chore(deps): batch dependabot updates (hold back incompatible majors) by hoangsnowy · Pull Request #34 · hoangsnowy/loopbridge

hoangsnowy · 2026-05-27T14:49:53Z

Summary

Cherry-picks the open dependabot updates onto one branch so they land as a single reviewable batch with a coherent, regenerated lockfile. 13 of the 14 open dependabot PRs are integrated.

Integrated (13)

GitHub Actions: actions/checkout 5→6, actions/setup-node 5→6, softprops/action-gh-release 2→3, github/codeql-action 3→4.
npm (safe minor/patch): @types/react 19.2.15, postcss 8.5.15, @types/node 25.9.1, @typescript-eslint/{eslint-plugin,parser} 8.59.4, typescript-eslint 8.59.4, @tanstack/react-query 5.100.14, @tanstack/react-virtual 3.13.25, @cyclonedx/cdxgen 12.4.3, @vitest/coverage-v8 4.1.7, vitest 4.1.7.

Held back — incompatible majors

electron 41→42 (chore(deps-dev): bump electron from 41.7.1 to 42.3.0 in the electron group across 1 directory #12): not cherry-picked. Hard rule in CLAUDE.md — Electron 42 ships node 22 cppgc/heap.h using a GCC builtin MSVC lacks, and better-sqlite3 has no Electron-42 prebuild. Native rebuild explodes on Windows.
eslint 9→10 (from the eslint group, chore(deps-dev): bump the eslint group across 1 directory with 3 updates #27): reverted to ^9.36.0. eslint-plugin-react@7.37.5 peers eslint <=9.7; eslint 10 fails npm install (ERESOLVE). The group's @typescript-eslint 8.59.4 bump is kept.
vite 7→8 + @vitejs/plugin-react 5→6 (from the vite group, chore(deps-dev): bump the vite group across 1 directory with 3 updates #29): reverted to ^7.0.0 / ^5.0.0. electron-vite@5 peers vite ^5||^6||^7; vite 8 fails npm install (ERESOLVE). The group's vitest 4.1.7 bump is kept.

Lockfile

Regenerated to a canonical fixed point under npm@11.6.2 install --package-lock-only (the exact command the lockfile guardrail runs), so the lockfile in sync check passes.

Test plan

npm run lint -- --max-warnings 0 — clean
npm run typecheck — clean (both tsconfigs)
npm test — 95/95 passing
npm run build — all three bundles built (vite 7.3.3)
npm install --package-lock-only produces no drift (guardrail mirror)
CI matrix (ubuntu + windows) green

Follow-ups (need maintainer decision)

Close the 13 superseding dependabot PRs after merge (cherry-picks have different SHAs, so they won't auto-close).
chore(deps-dev): bump electron from 41.7.1 to 42.3.0 in the electron group across 1 directory #12 (electron 42): leave open / close with a "blocked: MSVC + better-sqlite3" note.
eslint 10 / vite 8 will stay blocked until eslint-plugin-react and electron-vite ship compatible peer ranges.

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2 to 3. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@v2...v3) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v5...v6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v3...v4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps the react group with 1 update: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react). Updates `@types/react` from 19.2.14 to 19.2.15 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) --- updated-dependencies: - dependency-name: "@types/react" dependency-version: 19.2.15 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: react ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps the tailwind group with 1 update: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.5.14 to 8.5.15 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.14...8.5.15) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.15 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: tailwind ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps the eslint group with 3 updates in the / directory: [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin), [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) and [eslint](https://github.com/eslint/eslint). Updates `@typescript-eslint/eslint-plugin` from 8.59.3 to 8.59.4 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.4/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.59.3 to 8.59.4 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.4/packages/parser) Updates `eslint` from 9.39.4 to 10.4.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v9.39.4...v10.4.0) --- updated-dependencies: - dependency-name: "@typescript-eslint/eslint-plugin" dependency-version: 8.59.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: eslint - dependency-name: "@typescript-eslint/parser" dependency-version: 8.59.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: eslint - dependency-name: eslint dependency-version: 10.4.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: eslint ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps the types group with 1 update: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `@types/node` from 25.9.0 to 25.9.1 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 25.9.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: types ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps the vite group with 3 updates in the / directory: [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `@vitejs/plugin-react` from 5.2.0 to 6.0.2 - [Release notes](https://github.com/vitejs/vite-plugin-react/releases) - [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.2/packages/plugin-react) Updates `vite` from 7.3.3 to 8.0.14 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.14/packages/vite) Updates `vitest` from 4.1.6 to 4.1.7 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.7/packages/vitest) --- updated-dependencies: - dependency-name: "@vitejs/plugin-react" dependency-version: 6.0.2 dependency-type: direct:development update-type: version-update:semver-major dependency-group: vite - dependency-name: vite dependency-version: 8.0.14 dependency-type: direct:development update-type: version-update:semver-major dependency-group: vite - dependency-name: vitest dependency-version: 4.1.7 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: vite ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps the tanstack group with 2 updates: [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) and [@tanstack/react-virtual](https://github.com/TanStack/virtual/tree/HEAD/packages/react-virtual). Updates `@tanstack/react-query` from 5.100.10 to 5.100.14 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.14/packages/react-query) Updates `@tanstack/react-virtual` from 3.13.24 to 3.13.25 - [Release notes](https://github.com/TanStack/virtual/releases) - [Changelog](https://github.com/TanStack/virtual/blob/main/packages/react-virtual/CHANGELOG.md) - [Commits](https://github.com/TanStack/virtual/commits/@tanstack/react-virtual@3.13.25/packages/react-virtual) --- updated-dependencies: - dependency-name: "@tanstack/react-query" dependency-version: 5.100.14 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: tanstack - dependency-name: "@tanstack/react-virtual" dependency-version: 3.13.25 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: tanstack ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.59.3 to 8.59.4. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.4/packages/typescript-eslint) --- updated-dependencies: - dependency-name: typescript-eslint dependency-version: 8.59.4 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@cyclonedx/cdxgen](https://github.com/cdxgen/cdxgen) from 12.4.1 to 12.4.3. - [Release notes](https://github.com/cdxgen/cdxgen/releases) - [Commits](cdxgen/cdxgen@v12.4.1...v12.4.3) --- updated-dependencies: - dependency-name: "@cyclonedx/cdxgen" dependency-version: 12.4.3 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) from 4.1.6 to 4.1.7. - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.7/packages/coverage-v8) --- updated-dependencies: - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.7 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot and others added 14 commits May 27, 2026 21:22

chore(deps): regenerate lockfile after dependency batch

99fe72d

hoangsnowy merged commit 75722b7 into main May 27, 2026
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): batch dependabot updates (hold back incompatible majors)#34

chore(deps): batch dependabot updates (hold back incompatible majors)#34
hoangsnowy merged 14 commits into
mainfrom
chore/deps-batch

hoangsnowy commented May 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

hoangsnowy commented May 27, 2026

Summary

Integrated (13)

Held back — incompatible majors

Lockfile

Test plan

Follow-ups (need maintainer decision)

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant