SP-3565: Update dependencies #140
📝 Walkthrough
Updates project to Node 24: package version and engine, build target, action runtime, and workflow uploader.
Changes: Runtime, deps, and test wiring.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 5 passed
🔍 SCANOSS Code Similarity Detected: 1 snippet match found on commit 96ef510 (details in the SCANOSS Action Summary).
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 80: The devDependency "`@types/node`" in package.json is set to "^25.3.5"
which permits TypeScript to accept newer Node APIs not available on the declared
runtime "node>=20"; change the package.json entry for "`@types/node`" to a major
version that matches the runtime floor (e.g., "^20.x" or "20.x") so types
reflect Node 20 APIs, then run package manager install to update lockfile and
rebuild types; target the "`@types/node`" declaration in package.json when making
this edit.
⛔ Files ignored due to path filters (3)
- dist/index.js is excluded by !**/dist/**
- dist/licenses.txt is excluded by !**/dist/**
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
package.json
| "@octokit/types": "^15.0.0", | ||
| "@types/jest": "^29.5.12", | ||
| "@types/node": "^20.11.20", | ||
| "@types/node": "^25.3.5", |
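Review bot: this hunk moves @types/node from the 20.x line straight to ^25.3.5, which is one major above the Node 24 runtime floor this PR declares, so APIs present only in the Node 25 typings would compile but fail at runtime on Node 24; pin the devDependency to a 24.x range instead, and because package-lock.json is excluded from review by the path filter, confirm the resolved @types/node version in the lockfile after reinstalling.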
🧩 Analysis chain
🏁 Script executed:
cat -n package.json | head -100 | tail -80
Repository: scanoss/gha-code-scan
Length of output: 2644
🌐 Web query:
@types/node versioning scheme Node 20 Node 25 compatibility
💡 Result:
The @types/node package follows a versioning scheme where the major and minor versions correspond to the Node.js version they are intended to support [1][2]. For example, @types/node version 20.x.x provides type definitions for Node.js 20, and version 25.x.x provides definitions for Node.js 25 [3][4]. Because these packages are maintained by the community via DefinitelyTyped, they are updated independently of the Node.js release cycle [3][5]. While the major and minor versions are designed to match the target Node.js version, the patch version of @types/node is used to manage updates, bug fixes, and improvements to the type definitions themselves, rather than tracking the specific patch version of the Node.js runtime [3][4]. In practice, you should install the version of @types/node that matches the major and minor version of the Node.js runtime you are using in your project [1][2]. If you are using Node.js 20, you should use @types/node version 20.x.x; if you are using Node.js 25, you should use @types/node version 25.x.x [3][4]. Using a version of @types/node that does not match your Node.js runtime may result in type errors or missing definitions for APIs that were added or removed in specific Node.js releases [1][2].
Citations:
- 1: https://stackoverflow.com/questions/42035263/relationship-between-the-version-of-node-js-and-the-version-of-types-node
- 2: https://stackoverflow.com/questions/42035263/relationship-between-the-version-of-node-js-and-the-version-of-types-node/52404327
- 3: https://www.npmjs.com/package/@types/node?activeTab=versions
- 4: https://registry.npmjs.org/@types/node
- 5: How is @nodes/types versions related to NodeJs version? DefinitelyTyped/DefinitelyTyped#42640
🌐 Web query:
@types/node 20.19.0 npm package version
💡 Result:
The @types/node package version 20.19.0 is a set of TypeScript type definitions corresponding to Node.js version 20.19.0 [1][2]. It was published to the npm registry in June 2025 [1][3]. Key details regarding this package and version include: Purpose: The @types/node package provides TypeScript type definitions for Node.js APIs, allowing developers to use TypeScript with Node.js projects [1][4]. Versioning Strategy: The @types/node package follows a versioning scheme where the major and minor versions align with the corresponding Node.js release [5]. The patch version (e.g., .0 in 20.19.0) is managed by the DefinitelyTyped project and is incremented independently as updates to the type definitions are published [5]. Context: Node.js 20.19.0 was released on March 13, 2025, as an LTS (Long Term Support) version [2]. As of May 18, 2026, Node.js 20 has reached its official end-of-life (EOL), which occurred on April 30, 2026 [6]. Usage: It is typically installed as a development dependency using the command npm install --save-dev @types/node [1][5]. Because the @types/node package is frequently updated to reflect changes in the Node.js ecosystem, newer versions (such as 20.19.41 as of May 2026) are available and generally recommended for projects still utilizing the Node.js 20 runtime [1][5].
Citations:
- 1: https://www.npmjs.com/package/@types/node
- 2: https://nodejs.org/en/blog/release/v20.19.0
- 3: https://deps.dev/npm/%40types%2Fnode/18.16.0/versions
- 4: https://npmx.dev/package/@types/node/v/20.19.39
- 5: https://libraries.io/npm/@types%2Fnode
- 6: https://dev.to/endoflifeai/nodejs-end-of-life-dates-official-eol-schedule-for-every-version-6do
Align @types/node major with declared runtime floor.
@types/node is currently ^25.3.5, but the runtime contract is Node >=20 (line 26). Using @types/node v25 allows newer Node APIs to type-check while failing at runtime on Node 20.
Suggested fix
- "@types/node": "^25.3.5",
+ "@types/node": "^20.19.0",
…Upgraded Node.js to 24. Updated CHANGELOG.md. Added __mocks__/** as test files.
🔍 SCANOSS Code Similarity Detected: 1 snippet match found on commit 7dcbaae (details in the SCANOSS Action Summary).
🔍 SCANOSS Code Similarity Detected: 1 snippet match found on commit 08cb65c (details in the SCANOSS Action Summary).
♻️ Duplicate comments (1)
package.json (1)
80-80: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Align @types/node major with the declared runtime floor.
Line 80 sets @types/node to ^25.3.5 while Line 26 allows Node >=24; this can let Node 25-only APIs pass type-checking while still failing on Node 24 at runtime.
Suggested fix
- "@types/node": "^25.3.5",
+ "@types/node": "^24.0.0",
Script:
```bash
#!/bin/bash
set -euo pipefail
python - <<'PY'
import json, re

with open("package.json", "r", encoding="utf-8") as f:
    p = json.load(f)

engine = p.get("engines", {}).get("node", "")
types = p.get("devDependencies", {}).get("@types/node", "")

def major(v):
    # first run of digits in the range string, e.g. ">=24" -> 24, "^25.3.5" -> 25
    m = re.search(r'(\d+)', v or "")
    return int(m.group(1)) if m else None

engine_major = major(engine)
types_major = major(types)
print(f"engines.node = {engine} (major: {engine_major})")
print(f"@types/node = {types} (major: {types_major})")

if engine_major is not None and types_major is not None and types_major != engine_major:
    print("Mismatch detected: @types/node major differs from runtime floor major.")
else:
    print("No major-version mismatch detected.")
PY
```
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@package.json` at line 80, The devDependency @types/node (currently ^25.3.5) is a higher major than the declared runtime floor in engines.node (>=24), so update package.json to align majors: change devDependencies["@types/node"] to a 24.x range (e.g., ^24.0.0) so type checks target the runtime floor; after editing package.json run npm/yarn install and update any CI or lockfile accordingly to ensure types and runtime major versions match.
⛔ Files ignored due to path filters (2)
- dist/index.js is excluded by !**/dist/**
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (10)
- .github/workflows/check-dist.yml
- .node-version
- CHANGELOG.md
- __mocks__/@actions/core.ts
- __tests__/dep-track-policy-check.test.ts
- action.yml
- esbuild.config.mjs
- eslint.config.mjs
- package.json
- tsconfig.json
✅ Files skipped from review due to trivial changes (7)
- .node-version
- .github/workflows/check-dist.yml
- esbuild.config.mjs
- CHANGELOG.md
- eslint.config.mjs
- tsconfig.json
- __mocks__/@actions/core.ts
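The alignment check in the review comment above takes the first run of digits in each range; the following is an added example (not code from the PR or the scanoss/gha-code-scan project) that instead computes the lowest Node major an engines.node range actually permits and compares it with the @types/node major, so ranges such as ">=20.11 <25", "20.x" or "20 || 22" are read correctly. The package.json it inspects is a constructed sample mirroring the flagged state.

```javascript
// Added example: lowest permitted Node major vs. @types/node major.
// Handles the range forms npm accepts: ">=24", ">=20.11 <25", "^20.0.0", "20.x", "20 || 22".
// A range with no lower bound (e.g. "<25", "*") yields null and the verdict "unknown".
const COMPARATOR = /^(>=|>|\^|~|=)?v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/;

// Lowest major version a semver range allows, or null if it has no lower bound.
function floorMajor(range) {
  let floor = null;
  for (const alt of String(range).split("||")) {
    let altFloor = null;
    for (const part of alt.trim().split(/\s+/)) {
      const m = part.match(COMPARATOR);
      if (!m) continue; // "<25", "*" and similar carry no lower bound
      const major = Number(m[2]);
      const minorGiven = m[3] !== undefined && m[3] !== "x" && m[3] !== "*";
      // node-semver reads ">20" as ">=21.0.0" but ">20.1" as ">=20.2.0"
      const lower = m[1] === ">" && !minorGiven ? major + 1 : major;
      // every comparator inside one alternative must hold, so keep the highest floor
      altFloor = altFloor === null ? lower : Math.max(altFloor, lower);
    }
    // any alternative may hold, so the overall floor is the lowest among them
    if (altFloor !== null) floor = floor === null ? altFloor : Math.min(floor, altFloor);
  }
  return floor;
}

// Compare engines.node against devDependencies["@types/node"] in a package.json string.
function checkTypesNode(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const engineFloor = floorMajor((pkg.engines && pkg.engines.node) || "");
  const typesMajor = floorMajor((pkg.devDependencies && pkg.devDependencies["@types/node"]) || "");
  let verdict = "aligned";
  if (engineFloor === null || typesMajor === null) verdict = "unknown";
  else if (typesMajor > engineFloor) verdict = "types-ahead";  // newer-only APIs type-check but fail on the floor runtime
  else if (typesMajor < engineFloor) verdict = "types-behind"; // typings miss APIs the floor runtime already has
  return { engineFloor, typesMajor, verdict };
}

// Constructed sample reproducing the state flagged in the review: floor Node 24, typings for Node 25.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-action",
  engines: { node: ">=24" },
  devDependencies: { "@types/node": "^25.3.5" },
});

console.log(checkTypesNode(SAMPLE_PACKAGE_JSON)); // { engineFloor: 24, typesMajor: 25, verdict: 'types-ahead' }
```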
🔍 SCANOSS Code Similarity Detected: 1 snippet match found on commit 1e6dafd (details in the SCANOSS Action Summary).
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@CHANGELOG.md`:
- Line 13: Fix the package name typo in the changelog by replacing the string
"eslint-plugin jest" with the correct package name "eslint-plugin-jest" (update
the entry that currently reads "Upgraded eslint-plugin jest to 29.15.2" so it
reads "Upgraded eslint-plugin-jest to 29.15.2").
- Line 10: Add a missing reference definition for the release tag [1.6.3] used
in the changelog: locate the other version reference links at the bottom of the
file (the pattern like [1.6.2]: https://...) and add a new line defining [1.6.3]
with the appropriate release URL or commit/tag link (e.g., [1.6.3]:
<release/compare or tag URL>) so the in-text `[1.6.3]` entry resolves correctly.
📒 Files selected for processing (3)
- .github/workflows/ci.yml
- CHANGELOG.md
- README.md
✅ Files skipped from review due to trivial changes (2)
- .github/workflows/ci.yml
- README.md
|
|
||
| ## [Unreleased] | ||
|
|
||
| ## [1.6.3] - 2026-05-18 |
Add the missing 1.6.3 release reference link.
Line 10 introduces [1.6.3], but there’s no matching reference definition at the bottom of the file, so this entry won’t link like prior versions.
Suggested patch
+[1.6.3]: https://github.com/scanoss/gha-code-scan/compare/v1.6.2...v1.6.3
| ## [1.6.3] - 2026-05-18 | ||
| ### Changed | ||
| - Upgraded Node.js to 24 | ||
| - Upgraded eslint-plugin jest to 29.15.2 |
Fix package name typo in changelog text.
Line 13 says eslint-plugin jest; package name should be eslint-plugin-jest.
Suggested patch
-- Upgraded eslint-plugin jest to 29.15.2
+- Upgraded eslint-plugin-jest to 29.15.2
🧰 Tools
🪛 LanguageTool
[grammar] ~13-~13: Use a hyphen to join words.
Context: ...d Node.js to 24 - Upgraded eslint-plugin jest to 29.15.2 - Upgraded @types/node t...
(QB_NEW_EN_HYPHEN)
|
|
||
| ## [Unreleased] | ||
|
|
||
| ## [1.6.3] - 2026-05-18 |
Please add the reference version at the bottom of the file
| ## [1.6.3] - 2026-05-18 | ||
| ### Changed | ||
| - Upgraded Node.js to 24 | ||
| - Upgraded eslint-plugin jest to 29.15.2 |
Please fix typo. It should be eslint-plugin-jest
| - Added __mocks__/@actions/core.ts to mock @actions/core for tests | ||
| - Updated actions/checkout to v6 in README.md | ||
| ### Fixed | ||
| - Changed 'code-scan-action' to 'gha-code-scan' in README.md |
Could you also add a note to README.md recommending users migrate to scanoss/gha-code-scan? The rename redirect keeps old references working, but we should point users to the canonical name.