build(deps-dev): bump @types/node from 25.9.3 to 26.0.0 in the typescript group#2835
build(deps-dev): bump @types/node from 25.9.3 to 26.0.0 in the typescript group#2835dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the typescript group with 1 update: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `@types/node` from 25.9.3 to 26.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 26.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: typescript ... Signed-off-by: dependabot[bot] <support@github.com>
Build Branch
Static preview entry points
QR codes (mobile preview)
Integration commandsnpm (Android / Extension): Swift Package Manager (Apple): .package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b")git submodule (Windows): git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33bPin to exact commitnpm (Android / Extension): Swift Package Manager (Apple): .package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "c2d699466c89cd59f050267fb671e45dc063c6cb")git submodule (Windows): git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b
git -C submodules/content-scope-scripts checkout c2d699466c89cd59f050267fb671e45dc063c6cb |
There was a problem hiding this comment.
Injected PR Evaluation: Web Compatibility & Security
Assessed on: PR opened (9a746ad → b4d3fdb)
Web Compatibility Assessment
No findings.
This PR only bumps @types/node (^25.9.3 → ^26.0.0) in injected/package.json and package-lock.json. @types/node is a devDependency providing TypeScript type definitions for Node.js APIs used in build scripts, unit tests, and Playwright integration tests — it is not bundled into page-world content-scope scripts.
- No changes to
injected/src/,wrapper-utils.js,captured-globals.js, messaging, or message bridge. - No API overrides, DOM manipulation, prototype patches, or platform entry-point changes.
node:imports in the repo are confined to test helpers and build scripts, not runtime injected bundles.
Security Assessment
No findings.
- No impact on captured globals, messaging trust boundaries, origin validation, or message bridge security.
- No new network requests,
postMessageusage, or dynamic code execution. - Transitive
undici-typesbump (7.24.6→8.3.0) is dev-only type definitions with no runtime footprint.
Risk Level
Low Risk — dev-only TypeScript type definition bump with zero injected runtime code changes and no page-world API surface impact.
Recommendations
- Merge after CI green — standard hygiene; no injected-specific blockers identified.
- Verified locally:
npm run tscandnpm run tsc-strict-coreboth pass on this branch.
Sent by Cursor Automation: Web compat and sec
There was a problem hiding this comment.
Dependency update risk assessment: @types/node 25.9.3 → 26.0.0
Verdict: Low runtime risk, moderate typing-alignment risk — recommend closing in favor of aligning types with the Node 22 runtime.
A follow-up fix PR has been opened separately (not pushed to this branch) to pin @types/node to ^22.20.0 and block future major Dependabot bumps.
What changed
| Package | Before | After |
|---|---|---|
@types/node |
25.9.3 | 26.0.0 |
undici-types (transitive) |
7.24.6 | 8.3.0 |
Scope is limited to injected/package.json and package-lock.json. This is a devDependency only — no production/runtime bundle impact.
Changelog / type-surface impact (from DefinitelyTyped #75025)
@types/node v26 tracks the Node.js 26 API surface. Notable changes:
- Large
cryptotype cleanup (buffer input types, deprecatedCipherKey→KeyLike) - Removed deprecated/orphaned interfaces in
buffer,fs,perf_hooks,util,worker_threads child_processexec()/execFile()error typing rework (stdout/stderrmay bestring | Buffer)- Requires TypeScript 5.6+ (repo uses TS 6.0.3 ✅)
undici-typesmajor bump to v8.x (fetch/Request/Response typings)
Impact on this repo: This codebase uses a narrow subset of Node APIs in type-checked paths (node:fs, node:path, node:os, node:child_process exec, process.env, process.platform). No direct node:crypto or node:http2 usage was found in checked code. Both npm run tsc and npm run tsc-strict-core pass with v26.
Confirmed concern: runtime vs. types version mismatch
.nvmrc and CI use Node 22, but @types/node major versions track Node.js major versions:
@types/node@22.x→ Node 22 APIs@types/node@26.x→ Node 26 APIs (including APIs not present on Node 22)
main already has a mismatch (@types/node@^25.9.3 vs Node 22). This PR widens that gap. Accepting v26 types could let code type-check against Node 26-only APIs that would fail at runtime on Node 22.
Validation performed: npm run tsc and npm run tsc-strict-core both pass with v25.9.3, v26.0.0, and v22.20.0 — no new type errors surfaced in the current codebase.
Test coverage
There are no unit tests targeting @types/node directly (expected for a type-only devDependency). The validation path is:
npm run tsc(repo-widecheckJstype checking)npm run tsc-strict-core(strict mode on injected core files)
Both pass with the proposed version. This provides reasonable but indirect coverage — it confirms existing code still type-checks, not that Node 26-only APIs are avoided.
Is this dependency still needed?
Yes. @types/node is required for JSDoc/TypeScript checking of node:* imports in injected/scripts/, injected/unit-test/, and injected/integration-test/ (e.g. node:fs, node:path, node:child_process).
Better practice: Pin @types/node major version to match .nvmrc (Node 22 → ^22.x), and update both together when upgrading the runtime.
Supply chain risk
Low.
@types/nodeandundici-typesare MIT-licensed, maintained by DefinitelyTyped- Lockfile includes integrity hashes for both packages
- Dev-only dependency with no install scripts
- No new direct dependencies introduced
Note: web-ext → chrome-launcher still pulls @types/node@25.x transitively, but the workspace's direct resolution takes precedence for type checking.
Recommendation
- Close or skip this Dependabot PR — the major bump does not match the Node 22 runtime.
- Merge the separate fix PR that pins
@types/nodeto^22.20.0and adds a Dependabot ignore for@types/nodesemver-major updates. - When upgrading Node (
.nvmrc), bump@types/nodemajor version in the same change.
Sent by Cursor Automation: Review dependabot
| "@types/chrome": "^0.1.43", | ||
| "@types/jasmine": "^6.0.0", | ||
| "@types/node": "^25.9.3", | ||
| "@types/node": "^26.0.0", |
There was a problem hiding this comment.
Version alignment risk: @types/node major versions map to Node.js major versions. This bump targets the Node 26 API surface, but .nvmrc and CI use Node 22. main already has a v25/v22 mismatch; this widens it further.
npm run tsc and npm run tsc-strict-core both pass with v26 in the current codebase, so there are no immediate type errors — but future code could type-check against Node 26-only APIs unavailable at runtime.
Recommend pinning to ^22.x to match .nvmrc instead (see separate fix PR).


Bumps the typescript group with 1 update: @types/node.
Updates
@types/nodefrom 25.9.3 to 26.0.0Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsNote
Low Risk
Dev-only TypeScript typings bump with no production code changes; main risk is possible compile-time type errors if Node 26 typings differ from usage.
Overview
Bumps the typescript dev dependency group in
injected/package.jsonby upgrading@types/nodefrom 25.9.3 to 26.0.0, with matching lockfile updates inpackage-lock.json.The lockfile also pulls in
undici-types~8.3.0 (replacing the prior 7.24.x range tied to the older@types/noderelease). No runtime or application source files are modified.Reviewed by Cursor Bugbot for commit b4d3fdb. Bugbot is set up for automated code reviews on this repo. Configure here.