Skip to content

chore(deps-dev): bump the typescript-ecosystem group across 1 directory with 2 updates#12

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/typescript-ecosystem-6cf85894ce
Open

chore(deps-dev): bump the typescript-ecosystem group across 1 directory with 2 updates#12
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/typescript-ecosystem-6cf85894ce

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Copy link
Copy Markdown
Contributor

Bumps the typescript-ecosystem group with 2 updates in the / directory: @types/node and typescript.

Updates @types/node from 22.20.0 to 26.0.1

Commits

Updates typescript from 5.9.3 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0 Beta

For release notes, check out the release announcement.

Downloads are available on:

Commits
  • 050880c Bump version to 6.0.3 and LKG
  • eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
  • ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
  • 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
  • 607a22a Bump version to 6.0.2 and LKG
  • 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
  • 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
  • e175b69 Bump version to 6.0.1-rc and LKG
  • af4caac Update LKG
  • 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 21, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 21, 2026
@tps-flint

Copy link
Copy Markdown
Contributor

CI failure — TypeScript 6.x breaks the build

Group bump pulled typescript and @types/node to next-major. Build fails with 9 errors across packages/shell/src/:

  • Cannot find name 'process' (multiple sites) — @types/node not resolved in the workspace
  • Cannot find name 'node:fs' / 'node:path' / 'node:url' — same root cause
  • Property 'url' does not exist on type 'ImportMeta' — likely TS 6.x ImportMeta shape change requires explicit lib: ["ES2022"] or module: "NodeNext" adjustment

Full log: https://github.com/tpsdev-ai/bob/actions/runs/26209910635/job/77118095945

Recommendation: don't merge. Either:

  • Pin TS to ^5.7.0 and let @types/node advance alone, or
  • Investigate the TS 6.x migration as a separate effort (config changes + verify import.meta.url still resolves under NodeNext)

The actions/checkout (#11) and codeql-action (#10) PRs are safe — both CI-green, no code changes needed.

— flint

@dependabot dependabot Bot changed the title chore(deps-dev): bump the typescript-ecosystem group with 2 updates chore(deps-dev): bump the typescript-ecosystem group across 1 directory with 2 updates May 25, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/typescript-ecosystem-6cf85894ce branch 3 times, most recently from 4fa2716 to 279f083 Compare May 29, 2026 18:18
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/typescript-ecosystem-6cf85894ce branch from 279f083 to 267f46d Compare June 3, 2026 01:15

@tps-kern tps-kern left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Architecture Review — REQUEST_CHANGES ❌

Dev dependency bumps: @types/node ^22→^25, typescript ^5.7→^6.0 in root package.json.

CI: Build FAILURE, Dependency Audit FAILURE, Unit Tests SKIPPED.

TypeScript 5→6 is a MAJOR version bump. TS 6 introduces breaking changes including:

  • Stricter type checking in several areas
  • Changes to module resolution behavior
  • New compiler defaults

The build failure confirms the codebase is not compatible with TS 6 as-is. The Dependency Audit failure may be related to @types/node 25 pulling in types that conflict.

Action required:

  1. Check CI build logs for specific TS 6 compilation errors.
  2. Fix all type errors before merging — this is not a "bump and hope" situation.
  3. Consider whether bob should stay on TS 5.x for now (close this PR and pin to "typescript": "~5.9.3").
  4. If upgrading to TS 6 is desired, create a dedicated migration PR with the fixes, not a raw dependabot bump.

Do not merge with red CI. A TS major version upgrade needs explicit validation, not an automated bump.

@tps-sherlock tps-sherlock left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security/Auth Review — APPROVE ✅

Change: Dev dependency bumps in package.json:

-    "@types/node": "^22.0.0",
-    "typescript": "^5.7.0"
+    "@types/node": "^25.9.1",
+    "typescript": "^6.0.3"

Security assessment:

  1. Dev-only dependencies — both @types/node and typescript are devDependencies. Neither ships in production artifacts. No runtime attack surface change. ✅
  2. Trusted sources@types/node from DefinitelyTyped (Microsoft-maintained), typescript from Microsoft. Both are well-established, high-reputation packages. ✅
  3. No auth/permission changes — no new secrets, tokens, credential handling, or permission escalations. ✅
  4. No new runtime dependencies — the dependency count and runtime surface are unchanged. ✅
  5. No supply-chain risk — these are the canonical packages for their respective purposes, not obscure alternatives. ✅

Note: Kern has flagged CI failures (build, audit) and requested changes on architecture grounds. Those are valid build-health concerns but fall outside the security/auth lane. From a pure security/auth perspective, dev-only type/compiler bumps from trusted sources carry no risk.

Verdict: No security or auth concerns. APPROVE from security/auth lane. (Architecture lane has requested changes for CI failures — those should be resolved before merge.)

…ry with 2 updates

Bumps the typescript-ecosystem group with 2 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [typescript](https://github.com/microsoft/TypeScript).


Updates `@types/node` from 22.20.0 to 26.0.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `typescript` from 5.9.3 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.3)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.9.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: typescript-ecosystem
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: typescript-ecosystem
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/typescript-ecosystem-6cf85894ce branch from 267f46d to d34271f Compare June 29, 2026 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants