chore(deps-dev): Bump the npm group with 2 updates #63
Bumps the npm group with 2 updates: [@vercel/ncc](https://github.com/vercel/ncc) and [prettier](https://github.com/prettier/prettier).

Updates `@vercel/ncc` from 0.38.4 to 0.44.0
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](vercel/ncc@0.38.4...0.44.0)

Updates `prettier` from 3.8.3 to 3.8.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.3...3.8.4)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-version: 0.44.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — routine dev-only dependency bumps (ncc and prettier patches), no runtime impact.
Extended reasoning...
Overview
This PR bumps two dev dependencies via Dependabot: @vercel/ncc from 0.38.4 to 0.44.0 and prettier from 3.8.3 to 3.8.4. Only package.json and pnpm-lock.yaml are touched.
Security risks
None identified. These are dev-only build/formatting tools. One ncc release note even mentions a security fix (predictable global cache directory in /tmp). Maintainer attribution shifts to GitHub Actions / OIDC trusted publishing, which is a positive signal.
Level of scrutiny
Low scrutiny appropriate. The ncc bump crosses several minors and includes a breaking change (drops Node 20, adds Node 24/26 support), but package.json already declares engines.node: >=24, so the breaking change is compatible. The extension-resolution reorder (TS over JSON) and TypeScript 6 transpile support also align with this repo, which uses TypeScript 6.0.3. Prettier is a patch release for a markdown list-rendering fix.
Other factors
The bug hunting system found no issues. check-dist and the test/typecheck/lint suite will catch any practical regressions caused by the ncc upgrade since the action ships a bundled dist directory. No outstanding reviewer comments. Standard dependabot upgrade.
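The review above notes that the ncc update, labelled `semver-minor` in the commit trailer, still carries a breaking change because the package is on a 0.x line. As an added example (not code from this repository or from Dependabot), the sketch below parses the `updated-dependencies` trailer and applies a triage policy; the function names and the policy itself are assumptions.

```javascript
// Constructed sample: the trailer from this PR's commit message.
const TRAILER = `---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-version: 0.44.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm
...`;

// Parses only the flat list-of-maps shape shown above; not a general YAML parser.
function parseUpdatedDependencies(message) {
  const deps = [];
  let inBlock = false;
  for (const raw of message.split("\n")) {
    const line = raw.trim();
    if (line === "updated-dependencies:") { inBlock = true; continue; }
    if (!inBlock) continue;
    if (line === "...") break; // YAML end-of-document marker closes the trailer
    const m = /^(- )?([a-z-]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    if (m[1]) deps.push({}); // "- " starts a new dependency entry
    if (deps.length === 0) continue;
    deps[deps.length - 1][m[2]] = m[3].replace(/^"(.*)"$/, "$1");
  }
  return deps;
}

// Hypothetical policy: flag anything that is not a direct dev dependency, any major
// bump, and any minor bump on a 0.x package (semver allows breaking changes there).
function triage(dep) {
  const reasons = [];
  const level = (dep["update-type"] || "").replace("version-update:semver-", "");
  const major = parseInt((dep["dependency-version"] || "").split(".")[0], 10);
  if (dep["dependency-type"] !== "direct:development") reasons.push("not a direct dev dependency");
  if (level === "major") reasons.push("major bump");
  else if (level === "minor" && major === 0) reasons.push("minor bump on 0.x may be breaking");
  else if (level !== "patch" && level !== "minor") reasons.push("unknown update type");
  return { name: dep["dependency-name"], review: reasons.length > 0, reasons };
}

console.log(parseUpdatedDependencies(TRAILER).map(triage));
```

Under this policy the prettier patch passes without review while the ncc bump is flagged, which matches the extra checks the review applies to ncc (engines.node, TypeScript version).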
| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |
Details
Bumps the npm group with 2 updates: @vercel/ncc and prettier.
Updates `@vercel/ncc` from 0.38.4 to 0.44.0
Release notes
Sourced from @vercel/ncc's releases.
Commits
- 88be21f chore(deps): Bump actions/checkout from 5 to 6 (#1300)
- 5ea625e feat: read permissions pr.yml (#1323)
- a1ff315 feat: remove npm devDependency (#1332)
- 9e077ab feat: add publishConfig to package.json (#1331)
- 7290aa7 feat(ci): upgrade python and remove LLVM LTO flags from MSVC build to fix Nod...
- a428a10 feat: publish using node@24 (#1329)
- 3192116 feat: use canonical package repository metadata (#1328)
- 4461a52 feat: lock semantic-release publish dependencies (#1327)
- e00b2de feat: switch npm releases to trusted publishing (OIDC) (#1325)
- 5f8f509 feat: delete .github/CODEOWNERS (#1324)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for `@vercel/ncc` since your current version.

Updates `prettier` from 3.8.3 to 3.8.4
Release notes
Sourced from prettier's releases.
Changelog
Sourced from prettier's changelog.
Commits
- 1c6ba55 Release 3.8.4
- 4a673dc Fix blank lines between list items and nested sub-lists being removed in Mark...
- 074aaed Replace `main` branch in changelog link with tags (#19054)
- c22a003 Bump Prettier dependency to 3.8.3
- 07bad1f Clean changelog_unreleased

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions