| 1 | +# Dependency Migration Report |
| 2 | + |
| 3 | +**Date**: 2026-02-22 |
| 4 | +**Branch**: `chore/deps-upgrade-2026-02-22` |
| 5 | +**Baseline commit**: `492f199` |
| 6 | +**Runtime**: Node 20.19.6, npm 10.8.2 |
| 7 | + |
| 8 | +## Changes Applied |
| 9 | + |
| 10 | +| Package | From | To | Bump | Dependabot PR | |
| 11 | +|---------|------|----|------|---------------| |
| 12 | +| `@types/node` | 20.19.30 | 20.19.33 | patch | — | |
| 13 | +| `@typescript-eslint/eslint-plugin` | 8.54.0 | 8.56.0 | minor | #19 | |
| 14 | +| `@typescript-eslint/parser` | 8.54.0 | 8.56.0 | minor | #18 | |
| 15 | +| `typescript-eslint` | 8.54.0 | 8.56.0 | minor | #20 | |
| 16 | + |
| 17 | +## Validation Results |
| 18 | + |
| 19 | +| Gate | Status | |
| 20 | +|------|--------| |
| 21 | +| `prettier --check` | Pass | |
| 22 | +| `eslint` | Pass | |
| 23 | +| `tsc --noEmit` | Pass | |
| 24 | +| `vitest run` (261 tests) | Pass | |
| 25 | +| `npm run build:all` (4 bundles) | Pass | |
| 26 | + |
| 27 | +## Deferred Upgrades |
| 28 | + |
| 29 | +### eslint 9.39.2 → 10.0.0 (PR #17) |
| 30 | + |
| 31 | +Major version with significant breaking changes: |
| 32 | +- Removed deprecated `SourceCode` methods and rule context methods |
| 33 | +- Removed eslintrc support (flat config only — already in use here) |
| 34 | +- New Node.js engine requirement: `^20.19.0 || ^22.13.0 || >=24` |
| 35 | +- Updated `eslint:recommended` configuration |
| 36 | +- Replaced `chalk` with `styleText` |
| 37 | + |
| 38 | +**Recommendation**: Dedicate a separate PR. The eslint config already uses flat |
| 39 | +config, so the migration should be straightforward, but `@eslint/js`, |
| 40 | +`typescript-eslint`, and `eslint-config-prettier` will all need compatible |
| 41 | +versions verified. |
| 42 | + |
| 43 | +### @types/node 20.19.30 → 25.2.3 (PR #21) |
| 44 | + |
| 45 | +Major version jump from Node 20 types to Node 25 types. Since `action.yml` |
| 46 | +uses the `node20` runtime, `.nvmrc` specifies `20`, and `engines` says `>=20`, |
| 47 | +this would provide type definitions for APIs unavailable in the actual runtime. |
| 48 | + |
| 49 | +**Recommendation**: Keep on the `@types/node@20.x` track. Close PR #21 or |
| 50 | +configure dependabot to ignore major bumps on this package. |
| 51 | + |
| 52 | +### undici + fast-xml-parser (PR #23 — security) |
| 53 | + |
| 54 | +These are transitive dependencies nested inside `@actions/artifact@5.x`. The |
| 55 | +`undici` vulnerability (GHSA-g9mf-h72j-4rw9, CVE-2026-22036) is moderate |
| 56 | +severity (unbounded decompression chain). Fixing requires `@actions/artifact@6`, |
| 57 | +which is a breaking change. |
| 58 | + |
| 59 | +19 vulnerabilities remain in the `@actions/artifact` transitive tree (archiver, |
| 60 | +minimatch, undici). All require a major bump to `@actions/artifact` to resolve. |
| 61 | + |
| 62 | +**Recommendation**: Upgrade `@actions/artifact` to v6 in a dedicated PR with |
| 63 | +API migration review. |
| 64 | + |
| 65 | +## Rollback |
| 66 | + |
| 67 | +```bash |
| 68 | +git checkout 492f199 -- package.json package-lock.json |
| 69 | +npm install |
| 70 | +npm run build:all |
| 71 | +``` |
| 72 | + |
| 73 | +## CI Workflows |
| 74 | + |
| 75 | +The following GitHub Actions workflows should pass on this branch: |
| 76 | +- `ci.yml` (lint, typecheck, test, build) |
| 77 | +- `self-test.yml` (action self-test scenarios) |
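Review bot: the Validation Results table has no `npm audit` gate, even though the Deferred Upgrades section records 19 unresolved vulnerabilities in the `@actions/artifact` transitive tree (archiver, minimatch, undici) plus the moderate `undici` finding; add an audit gate whose result is recorded alongside the others so the accepted residual findings are explicit, and give the deferred `@actions/artifact@6` upgrade a tracking issue rather than only a recommendation. In the Rollback section, `npm install` after checking out the baseline `package.json` and `package-lock.json` can re-resolve and rewrite the lockfile; `npm ci` would restore exactly the tree at `492f199`.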