build(deps-dev): bump the testing group across 1 directory with 3 updates#384
Merged
Merged
Conversation
dependabot
Bot
added
the
dependencies
Collaborator
|
@dependabot rebase |
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/testing-3926fea3e4
branch
from
73e23a5 to
dfae92e
Compare
Collaborator
|
@dependabot recreate |
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/testing-3926fea3e4
branch
from
dfae92e to
02ed29a
Compare
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/testing-3926fea3e4
branch
from
02ed29a to
e02dfca
Compare
…ates Bumps the testing group with 3 updates in the / directory: [@playwright/test](https://github.com/microsoft/playwright), [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Updates `@playwright/test` from 1.59.1 to 1.60.0 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.59.1...v1.60.0) Updates `@vitest/coverage-v8` from 4.1.4 to 4.1.6 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/coverage-v8) Updates `vitest` from 4.1.4 to 4.1.6 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/vitest) --- updated-dependencies: - dependency-name: "@playwright/test" dependency-version: 1.60.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: testing - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.6 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: testing - dependency-name: vitest dependency-version: 4.1.6 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: testing ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/testing-3926fea3e4
branch
from
e02dfca to
216ea24
Compare
julianken-bot
previously approved these changes
May 18, 2026
Collaborator
julianken-bot
left a comment
julianken-bot
left a comment
There was a problem hiding this comment.
Verdict: APPROVE
Verification ledger
gh pr view 384— HEADd1ad157ondependabot/npm_and_yarn/testing-3926fea3e4, basefe7d830, mergeable, not draft.gh pr diff 384— 2 files:package.json(3 minor version bumps, dev-only),pnpm-lock.yaml(regenerated graph).git log fe7d830..d1ad157— 2 commits: Dependabot bump216ea24, then Julian's lockfile fixd1ad157.git show d1ad157— fix touches 3 lines ofpnpm-lock.yamlonly; replaces sha256-hexpatch_hash(Dependabot's pnpm 10+ output,96ac089b...64chars) with base32 short hashnxvyby6r4isjnouuw656h2bwdimatchingmainand pnpm 9's hash format.git diff fe7d830..d1ad157 -- patches/— empty (patch file content unchanged, only the lockfile reference to it).git show fe7d830:pnpm-lock.yaml | grep patch_hash— confirmsmainalready uses base32nxvyby6r4isjnouuw656h2bwdi(same value on disk now), so the fix restores byte-for-byte the same hash format CI expects.pnpm --version→9.15.9locally;Dockerfileline 2 pinscorepack prepare pnpm@9 --activate— runtime and lockfile format match.gh pr view 384 --json statusCheckRollup— all 12 required checks SUCCESS (ESLint, TypeScript, Vitest, Next.js Build, Analyze Bundle, CodeQL, E2E Shards 1/4–4/4); CodeQL Analysis SUCCESS; Mergify queue NEUTRAL (expected, not yet queued).
Findings ToC
- SUGGESTION: pin
packageManagerinpackage.jsonto prevent recurring Dependabot lockfile-format drift (followup, out of scope for this PR)
What's specifically right
- The fix was scoped surgically: 3 lines of lockfile, no spec change, no package.json touch, no pnpm version change. That's the minimum diff that resolves the CI failure.
- The chosen resolution path (local pnpm 9 regeneration) is the correct one —
@dependabot recreateproduced the wrong format because Dependabot's environment uses pnpm 10, and there is no way to override that from within a PR. Recognizing this and bypassing the recreate loop saved an iteration. - The patch file
patches/next-view-transitions.patchitself was not modified — confirms the underlying patched dependency content is unchanged; only the hash representation differs between pnpm versions, not the patch content.
Bottom line
Single-commit fix on top of a clean Dependabot devDependency bump (3 testing packages, all minor). CI fully green on the post-fix HEAD. Safe to queue.
— @julianken-bot (opus, fresh context)
| @@ -49,7 +49,7 @@ | |||
| "devDependencies": { | |||
| "@ai-sdk/openai": "^1", | |||
Collaborator
There was a problem hiding this comment.
SUGGESTION — followup, not blocking this PR.
This same CI failure will recur on every Dependabot dev-deps PR as long as Dependabot's bot environment uses a different pnpm major than main's lockfile. Each future Dependabot PR will regenerate patch_hash here in pnpm 10's sha256-hex format and break --frozen-lockfile.
Structural fix (separate followup PR): add a packageManager: "pnpm@9.15.9" field to package.json. Once that's present, corepack will force Dependabot's own CI to use pnpm 9 when it runs pnpm install on the bumped branch, so the regenerated hash will already be in the base32 format matching main and the Dockerfile — no Julian-side manual regeneration needed.
R9 note: this is plan-controlled (a repo-level Dependabot/toolchain decision), not implementer-controlled for this PR. Filing here as a SUGGESTION because the friction is recurring and the fix is mechanical (one line + a Dependabot config update).
Collaborator
|
@Mergifyio queue |
Contributor
Merge Queue Status🛑 Queue command has been cancelled |
# Conflicts: # pnpm-lock.yaml
julianken-bot
previously approved these changes
May 18, 2026
Collaborator
julianken-bot
left a comment
julianken-bot
left a comment
There was a problem hiding this comment.
Verdict: APPROVE (re-review after rebase + lockfile regen)
Verification ledger
gh pr view 384— HEAD36dbff2ondependabot/npm_and_yarn/testing-3926fea3e4, base65febfb, mergeable, not draft. Prior bot APPROVE ond1ad157was dismissed when the merge commit landed (branch-protection behavior, expected).git log fe7d830..36dbff2— branch history:216ea24Dependabot bump →d1ad157Julian lockfile fix (pnpm 9 base32 hash) →36dbff2merge oforigin/main(carrying #372 graphql + #222 jsdom). Merge author Julian via noreply email; conflict inpnpm-lock.yamlonly, as stated.git diff origin/main..36dbff2 --stat— 2 files:package.json(+3/-3) andpnpm-lock.yaml(+131/-129). Diff vs current main matches the dispatcher's claim exactly: testing-group package.json bumps + reconciled lockfile.git diff origin/main..36dbff2 -- package.json— exactly 3 specifier bumps:@playwright/test^1.59.1→^1.60.0,@vitest/coverage-v8^4.1.4→^4.1.6,vitest^4.1.4→^4.1.6. No additions or removals.- Lockfile transitives audit —
playwright/playwright-core1.59→1.60 (direct), plus vitest 4.1.6's closure:magicast0.5.2→0.5.3,tinyexec1.0.2→1.1.2,es-module-lexer2.0.0→2.1.0,semver7.7.4→7.8.0,@babel/parser@7.29.3added,@types/estree@1.0.9added,picomatch@4.0.3removed (4.0.4 retained),tinyglobby@0.2.15removed (0.2.16 retained). All consistent with the testing-group bumps; no unrelated package movement, no resurrection ofgraphql@16.13.2orjsdom@29.0.2(proves clean merge with the freshly-landed #372 / #222). git diff origin/main..36dbff2 -- patches/— empty.patches/next-view-transitions.patchuntouched.patch_hashcheck —git show origin/main:pnpm-lock.yaml | grep patch_hashandgit show 36dbff2:pnpm-lock.yaml | grep patch_hashboth showpatch_hash=nxvyby6r4isjnouuw656h2bwdi(pnpm 9 base32 format). The CI hash-format regression that motivated the rebase is resolved.pnpm --versionlocally →9.15.9; Dockerfile pinscorepack prepare pnpm@9 --activate. Runtime and lockfile format agree.gh pr checks 384— all 12 required checks SUCCESS on36dbff2: ESLint, TypeScript, Vitest, Next.js Build, Analyze Bundle, CodeQL, CodeQL Analysis, E2E Shards 1/4–4/4. Mergify queue NEUTRAL (expected; not yet queued).gh api .../collaborators/julianken-bot/permission→write(APPROVE event valid).
Findings ToC
- SUGGESTION: pin
packageManager: "pnpm@9.15.9"inpackage.json— would prevent the pnpm 9 vs 10 lockfile-format drift that caused this whole rebase round. Follow-up, out of scope here.
What's specifically right
- The merge commit is a true rebase-via-merge: only conflict was
pnpm-lock.yaml, and the regenerated lockfile reconciles cleanly with both the upstream graphql/jsdom bumps and the local testing-group bump. No "let's also touch unrelated config while we're here" drift. - The patch_hash format (
nxvyby6r4isjnouuw656h2bwdi, base32) is byte-identical tomain. This is the load-bearing detail — it's why CI flipped from red on Dependabot's sha256-hex regenerate to green here. - Diff vs current main is exactly the two files the dispatch claimed. The merge commit's mechanical 4-file diff (which includes workflow files brought in from main) reconciles to a 2-file delta against main. Verified independently from the diff command, not trusted from narrative.
Bottom line
Same content as the prior APPROVE (d1ad157), now rebased atop a moved main with the lockfile re-reconciled. CI fully green on the post-rebase HEAD. Safe to queue.
— @julianken-bot (opus, fresh context)
Collaborator
|
@Mergifyio queue |
Contributor
Merge Queue Status
Required conditions to enter a queue
|
# Conflicts: # pnpm-lock.yaml
julianken-bot
approved these changes
May 18, 2026
Collaborator
julianken-bot
left a comment
julianken-bot
left a comment
There was a problem hiding this comment.
Verdict: APPROVE — second rebase reconciles cleanly; diff vs main is still just the testing-group bump and a regenerated lockfile, and all checks I ran locally pass.
What I verified (this turn)
git diff origin/main..pr-384 -- package.json→ only the three intended specifier bumps (@playwright/test1.59.1→1.60.0,@vitest/coverage-v8andvitest4.1.4→4.1.6); no other devDependency orpnpm.patchedDependencieslines touched.git diff origin/main..pr-384 --stat→ 2 files (package.json,pnpm-lock.yaml); 17 lockfile entries added, 17 removed (clean swap, no orphans). All added entries are within the testing-group transitive closure (@playwright/*,playwright-core,@vitest/*cluster,magicast@0.5.3,@babel/parser@7.29.3,es-module-lexer@2.1.0,semver@7.8.0,tinyexec@1.1.2) — verifiedmagicast@0.5.3pulls@babel/parser@7.29.3per its lockfile dependencies block.git log 5cf65e9e ^36dbff2092→ the new merge commit is solely theorigin/mainintegration (brings in#129payload +#131tailwind from the now-merged ahead-of-#384 work); authored byJulian <14049295+julianken@users.noreply.github.com>as expected.pnpm install --frozen-lockfile --prefer-offline(in a /tmp worktree at head5cf65e9e) → resolves cleanly with@playwright/test 1.60.0,@vitest/coverage-v8 4.1.6,vitest 4.1.6(Done in 6.7s); patch hashnxvyby6r4isjnouuw656h2bwdifornext-view-transitionsunchanged, so #383's pnpm patch is still applied.pnpm exec vitest run→Test Files 37 passed (37) / Tests 584 passed (584) / Duration 6.54son vitest 4.1.6.pnpm exec tsc --noEmit→ 0 errors.pnpm exec eslint .→ 0 errors, 18 pre-existing warnings unrelated to this PR.gh api repos/julianken/detached-node/collaborators/julianken-bot/permission→write(APPROVE event will land).
Findings (0 — see inline comments below for detail)
None. Mandatory second-pass read surfaced no real issues. The merge commit is a pure conflict-resolution-by-regeneration of the lockfile; the package.json delta vs main is exactly the three Dependabot-intended specifier bumps; the @babel/parser / magicast / es-module-lexer transitive shuffle is internally consistent with the vitest cluster moving 4.1.4→4.1.6; the pnpm.patchedDependencies config and patch hash are preserved.
Bottom line: ready to merge. Note that #369 (next-react group) and #314 (ai-sdk group) remain open — whichever of those merges next will displace this PR's lockfile state again, so prefer to queue this PR sooner rather than later.
Reviewer: @julianken-bot (opus) — fresh-context subagent dispatched via the reviewing-as-julianken-bot skill. Verdict above is binding regardless of GitHub's review label.
Collaborator
|
@Mergifyio queue |
Contributor
☑️ Command
|
Contributor
Merge Queue Status
This pull request spent 1 minute 27 seconds in the queue, including 9 seconds running CI. Required conditions to merge
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the testing group with 3 updates in the / directory: @playwright/test, @vitest/coverage-v8 and vitest.
Updates
@playwright/testfrom 1.59.1 to 1.60.0Release notes
Sourced from @playwright/test's releases.
... (truncated)
Commits
87bb9ddcherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix9a9c51ccherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...4b3b628cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...f869f96chore: bump version to v1.60.0 (#40714)7eb6918cherry-pick(#40710): docs: release notes v1.60118d2aacherry-pick(#40693): chore(python): formdata path type54012f5chore(deps): bump ip-address and express-rate-limit (#40680)9fa531dfix(screencast): unblock frame ack when an async client disconnects (#40674)3649db5chore(mcp): bump default extension protocol to v2 (#40678)bb6c009chore(extension): mark 0.2.1 (#40679)Updates
@vitest/coverage-v8from 4.1.4 to 4.1.6Release notes
Sourced from @vitest/coverage-v8's releases.
Commits
a8fd24cchore: release v4.1.6e399846chore: release v4.1.5Updates
vitestfrom 4.1.4 to 4.1.6Release notes
Sourced from vitest's releases.
Commits
a8fd24cchore: release v4.1.618af98cfix(browser): simplify orchestrator otel carrier (#10285)3188260feat(browser): provide project reference inToMatchScreenshotResolvePath(#...e399846chore: release v4.1.57dc6d54Revert "fix: respect diff config options in soft assertions (#8696)"9787dedfix: respect diff config options in soft assertions (#8696)325463afix(ast-collect): recognize _vi_import prefix in static test discovery (#10...0e0ff41feat(coverage): istanbul to supportinstrumenteroption (#10119)663b99ffix: aliasagentreporter tominimal(#10157)122c25bfix: fixvi.defineHelpercalled as object method (#10163)