Skip to content

deps(web): bump the web-minor-patch group with 21 updates#145

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/web-minor-patch-1de97fce7e
Open

deps(web): bump the web-minor-patch group with 21 updates#145
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/web-minor-patch-1de97fce7e

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the web-minor-patch group with 21 updates:

Package From To
@playwright/test 1.61.0 1.61.1
lint-staged 17.0.7 17.0.8
prettier 3.8.4 3.9.1
react-doctor 0.5.6 0.5.8
turbo 2.9.18 2.10.0
@base-ui/react 1.5.0 1.6.0
@tanstack/react-query 5.101.0 5.101.2
@tanstack/react-query-devtools 5.101.0 5.101.2
@tanstack/react-router 1.170.15 1.170.16
lucide-react 1.18.0 1.22.0
shadcn 4.11.0 4.12.0
typescript-eslint 8.61.1 8.62.0
vite 8.0.16 8.1.0
@tanstack/query-sync-storage-persister 5.101.0 5.101.2
@tanstack/react-query-persist-client 5.101.0 5.101.2
@tanstack/react-virtual 3.14.3 3.14.4
motion 12.40.0 12.42.0
nanoid 5.1.11 5.1.16
recharts 3.8.1 3.9.0
shiki 4.2.0 4.3.0
@vitejs/plugin-react 6.0.2 6.0.3

Updates @playwright/test from 1.61.0 to 1.61.1

Release notes

Sourced from @​playwright/test's releases.

v1.61.1

Bug Fixes

  • #41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
  • #41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
  • #41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
  • #41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
  • #41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks
Commits
  • 39e3553 cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...
  • 4328122 chore: mark v1.61.1 (#41404)
  • 2c29a94 fix(tracing): stop recording websocket frames outside of chunks (#41398)
  • 4324b19 cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend
  • 041e7e3 cherry-pick(#41364): fix(har): WebSocket message timestamps should be in mi...
  • b8a0fc3 cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...
  • b5a3175 cherry-pick(#41319): fix(loader): support other node versions
  • d4724a9 cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image
  • See full diff in compare view

Updates lint-staged from 17.0.7 to 17.0.8

Release notes

Sourced from lint-staged's releases.

v17.0.8

Patch Changes

  • #1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

  • #1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

Changelog

Sourced from lint-staged's changelog.

17.0.8

Patch Changes

  • #1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

  • #1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

Commits
  • 5f3b8f2 Merge pull request #1812 from lint-staged/changeset-release/main
  • 43a9b8d chore(changeset): release
  • 630e2f6 Merge pull request #1809 from lint-staged/restore-merge-status
  • 179b437 fix: restore Git merge status after creating backup stash
  • 6bae2e2 Merge pull request #1811 from lint-staged/exec-git-ignore-stderr
  • b82a830 ci: run npm audit omitting dev, including prod dependencies
  • 0b19b80 build(deps): update dependencies
  • 3d0b2c0 fix: ignore stderr when doing Git operations
  • See full diff in compare view

Updates prettier from 3.8.4 to 3.9.1

Release notes

Sourced from prettier's releases.

3.9.1

🔗 Changelog

3.9.0

diff

🔗 Prettier 3.9: Major parser upgrades and Formatting improvements

3.8.5

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.9.1

diff

CLI: Fix ignored file has been cached incorrectly (#19483 by @​kovsu)

Bug details prettier/prettier#18016

3.9.0

diff

🔗 Release Notes

3.8.5

diff

Flow: Support readonly as a variance annotation (#19022 by @​marcoww6)

Flow now accepts readonly as a property variance annotation, equivalent to + (covariant/read-only).

// Input
type T = {
  readonly foo: string,
};
// Prettier 3.8.4
SyntaxError
// Prettier 3.8.5
type T = {
readonly foo: string,
};

Commits

Updates react-doctor from 0.5.6 to 0.5.8

Release notes

Sourced from react-doctor's releases.

react-doctor@0.5.8

Patch Changes

  • #903 627f9ca Thanks @​rayhanadev! - Bound every long-running scan phase with a hard, runtime-independent timeout so a single wedged dependency socket, quadratic file, or starved event loop can no longer hang a scan for hours (production traces showed runInspect up to 16h and Linter.run up to 7.5h).

    • Binary-split cascade (spawnLintBatches): a cumulative split-time budget (OXLINT_SPLIT_TOTAL_BUDGET_MS, 3 min) and a recursion-depth cap (OXLINT_SPLIT_MAX_DEPTH, 8) now drop the remaining files of a pathological batch into the existing onPartialFailure / skippedCheckReasons["lint:partial"] channel instead of re-waiting a full spawn timeout at every split level.
    • Supply-chain check: a whole-check cap (SUPPLY_CHAIN_TOTAL_TIMEOUT_MS, 90s) fails open (no diagnostics) on a many-socket pileup that ignores the per-fetch abort — the same fail-open contract the per-package lookup already had.
    • Dead-code & lint phases: Effect-level caps (REACT_DOCTOR_DEAD_CODE_PHASE_TIMEOUT_MS, default 2.5 min; REACT_DOCTOR_LINT_PHASE_TIMEOUT_MS, default 5 min) sit above the existing per-unit timeouts and fold a timeout into the existing skipped-check / lint-failure contracts so the rest of the scan still completes. On interruption the dead-code worker and any in-flight oxlint subprocesses are SIGKILL'd (the AbortSignal is threaded down to both), so the cap actually reclaims the work instead of leaving orphaned processes running.
    • Overall deadline: REACT_DOCTOR_SCAN_DEADLINE_MS (default 15 min) backstops any phase not individually capped, raising the new ScanDeadlineExceeded reason on the ReactDoctorError union. It sits above the sum of the per-phase caps so a scan that legitimately uses those budgets degrades gracefully rather than hard-failing.

    All four caps are env-tunable so the budgets can be raised without a redeploy. The defaults sit well above measured p95, so only the pathological tail is affected — no behavior change for normal scans.

  • #903 627f9ca Thanks @​rayhanadev! - Run dead-code analysis sequentially by default and scale its timeout to the repo size — fixing a silent drop of all dead-code findings on large supply-chain scans.

    Dead-code (deslop reachability) is CPU-bound, like the oxlint lint pass. Running them concurrently oversubscribed the cores: deslop's parse pool and the oxlint pool each size to all cores, so together they demanded ~2x the cores, thrashed, and the parse pass missed its in-worker timeout. On a large repo (where the pass already runs near the cap) the supply-chain pass bleeding into the dead-code phase was enough to tip it over, and the fail-open path then silently dropped EVERY dead-code finding — observed dropping all ~349 findings on ~2/3 of supply-chain-on Sentry scans, with no user-visible error.

    Dead-code now runs strictly after lint with the full core budget — fastest per-phase and never oversubscribed (overlapping two CPU-bound passes buys no wall-clock anyway). REACT_DOCTOR_DEAD_CODE_OVERLAP=on still forces the overlap, but the two pools now SPLIT the core budget — deslop's parse pool is capped via the new DESLOP_PARSE_CONCURRENCY env and lint shrinks to the remainder — so they sum to the cores instead of doubling them.

    The dead-code phase + in-worker timeouts now scale with the project's source-file count (and inversely with the dead-code core share when overlapped) instead of a flat cap, so a large repo's legitimately-long pass isn't reclaimed before it finishes; the ceiling still reclaims a genuinely wedged worker, and an explicit REACT_DOCTOR_DEAD_CODE_PHASE_TIMEOUT_MS override is honored verbatim. This supersedes the previous memory-gated dead-code overlap and replaces the flat dead-code phase cap with the size-scaled budget.

  • #903 627f9ca Thanks @​rayhanadev! - Skip the deslop analysis passes whose output react-doctor discards — an ~8.5x speedup of the dead-code phase on large repos.

    react-doctor consumes only deslop's graph dead-code findings: unused files, unused exports, unused dependencies, and circular dependencies. The dead-code worker projects exactly those four off deslop's result (check-dead-code.ts normalizeResult); the other ~18 fields deslop computes never cross the worker boundary. Two of deslop's passes produce only discarded output and are the bulk of the runtime: the full-TypeScript-Program semantic pass (unused types / enum & class members / misclassified deps), and a set of code-quality detectors (duplicate-block / copy-paste detection, complexity hotspots, feature flags, TypeScript smells, private-type leaks, re-export cycles). Profiling a ~9k-file repo (Sentry) showed generateReport was ~90% of the phase and duplicate-block detection alone was ~83s of ~130s.

    deslop gains a reportCodeQuality flag (default true, so deslop used standalone is unchanged) that gates those six code-quality detectors — they were the only expensive detectors still running unconditionally while the cheaper redundancy detectors were already opt-in. react-doctor's dead-code worker now passes both semantic: { enabled: false } and reportCodeQuality: false.

    Measured on Sentry: deslop drops from ~132s to ~15.5s (8.5x) with byte-identical consumed findings (198 unused files, 10 unused exports, 4 unused deps, 137 cycles), and a full supply-chain-on scan drops from ~142s to ~40s. Skipping these is provably safe — each consumed finding comes from its own detector, independent of the disabled passes — and a parity test locks the invariant so a future deslop change that ever coupled a consumed finding to either pass fails CI first.

  • #903 627f9ca Thanks @​rayhanadev! - Diagnostics are now emitted in a deterministic order across runs (JSON report, terminal output, on-disk dump, and the agent handoff), so two runs of the same repo produce byte-identical ordering instead of the parallel lint pass's arrival order. Lint scans also schedule the largest source files first (LPT batch ordering) for better wall-clock on large repos — a free reordering using the file size the minified-file gate already stat'd. Set REACT_DOCTOR_LINT_BATCH_ORDERING=arrival to fall back to discovery order. The diagnostics array content (and the JSON schemaVersion) is unchanged — only the ordering becomes deterministic.

  • #906 8b91ac8 Thanks @​rayhanadev! - Fix the GitHub Actions setup flow opening duplicate PRs and bundling unrelated local changes (#904). Before creating a branch, openWorkflowPullRequest now checks for an already-open React Doctor setup PR and surfaces it instead of minting a second timestamped branch, and it bails when the working tree has tracked changes other than the workflow file (which git checkout -b + the whole-index git commit would otherwise sweep into the PR), falling back to staging the workflow file.

  • #903 627f9ca Thanks @​rayhanadev! - Memoize the large-minified-file stat/sniff so each source path is statted and content-sniffed at most once per process. A full scan enumerates the source tree more than once — countSourceFiles during discovery, listSourceFiles during the lint pass, and collectSecurityScanFiles during the env-check phase — and every ≥20KB candidate was statSync'd (plus a 64KB content read) on each walk. A module-scope path-keyed cache collapses that to a single stat/sniff per file, wired into the existing clearCaches() invalidation contract so long-running diagnose() consumers still re-read files that change between calls. Behavior is unchanged (identical diagnostics and sourceFileCount); this only removes redundant pre-lint syscalls on full scans.

  • #903 627f9ca Thanks @​rayhanadev! - Replace the fixed 16-worker lint ceiling with a memory-and-core-budgeted auto count (up to 32). The auto path now picks min(cores, floor(availableMemory / 1 GiB)) clamped to [1, 32], where availableMemory is os.totalmem() floored by the container's cgroup memory limit (read directly, since Node's memory APIs report the host total inside a container). os.freemem() is deliberately not used — it excludes reclaimable page cache and reads near-zero on macOS / cache-heavy Linux, which would have collapsed the default scan to a single worker.

    The 1 GiB/worker budget matches the per-worker footprint the old fixed-16 ceiling already tolerated (16 workers on a typical 16 GiB CI box), so machines with at least ~1 GiB per core stay core-bound and unchanged. A 32/64-core runner with enough memory now uses up to 32 workers instead of idling cores behind the old 16; a high-core but memory-starved box or container uses fewer workers so the oxlint native binding doesn't OOM (the existing EAGAIN/ENOMEM serial replay remains the runtime backstop). Past ~10 workers parallel efficiency already flattens, so this is headroom and OOM-safety, not a proportional speedup.

    The cgroup v2 limit is read from the mount-root memory.max, which is the container's limit under the standard cgroup-namespace setup CI runners use; a non-namespaced nested cgroup falls back to the host total (with the serial replay as the backstop).

    Note for diagnose({ projects }) batch scans: each project's lint pass is budgeted independently against the whole machine, so a batch (default 4 concurrent projects) can now spawn up to 4 × 32 concurrent oxlint processes on a large runner (was 4 × 16). The per-project EAGAIN/ENOMEM serial replay still backstops any over-subscription; dividing the per-project memory budget by the batch concurrency is a possible follow-up.

    Explicit REACT_DOCTOR_PARALLEL=N and inspect({ concurrency: N }) pins are now clamped to 32 (was 16). The [~N workers] scan suffix can show more than 16 on large runners, and the oxlint.workers telemetry distribution (plus the wide-event workerCount / parallel) now reports the real resolved worker count on the default auto path instead of only when a count was pinned.

  • #908 2cadd3f Thanks @​rayhanadev! - Add a once-per-repo migration that pins a mutable @main / @master React Doctor GitHub Action reference in .github/workflows/*.yml to the recommended floating major (@v2).

    An unpinned @main runs whatever the action's HEAD points to with the workflow's write permissions — a supply-chain risk (#299) — and the rewrite also moves the workflow onto the current install- and scan-cached action release. Pinned tags / commit SHAs are deliberate and left untouched, and a different action on @main (e.g. actions/checkout@main) is ignored. Runs once per repo like the legacy-config migration, rewrites only the ref (owner, comments, and the action's version: input are preserved), and logs the change for the user to review and commit (or revert if they intentionally track main).

  • #907 7e10716 Thanks @​rayhanadev! - Rework the CLI's per-user state tracking into a small lifecycle framework. All onboarding, growth, and migration state now lives behind one store (cli-state-store.ts) and one set of primitives (cli-lifecycle.ts): gates (fire once per machine or per repo, with an outcome and a version), migrations (run a code/config update once per repo, tracked), and invalidation (bump a gate's/migration's version to re-fire). Onboarding, the CI pitch, the action-upgrade offer, the agent install hint, and the legacy react-doctor.config.jsondoctor.config.ts migration are all expressed on it. The on-disk state file upgrades itself in place on first read, preserving every recorded answer — no user is re-prompted. No change to commands, flags, or output.

... (truncated)

Changelog

Sourced from react-doctor's changelog.

0.5.8

Patch Changes

  • #903 627f9ca Thanks @​rayhanadev! - Bound every long-running scan phase with a hard, runtime-independent timeout so a single wedged dependency socket, quadratic file, or starved event loop can no longer hang a scan for hours (production traces showed runInspect up to 16h and Linter.run up to 7.5h).

    • Binary-split cascade (spawnLintBatches): a cumulative split-time budget (OXLINT_SPLIT_TOTAL_BUDGET_MS, 3 min) and a recursion-depth cap (OXLINT_SPLIT_MAX_DEPTH, 8) now drop the remaining files of a pathological batch into the existing onPartialFailure / skippedCheckReasons["lint:partial"] channel instead of re-waiting a full spawn timeout at every split level.
    • Supply-chain check: a whole-check cap (SUPPLY_CHAIN_TOTAL_TIMEOUT_MS, 90s) fails open (no diagnostics) on a many-socket pileup that ignores the per-fetch abort — the same fail-open contract the per-package lookup already had.
    • Dead-code & lint phases: Effect-level caps (REACT_DOCTOR_DEAD_CODE_PHASE_TIMEOUT_MS, default 2.5 min; REACT_DOCTOR_LINT_PHASE_TIMEOUT_MS, default 5 min) sit above the existing per-unit timeouts and fold a timeout into the existing skipped-check / lint-failure contracts so the rest of the scan still completes. On interruption the dead-code worker and any in-flight oxlint subprocesses are SIGKILL'd (the AbortSignal is threaded down to both), so the cap actually reclaims the work instead of leaving orphaned processes running.
    • Overall deadline: REACT_DOCTOR_SCAN_DEADLINE_MS (default 15 min) backstops any phase not individually capped, raising the new ScanDeadlineExceeded reason on the ReactDoctorError union. It sits above the sum of the per-phase caps so a scan that legitimately uses those budgets degrades gracefully rather than hard-failing.

    All four caps are env-tunable so the budgets can be raised without a redeploy. The defaults sit well above measured p95, so only the pathological tail is affected — no behavior change for normal scans.

  • #903 627f9ca Thanks @​rayhanadev! - Run dead-code analysis sequentially by default and scale its timeout to the repo size — fixing a silent drop of all dead-code findings on large supply-chain scans.

    Dead-code (deslop reachability) is CPU-bound, like the oxlint lint pass. Running them concurrently oversubscribed the cores: deslop's parse pool and the oxlint pool each size to all cores, so together they demanded ~2x the cores, thrashed, and the parse pass missed its in-worker timeout. On a large repo (where the pass already runs near the cap) the supply-chain pass bleeding into the dead-code phase was enough to tip it over, and the fail-open path then silently dropped EVERY dead-code finding — observed dropping all ~349 findings on ~2/3 of supply-chain-on Sentry scans, with no user-visible error.

    Dead-code now runs strictly after lint with the full core budget — fastest per-phase and never oversubscribed (overlapping two CPU-bound passes buys no wall-clock anyway). REACT_DOCTOR_DEAD_CODE_OVERLAP=on still forces the overlap, but the two pools now SPLIT the core budget — deslop's parse pool is capped via the new DESLOP_PARSE_CONCURRENCY env and lint shrinks to the remainder — so they sum to the cores instead of doubling them.

    The dead-code phase + in-worker timeouts now scale with the project's source-file count (and inversely with the dead-code core share when overlapped) instead of a flat cap, so a large repo's legitimately-long pass isn't reclaimed before it finishes; the ceiling still reclaims a genuinely wedged worker, and an explicit REACT_DOCTOR_DEAD_CODE_PHASE_TIMEOUT_MS override is honored verbatim. This supersedes the previous memory-gated dead-code overlap and replaces the flat dead-code phase cap with the size-scaled budget.

  • #903 627f9ca Thanks @​rayhanadev! - Skip the deslop analysis passes whose output react-doctor discards — an ~8.5x speedup of the dead-code phase on large repos.

    react-doctor consumes only deslop's graph dead-code findings: unused files, unused exports, unused dependencies, and circular dependencies. The dead-code worker projects exactly those four off deslop's result (check-dead-code.ts normalizeResult); the other ~18 fields deslop computes never cross the worker boundary. Two of deslop's passes produce only discarded output and are the bulk of the runtime: the full-TypeScript-Program semantic pass (unused types / enum & class members / misclassified deps), and a set of code-quality detectors (duplicate-block / copy-paste detection, complexity hotspots, feature flags, TypeScript smells, private-type leaks, re-export cycles). Profiling a ~9k-file repo (Sentry) showed generateReport was ~90% of the phase and duplicate-block detection alone was ~83s of ~130s.

    deslop gains a reportCodeQuality flag (default true, so deslop used standalone is unchanged) that gates those six code-quality detectors — they were the only expensive detectors still running unconditionally while the cheaper redundancy detectors were already opt-in. react-doctor's dead-code worker now passes both semantic: { enabled: false } and reportCodeQuality: false.

    Measured on Sentry: deslop drops from ~132s to ~15.5s (8.5x) with byte-identical consumed findings (198 unused files, 10 unused exports, 4 unused deps, 137 cycles), and a full supply-chain-on scan drops from ~142s to ~40s. Skipping these is provably safe — each consumed finding comes from its own detector, independent of the disabled passes — and a parity test locks the invariant so a future deslop change that ever coupled a consumed finding to either pass fails CI first.

  • #903 627f9ca Thanks @​rayhanadev! - Diagnostics are now emitted in a deterministic order across runs (JSON report, terminal output, on-disk dump, and the agent handoff), so two runs of the same repo produce byte-identical ordering instead of the parallel lint pass's arrival order. Lint scans also schedule the largest source files first (LPT batch ordering) for better wall-clock on large repos — a free reordering using the file size the minified-file gate already stat'd. Set REACT_DOCTOR_LINT_BATCH_ORDERING=arrival to fall back to discovery order. The diagnostics array content (and the JSON schemaVersion) is unchanged — only the ordering becomes deterministic.

  • #906 8b91ac8 Thanks @​rayhanadev! - Fix the GitHub Actions setup flow opening duplicate PRs and bundling unrelated local changes (#904). Before creating a branch, openWorkflowPullRequest now checks for an already-open React Doctor setup PR and surfaces it instead of minting a second timestamped branch, and it bails when the working tree has tracked changes other than the workflow file (which git checkout -b + the whole-index git commit would otherwise sweep into the PR), falling back to staging the workflow file.

