Skip to content

build(deps-dev): bump @types/node from 25.9.3 to 26.0.0 in the typescript group#2835

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/typescript-3bc154b33b
Open

build(deps-dev): bump @types/node from 25.9.3 to 26.0.0 in the typescript group#2835
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/typescript-3bc154b33b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps the typescript group with 1 update: @types/node.

Updates @types/node from 25.9.3 to 26.0.0

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note

Low Risk
Dev-only TypeScript typings bump with no production code changes; main risk is possible compile-time type errors if Node 26 typings differ from usage.

Overview
Bumps the typescript dev dependency group in injected/package.json by upgrading @types/node from 25.9.3 to 26.0.0, with matching lockfile updates in package-lock.json.

The lockfile also pulls in undici-types ~8.3.0 (replacing the prior 7.24.x range tied to the older @types/node release). No runtime or application source files are modified.

Reviewed by Cursor Bugbot for commit b4d3fdb. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps the typescript group with 1 update: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node).


Updates `@types/node` from 25.9.3 to 26.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: typescript
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Update one or more dependencies version major Increment the major version when merged labels Jul 3, 2026
@dependabot dependabot Bot requested review from a team and daxtheduck as code owners July 3, 2026 10:52
@dependabot dependabot Bot added dependencies Update one or more dependencies version major Increment the major version when merged labels Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b
Commit c2d699466c
Updated July 3, 2026 at 10:53:42 AM UTC

Static preview entry points

QR codes (mobile preview)
Entry point QR code
Docs QR for docs preview
Static pages QR for static pages preview
Integration pages QR for integration pages preview

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b
Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#c2d699466c89cd59f050267fb671e45dc063c6cb

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "c2d699466c89cd59f050267fb671e45dc063c6cb")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-3bc154b33b
git -C submodules/content-scope-scripts checkout c2d699466c89cd59f050267fb671e45dc063c6cb

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Injected PR Evaluation: Web Compatibility & Security

Assessed on: PR opened (9a746adb4d3fdb)


Web Compatibility Assessment

No findings.

This PR only bumps @types/node (^25.9.3^26.0.0) in injected/package.json and package-lock.json. @types/node is a devDependency providing TypeScript type definitions for Node.js APIs used in build scripts, unit tests, and Playwright integration tests — it is not bundled into page-world content-scope scripts.

  • No changes to injected/src/, wrapper-utils.js, captured-globals.js, messaging, or message bridge.
  • No API overrides, DOM manipulation, prototype patches, or platform entry-point changes.
  • node: imports in the repo are confined to test helpers and build scripts, not runtime injected bundles.

Security Assessment

No findings.

  • No impact on captured globals, messaging trust boundaries, origin validation, or message bridge security.
  • No new network requests, postMessage usage, or dynamic code execution.
  • Transitive undici-types bump (7.24.68.3.0) is dev-only type definitions with no runtime footprint.

Risk Level

Low Risk — dev-only TypeScript type definition bump with zero injected runtime code changes and no page-world API surface impact.


Recommendations

  1. Merge after CI green — standard hygiene; no injected-specific blockers identified.
  2. Verified locally: npm run tsc and npm run tsc-strict-core both pass on this branch.
Open in Web View Automation 

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependency update risk assessment: @types/node 25.9.3 → 26.0.0

Verdict: Low runtime risk, moderate typing-alignment risk — recommend closing in favor of aligning types with the Node 22 runtime.

A follow-up fix PR has been opened separately (not pushed to this branch) to pin @types/node to ^22.20.0 and block future major Dependabot bumps.


What changed

Package Before After
@types/node 25.9.3 26.0.0
undici-types (transitive) 7.24.6 8.3.0

Scope is limited to injected/package.json and package-lock.json. This is a devDependency only — no production/runtime bundle impact.


Changelog / type-surface impact (from DefinitelyTyped #75025)

@types/node v26 tracks the Node.js 26 API surface. Notable changes:

  • Large crypto type cleanup (buffer input types, deprecated CipherKeyKeyLike)
  • Removed deprecated/orphaned interfaces in buffer, fs, perf_hooks, util, worker_threads
  • child_process exec()/execFile() error typing rework (stdout/stderr may be string | Buffer)
  • Requires TypeScript 5.6+ (repo uses TS 6.0.3 ✅)
  • undici-types major bump to v8.x (fetch/Request/Response typings)

Impact on this repo: This codebase uses a narrow subset of Node APIs in type-checked paths (node:fs, node:path, node:os, node:child_process exec, process.env, process.platform). No direct node:crypto or node:http2 usage was found in checked code. Both npm run tsc and npm run tsc-strict-core pass with v26.


Confirmed concern: runtime vs. types version mismatch

.nvmrc and CI use Node 22, but @types/node major versions track Node.js major versions:

  • @types/node@22.x → Node 22 APIs
  • @types/node@26.x → Node 26 APIs (including APIs not present on Node 22)

main already has a mismatch (@types/node@^25.9.3 vs Node 22). This PR widens that gap. Accepting v26 types could let code type-check against Node 26-only APIs that would fail at runtime on Node 22.

Validation performed: npm run tsc and npm run tsc-strict-core both pass with v25.9.3, v26.0.0, and v22.20.0 — no new type errors surfaced in the current codebase.


Test coverage

There are no unit tests targeting @types/node directly (expected for a type-only devDependency). The validation path is:

  • npm run tsc (repo-wide checkJs type checking)
  • npm run tsc-strict-core (strict mode on injected core files)

Both pass with the proposed version. This provides reasonable but indirect coverage — it confirms existing code still type-checks, not that Node 26-only APIs are avoided.


Is this dependency still needed?

Yes. @types/node is required for JSDoc/TypeScript checking of node:* imports in injected/scripts/, injected/unit-test/, and injected/integration-test/ (e.g. node:fs, node:path, node:child_process).

Better practice: Pin @types/node major version to match .nvmrc (Node 22 → ^22.x), and update both together when upgrading the runtime.


Supply chain risk

Low.

  • @types/node and undici-types are MIT-licensed, maintained by DefinitelyTyped
  • Lockfile includes integrity hashes for both packages
  • Dev-only dependency with no install scripts
  • No new direct dependencies introduced

Note: web-extchrome-launcher still pulls @types/node@25.x transitively, but the workspace's direct resolution takes precedence for type checking.


Recommendation

  1. Close or skip this Dependabot PR — the major bump does not match the Node 22 runtime.
  2. Merge the separate fix PR that pins @types/node to ^22.20.0 and adds a Dependabot ignore for @types/node semver-major updates.
  3. When upgrading Node (.nvmrc), bump @types/node major version in the same change.
Open in Web View Automation 

Sent by Cursor Automation: Review dependabot

Comment thread injected/package.json
"@types/chrome": "^0.1.43",
"@types/jasmine": "^6.0.0",
"@types/node": "^25.9.3",
"@types/node": "^26.0.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version alignment risk: @types/node major versions map to Node.js major versions. This bump targets the Node 26 API surface, but .nvmrc and CI use Node 22. main already has a v25/v22 mismatch; this widens it further.

npm run tsc and npm run tsc-strict-core both pass with v26 in the current codebase, so there are no immediate type errors — but future code could type-check against Node 26-only APIs unavailable at runtime.

Recommend pinning to ^22.x to match .nvmrc instead (see separate fix PR).

@cursor cursor Bot mentioned this pull request Jul 3, 2026
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Update one or more dependencies version major Increment the major version when merged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants