Bump serialize-javascript, copy-webpack-plugin and css-minimizer-webpack-plugin#1118
Conversation
Pull request overview
This PR updates the repo’s webpack build toolchain dependencies to address upstream dependency/security updates by bumping copy-webpack-plugin and css-minimizer-webpack-plugin (and thereby pulling in serialize-javascript@7 transitively).
Changes:
- Bump `copy-webpack-plugin` from `^13.0.1` to `^14.0.0`.
- Bump `css-minimizer-webpack-plugin` from `^7.x` to `^8.0.0`.
- Update `package-lock.json` to reflect new transitive dependencies (including `serialize-javascript@7.0.4`) and updated engine requirements.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates webpack-related dependency versions to the new major releases. |
| package-lock.json | Locks updated dependency tree, including new Node engine constraints and transitive updates (e.g., serialize-javascript@7). |
| "copy-webpack-plugin": "^14.0.0", | ||
| "css-loader": "^7.1.2", | ||
| "css-minimizer-webpack-plugin": "^7.0.2", | ||
| "css-minimizer-webpack-plugin": "^8.0.0", |
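Review bot: this hunk only shows the two range bumps in package.json, while the change that actually matters for the advisory (serialize-javascript resolving to 7.0.4, which carries the CVE-2020-7660 fix listed in the commit log below) lives in package-lock.json, and the overview above notes that file was reviewed as 1 of 2. Before merging, do a clean `npm ci` and run `npm ls serialize-javascript` to confirm that no 6.x copy remains under another ancestor in the lockfile.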
suggestion (blocking): copy-webpack-plugin@14 and css-minimizer-webpack-plugin@8 now declare engines.node >= 20.9.0 (and serialize-javascript@7 requires Node >=20). Since this repo’s root package.json doesn’t declare an engines range, local npm install (e.g. make preflight) can fail in hard-to-diagnose ways on older Node 20.x/18.x. Consider adding an explicit engines.node (at least >=20.9.0) to make the Node requirement clear and consistently enforced.
It would "fail" equally invisibly, with just a npm warn EBADENGINE Unsupported engine somewhere in the middle of the waterfall of logs — no matter if springfield package states the constraint, or serialize-javascript reports its own.
I don't really understand Copilot's take on this — springfield should not and can't be tracking its deps' engines — these are already in the lockfile for each dep if defined correctly — the project package only defines its own compatibility constraints. Any package's engines is as good as the next one, incl. the local package i.e. springfield; the failure would look the same, and notably the field unfortunately can't really enforce anything, as it has no power to manage the runtime environment. Not sure if you can make Copilot elaborate further, but this sounds like something that's nonexistent in its npm world view, or it assumes configs/arguments/tools (like yarn) not used here. Adding details to #1180 (comment) …
confirmed with updated npm versions the reinstatement of

decision on whether to add engines field will be made here: #1180
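As an added example (not code from the springfield repo or from the bumped packages), here is the kind of preflight the EBADENGINE discussion above is about: it reads the `engines.node` ranges out of a package-lock.json and fails hard instead of leaving a warning buried in the install log. `satisfies`, `findEngineViolations`, `preflightStatus` and `SAMPLE_LOCK` are my own names and constructed data.

```javascript
// Added example, not code from the springfield repo or the bumped packages: walk a
// package-lock.json "packages" map, read each entry's engines.node and report every
// range the running Node fails, so a preflight can fail hard instead of scrolling past npm's warning.
// Parse "v20.9.0" / "20" / "20.9" into a [major, minor, patch] triple.
function parseVersion(v) {
  const p = v.replace(/^v/, "").split(".").map((x) => parseInt(x, 10) || 0);
  while (p.length < 3) p.push(0);
  return p.slice(0, 3);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Assumption: a range is "||"-separated alternatives of whitespace-separated comparators
// (>=, >, <=, <, = or a bare version), which covers the ">=20.9.0" and ">=20" ranges this
// PR names. Syntax outside that (e.g. "^20") is treated as unsatisfied, never silently passed.
function satisfies(version, range) {
  const have = parseVersion(version);
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comp) => {
      const m = /^(>=|<=|>|<|=)?(\d[\d.]*)$/.exec(comp);
      if (!m) return false;
      const cmp = compareVersions(have, parseVersion(m[2]));
      return { ">=": cmp >= 0, "<=": cmp <= 0, ">": cmp > 0, "<": cmp < 0 }[m[1]] ?? cmp === 0;
    })
  );
}
// Returns [{name, range}] for every lockfile entry whose engines.node the given Node
// version violates; an empty array means the whole tree is compatible.
function findEngineViolations(lock, nodeVersion) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const range = entry.engines && entry.engines.node;
    if (range && !satisfies(nodeVersion, range)) {
      bad.push({ name: path.replace(/^.*node_modules\//, "") || "(root)", range });
    }
  }
  return bad;
}
// Constructed lockfileVersion-3 fragment carrying the engine ranges discussed in this PR.
const SAMPLE_LOCK = { packages: {
  "node_modules/copy-webpack-plugin": { version: "14.0.0", engines: { node: ">=20.9.0" } },
  "node_modules/css-minimizer-webpack-plugin": { version: "8.0.0", engines: { node: ">=20.9.0" } },
  "node_modules/serialize-javascript": { version: "7.0.4", engines: { node: ">=20" } },
} };
// Exit status for a "make preflight"-style gate: 0 when compatible, 1 when anything is violated.
function preflightStatus(lock, nodeVersion = process.version) {
  return findEngineViolations(lock, nodeVersion).length ? 1 : 0;
}
```

To run it against a real tree, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `SAMPLE_LOCK` and `process.exit` with the returned status; npm's own `engine-strict` config option is the other way to turn the EBADENGINE warning into an install failure.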
@dependabot rebase
…ack-plugin

Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) to 7.0.4 and updates ancestor dependencies [serialize-javascript](https://github.com/yahoo/serialize-javascript), [copy-webpack-plugin](https://github.com/webpack/copy-webpack-plugin) and [css-minimizer-webpack-plugin](https://github.com/webpack/css-minimizer-webpack-plugin). These dependencies need to be updated together.

Updates `serialize-javascript` from 6.0.2 to 7.0.4
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.4)

Updates `copy-webpack-plugin` from 13.0.1 to 14.0.0
- [Release notes](https://github.com/webpack/copy-webpack-plugin/releases)
- [Changelog](https://github.com/webpack/copy-webpack-plugin/blob/main/CHANGELOG.md)
- [Commits](webpack/copy-webpack-plugin@v13.0.1...v14.0.0)

Updates `css-minimizer-webpack-plugin` from 7.0.4 to 8.0.0
- [Release notes](https://github.com/webpack/css-minimizer-webpack-plugin/releases)
- [Changelog](https://github.com/webpack/css-minimizer-webpack-plugin/blob/main/CHANGELOG.md)
- [Commits](webpack/css-minimizer-webpack-plugin@v7.0.4...v8.0.0)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.4
  dependency-type: indirect
- dependency-name: copy-webpack-plugin
  dependency-version: 14.0.0
  dependency-type: direct:production
- dependency-name: css-minimizer-webpack-plugin
  dependency-version: 8.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
5b95e66 to e7becb7
maureenlholland left a comment:
successful integration test run: https://github.com/mozmeao/springfield/actions/runs/23486475501
Bumps serialize-javascript to 7.0.4 and updates ancestor dependencies serialize-javascript, copy-webpack-plugin and css-minimizer-webpack-plugin. These dependencies need to be updated together.
Updates `serialize-javascript` from 6.0.2 to 7.0.4
Release notes
Sourced from serialize-javascript's releases.
... (truncated)
Commits
- eec32e0 release: v7.0.4
- d505715 7.0.3
- 2e609d0 fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207)
- 42b7cdb build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206)
- 44f544b release: v7.0.2 (#205)
- bba0ddd ci: setup trusted publishing workflow (#204)
- 235f6ea ci: bump GitHub Actions to latest versions (#203)
- f7fff15 release: v7.0.1 (#202)
- b4abd4c docs: tweak README (#201)
- 738a8e9 security: sanitize function bodies (#199)
Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serialize-javascript since your current version.
Updates `copy-webpack-plugin` from 13.0.1 to 14.0.0
Release notes
Sourced from copy-webpack-plugin's releases.
Changelog
Sourced from copy-webpack-plugin's changelog.
Commits
- 18eb9d9 chore(release): 14.0.0
- 2881203 refactor!: minimum supported Node.js version is 20.9.0 (#819)
- 9dc3d31 chore(deps-dev): bump ajv from 6.12.6 to 6.14.0 (#815)
- 5cf5a1d chore(deps): update (#814)
- 3dd5b6e chore(deps): bump js-yaml (#813)
- 9ac38bb chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#812)
- 6a16bac Update link to contributing guidelines in README
- a1625f9 chore: migrate from contrib (#810)
- 9f6f204 chore: update github actions/checkout from v4 to v5 (#809)
Updates `css-minimizer-webpack-plugin` from 7.0.4 to 8.0.0
Release notes
Sourced from css-minimizer-webpack-plugin's releases.
Changelog
Sourced from css-minimizer-webpack-plugin's changelog.
Commits
- c3b98ac chore(release): 8.0.0
- 8791cc2 refactor!: minimum supported Node.js version is 20.9.0 (#303)
- c0fad56 chore(deps-dev): bump webpack from 5.101.0 to 5.105.0 (#299)
- ad46311 chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#298)
- 6159f3a docs: fix link (#297)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.