  • #903 627f9ca Thanks @​rayhanadev! - Memoize the large-minified-file stat/sniff so each source path is statted and content-sniffed at most once per process. A full scan enumerates the source tree more than once — countSourceFiles during discovery, listSourceFiles during the lint pass, and collectSecurityScanFiles during the env-check phase — and every ≥20KB candidate was statSync'd (plus a 64KB content read) on each walk. A module-scope path-keyed cache collapses that to a single stat/sniff per file, wired into the existing clearCaches() invalidation contract so long-running diagnose() consumers still re-read files that change between calls. Behavior is unchanged (identical diagnostics and sourceFileCount); this only removes redundant pre-lint syscalls on full scans.

  • #903 627f9ca Thanks @​rayhanadev! - Replace the fixed 16-worker lint ceiling with a memory-and-core-budgeted auto count (up to 32). The auto path now picks min(cores, floor(availableMemory / 1 GiB)) clamped to [1, 32], where availableMemory is os.totalmem() floored by the container's cgroup memory limit (read directly, since Node's memory APIs report the host total inside a container). os.freemem() is deliberately not used — it excludes reclaimable page cache and reads near-zero on macOS / cache-heavy Linux, which would have collapsed the default scan to a single worker.

    The 1 GiB/worker budget matches the per-worker footprint the old fixed-16 ceiling already tolerated (16 workers on a typical 16 GiB CI box), so machines with at least ~1 GiB per core stay core-bound and unchanged. A 32/64-core runner with enough memory now uses up to 32 workers instead of idling cores behind the old 16; a high-core but memory-starved box or container uses fewer workers so the oxlint native binding doesn't OOM (the existing EAGAIN/ENOMEM serial replay remains the runtime backstop). Past ~10 workers parallel efficiency already flattens, so this is headroom and OOM-safety, not a proportional speedup.

    The cgroup v2 limit is read from the mount-root memory.max, which is the container's limit under the standard cgroup-namespace setup CI runners use; a non-namespaced nested cgroup falls back to the host total (with the serial replay as the backstop).

    Note for diagnose({ projects }) batch scans: each project's lint pass is budgeted independently against the whole machine, so a batch (default 4 concurrent projects) can now spawn up to 4 × 32 concurrent oxlint processes on a large runner (was 4 × 16). The per-project EAGAIN/ENOMEM serial replay still backstops any over-subscription; dividing the per-project memory budget by the batch concurrency is a possible follow-up.

    Explicit REACT_DOCTOR_PARALLEL=N and inspect({ concurrency: N }) pins are now clamped to 32 (was 16). The [~N workers] scan suffix can show more than 16 on large runners, and the oxlint.workers telemetry distribution (plus the wide-event workerCount / parallel) now reports the real resolved worker count on the default auto path instead of only when a count was pinned.

  • #908 2cadd3f Thanks @​rayhanadev! - Add a once-per-repo migration that pins a mutable @main / @master React Doctor GitHub Action reference in .github/workflows/*.yml to the recommended floating major (@v2).

    An unpinned @main runs whatever the action's HEAD points to with the workflow's write permissions — a supply-chain risk (#299) — and the rewrite also moves the workflow onto the current install- and scan-cached action release. Pinned tags / commit SHAs are deliberate and left untouched, and a different action on @main (e.g. actions/checkout@main) is ignored. Runs once per repo like the legacy-config migration, rewrites only the ref (owner, comments, and the action's version: input are preserved), and logs the change for the user to review and commit (or revert if they intentionally track main).

  • #907 7e10716 Thanks @​rayhanadev! - Rework the CLI's per-user state tracking into a small lifecycle framework. All onboarding, growth, and migration state now lives behind one store (cli-state-store.ts) and one set of primitives (cli-lifecycle.ts): gates (fire once per machine or per repo, with an outcome and a version), migrations (run a code/config update once per repo, tracked), and invalidation (bump a gate's/migration's version to re-fire). Onboarding, the CI pitch, the action-upgrade offer, the agent install hint, and the legacy react-doctor.config.jsondoctor.config.ts migration are all expressed on it. The on-disk state file upgrades itself in place on first read, preserving every recorded answer — no user is re-prompted. No change to commands, flags, or output.

