.510)

package.json

2026-03-31 12:36:02,244 [MainThread ] [ERROR] Template file not found: package.json
2026-03-31 12:36:02,253 [MainThread ] [ERROR] Template file not found: package.json
2026-03-31 12:36:02,264 [MainThread ] [ERROR] Template file not found: package.json
2026-03-31 12:36:02,348 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with package.json
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/ope

... [truncated 2547 characters] ...

ck__)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'
2026-03-31 12:36:02,377 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.52%. Comparing base (8a581e9) to head (39bb7c5).
⚠️ Report is 5 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10368      +/-   ##
==========================================
+ Coverage   92.11%   92.52%   +0.41%     
==========================================
  Files         192      192              
  Lines       16566    16566              
  Branches      231      231              
==========================================
+ Hits        15259    15327      +68     
+ Misses       1281     1217      -64     
+ Partials       26       22       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.7.1-alpha.2