... (truncated)

Commits
  • f4e8e4b chore: version packages (#891)
  • 0b4f4f4 fix(action,core): address Cursor Bugbot findings on the CI-speedup PR (#909)
  • 2cadd3f perf(action,core): CI speedups — install cache, persistent scan caches, local...
  • 627f9ca perf: speed up large-repo scans + fix dead-code drop under supply-chain (#903)
  • 8b91ac8 fix: make GitHub Actions setup flow idempotent and stop bundling local change...
  • 7e10716 refactor(cli): unify onboarding/growth state into a lifecycle framework (#907)
  • 8bbcca8 chore: vendor deslop-js + deslop-cli into the monorepo (#880)
  • 96b5bb4 chore: version packages (#827)
  • 869f220 feat(cli): warn before mass-fixing a migration-scale bucket (#884)
  • a9d2713 feat(cli): group findings a single fix resolves into one root-cause task (#882)
  • Additional commits viewable in compare view

Updates turbo from 2.9.18 to 2.10.0

Release notes

Sourced from turbo's releases.

Turborepo v2.10.0

What's Changed

create-turbo

@​turbo/codemod

eslint

@​turbo/repository

@​turbo/telemetry

Examples

Changelog

... (truncated)

Commits
  • 12fb0d9 publish 2.10.0 to registry
  • a12323b release(turborepo): 2.9.19-canary.10 (#13130)
  • 65175fe fix: Hash selected dependency outputs instead of tasks (#13129)
  • 5ba8917 fix: Improve watch graceful shutdown (#13128)
  • 75ee2cc chore: Update to Rust 1.96.0 (#12974)
  • 6dccf5a fix: Restart deferred hash consumers in watch (#13127)
  • 4ebb50f feat: Add deferred hashing for task inputs (#13125)
  • 517e1a5 docs: Fix stderr debugging guidance (#13122)
  • 0220b35 fix: Respect task inputs when stopping interruptible persistent tasks in watc...
  • 6988692 fix: Add ComSpec and PATHEXT to default Windows env passthrough (#13114)
  • Additional commits viewable in compare view

Updates @base-ui/react from 1.5.0 to 1.6.0

Release notes

Sourced from @​base-ui/react's releases.

v1.6.0

General changes

Accordion

Alert Dialog

Autocomplete

Avatar

Checkbox

Checkbox Group

@dependabot
deps(web): bump the web-minor-patch group with 21 updates
5df354f 
Bumps the web-minor-patch group with 21 updates:

| Package | From | To |
| --- | --- | --- |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.61.0` | `1.61.1` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `17.0.7` | `17.0.8` |
| [prettier](https://github.com/prettier/prettier) | `3.8.4` | `3.9.1` |
| [react-doctor](https://github.com/millionco/react-doctor/tree/HEAD/packages/react-doctor) | `0.5.6` | `0.5.8` |
| [turbo](https://github.com/vercel/turborepo) | `2.9.18` | `2.10.0` |
| [@base-ui/react](https://github.com/mui/base-ui/tree/HEAD/packages/react) | `1.5.0` | `1.6.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.101.0` | `5.101.2` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.101.0` | `5.101.2` |
| [@tanstack/react-router](https://github.com/TanStack/router/tree/HEAD/packages/react-router) | `1.170.15` | `1.170.16` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.18.0` | `1.22.0` |
| [shadcn](https://github.com/shadcn-ui/ui/tree/HEAD/packages/shadcn) | `4.11.0` | `4.12.0` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.61.1` | `8.62.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.16` | `8.1.0` |
| [@tanstack/query-sync-storage-persister](https://github.com/TanStack/query/tree/HEAD/packages/query-sync-storage-persister) | `5.101.0` | `5.101.2` |
| [@tanstack/react-query-persist-client](https://github.com/TanStack/query/tree/HEAD/packages/react-query-persist-client) | `5.101.0` | `5.101.2` |
| [@tanstack/react-virtual](https://github.com/TanStack/virtual/tree/HEAD/packages/react-virtual) | `3.14.3` | `3.14.4` |
| [motion](https://github.com/motiondivision/motion) | `12.40.0` | `12.42.0` |
| [nanoid](https://github.com/ai/nanoid) | `5.1.11` | `5.1.16` |
| [recharts](https://github.com/recharts/recharts) | `3.8.1` | `3.9.0` |
| [shiki](https://github.com/shikijs/shiki/tree/HEAD/packages/shiki) | `4.2.0` | `4.3.0` |
| [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) | `6.0.2` | `6.0.3` |


Updates `@playwright/test` from 1.61.0 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.61.0...v1.61.1)

Updates `lint-staged` from 17.0.7 to 17.0.8
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v17.0.7...v17.0.8)

Updates `prettier` from 3.8.4 to 3.9.1
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.4...3.9.1)

Updates `react-doctor` from 0.5.6 to 0.5.8
- [Release notes](https://github.com/millionco/react-doctor/releases)
- [Changelog](https://github.com/millionco/react-doctor/blob/main/packages/react-doctor/CHANGELOG.md)
- [Commits](https://github.com/millionco/react-doctor/commits/react-doctor@0.5.8/packages/react-doctor)

Updates `turbo` from 2.9.18 to 2.10.0
- [Release notes](https://github.com/vercel/turborepo/releases)
- [Changelog](https://github.com/vercel/turborepo/blob/main/RELEASE.md)
- [Commits](vercel/turborepo@v2.9.18...v2.10.0)

Updates `@base-ui/react` from 1.5.0 to 1.6.0
- [Release notes](https://github.com/mui/base-ui/releases)
- [Changelog](https://github.com/mui/base-ui/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mui/base-ui/commits/v1.6.0/packages/react)

Updates `@tanstack/react-query` from 5.101.0 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.2/packages/react-query)

Updates `@tanstack/react-query-devtools` from 5.101.0 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.101.2/packages/react-query-devtools)

Updates `@tanstack/react-router` from 1.170.15 to 1.170.16
- [Release notes](https://github.com/TanStack/router/releases)
- [Changelog](https://github.com/TanStack/router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/TanStack/router/commits/@tanstack/react-router@1.170.16/packages/react-router)

Updates `lucide-react` from 1.18.0 to 1.22.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.22.0/packages/lucide-react)

Updates `shadcn` from 4.11.0 to 4.12.0
- [Release notes](https://github.com/shadcn-ui/ui/releases)
- [Changelog](https://github.com/shadcn-ui/ui/blob/main/packages/shadcn/CHANGELOG.md)
- [Commits](https://github.com/shadcn-ui/ui/commits/shadcn@4.12.0/packages/shadcn)

Updates `typescript-eslint` from 8.61.1 to 8.62.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.62.0/packages/typescript-eslint)

Updates `vite` from 8.0.16 to 8.1.0
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@8.1.0/packages/vite)

Updates `@tanstack/query-sync-storage-persister` from 5.101.0 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/query-sync-storage-persister/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/query-sync-storage-persister@5.101.2/packages/query-sync-storage-persister)

Updates `@tanstack/react-query-persist-client` from 5.101.0 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-persist-client/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-persist-client@5.101.2/packages/react-query-persist-client)

Updates `@tanstack/react-virtual` from 3.14.3 to 3.14.4
- [Release notes](https://github.com/TanStack/virtual/releases)
- [Changelog](https://github.com/TanStack/virtual/blob/main/packages/react-virtual/CHANGELOG.md)
- [Commits](https://github.com/TanStack/virtual/commits/@tanstack/react-virtual@3.14.4/packages/react-virtual)

Updates `motion` from 12.40.0 to 12.42.0
- [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md)
- [Commits](motiondivision/motion@v12.40.0...v12.42.0)

Updates `nanoid` from 5.1.11 to 5.1.16
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@5.1.11...5.1.16)

Updates `recharts` from 3.8.1 to 3.9.0
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v3.8.1...v3.9.0)

Updates `shiki` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/shikijs/shiki/releases)
- [Commits](https://github.com/shikijs/shiki/commits/v4.3.0/packages/shiki)

Updates `@vitejs/plugin-react` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.3/packages/plugin-react)

---
updated-dependencies:
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: lint-staged
  dependency-version: 17.0.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: prettier
  dependency-version: 3.9.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: react-doctor
  dependency-version: 0.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: turbo
  dependency-version: 2.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: "@base-ui/react"
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: "@tanstack/react-router"
  dependency-version: 1.170.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: lucide-react
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: shadcn
  dependency-version: 4.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: typescript-eslint
  dependency-version: 8.62.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: vite
  dependency-version: 8.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: "@tanstack/query-sync-storage-persister"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: "@tanstack/react-query-persist-client"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: "@tanstack/react-virtual"
  dependency-version: 3.14.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: motion
  dependency-version: 12.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: nanoid
  dependency-version: 5.1.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
- dependency-name: recharts
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: shiki
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-minor-patch
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, frontend. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

React Doctor found no issues. 🎉

Reviewed by React Doctor for commit 5df354f.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants