Skip to content

build(deps): consolidate open Dependabot updates#683

Merged
0xisk merged 3 commits into
mainfrom
chore/consolidate-dependabot
Jul 16, 2026
Merged

build(deps): consolidate open Dependabot updates#683
0xisk merged 3 commits into
mainfrom
chore/consolidate-dependabot

Conversation

@0xisk

@0xisk 0xisk commented Jul 15, 2026

Copy link
Copy Markdown
Member

Types of changes

Maintenance: dependency updates. None of the categories below strictly apply — this is a grouped Dependabot bump.

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation Update (if none of the other choices apply)

Consolidates the 10 open Dependabot PRs into a single PR so they can be reviewed and merged together, then closes the individual ones. There is no grouping configured in dependabot.yml, and the github-actions ecosystem was sitting at its 5-open-PR cap, so this batches everything by hand.

GitHub Actions

Action From To
actions/checkout v6.0.3 v7.0.0 (major)
step-security/harden-runner v2.19.4 v2.20.0
github/codeql-action/{init,analyze,upload-sarif} v4.36.2 v4.36.3
iarekylew00t/verified-bot-commit v2.3.2 v2.3.3

Supersedes #622, #662, #663, #664, #649.

codeql-action/upload-sarif (in scorecard.yml) had no open Dependabot PR — it shares the same release SHA as init/analyze, and CodeQL requires all sub-actions on one version. Bumped it here so the three stay consistent (otherwise init/analyze at v4.36.3 + upload-sarif at v4.36.2 would break scanning).

npm (dev dependencies)

Package Range before Range after Lockfile resolves
vitest ^4.1.9 ^4.1.10 4.1.10
@vitest/coverage-v8 ^4.1.9 ^4.1.10 4.1.10
turbo ^2.9.18 ^2.10.0 2.10.5
@types/node 25.9.3 26.1.0 26.1.0 (major)
@biomejs/biome ^2.5.0 ^2.5.2 2.5.4

Supersedes #660, #659, #627, #651, #652.

turbo and biome resolve to the newest in-range patch (2.10.5, 2.5.4) rather than the exact versions the individual PRs pinned (2.10.0, 2.5.2) — that is what a fresh yarn install against these ranges produces. The lockfile was regenerated once for a single coherent result rather than cherry-picking conflicting per-PR lockfiles.

Biome reformat

Biome 2.5.4 changed how it.each(...) call chains wrap. biome format reformatted 10 existing test files. Formatting-only, no logic changes. This is a required consequence of the biome bump, isolated so it is easy to skim.

biome migrate also bumped biome.json's $schema URL (2.5.0 → 2.5.4) so editor validation tracks the installed version. No rule/config changes; clears the Run biome migrate notice from biome ci.

PR Checklist

  • I have read the Contributing Guide
  • I have added tests — N/A (no behavior change)
  • I have added documentation — N/A
  • CI Workflows Are Passing

Further comments

Verified locally before pushing:

  • yarn fmt-and-lint:ci (biome 2.5.4) — clean, exit 0.
  • yarn types (tsc under @types/node 26 + full compile of 66 contracts, turbo 2.10.5) — 8/8 tasks, exit 0.
  • Lockfile drift is limited to the bumped packages and their platform/sub-packages; no unrelated transitive churn.

0xisk added 2 commits July 15, 2026 15:39
Consolidated Dependabot bumps for the github-actions ecosystem:

* actions/checkout 6.0.3 -> 7.0.0
* step-security/harden-runner 2.19.4 -> 2.20.0
* github/codeql-action 4.36.2 -> 4.36.3 (init, analyze, upload-sarif)
* iarekylew00t/verified-bot-commit 2.3.2 -> 2.3.3

upload-sarif (scorecard.yml) had no open PR but shares the
codeql-action release SHA; bumped alongside init/analyze so all three
sub-actions stay on one version.

Supersedes #622, #649, #662, #663, #664.
Consolidated Dependabot bumps for the npm ecosystem, regenerated as a
single coherent lockfile rather than cherry-picking conflicting
per-PR lockfiles:

* vitest ^4.1.9 -> ^4.1.10
* @vitest/coverage-v8 ^4.1.9 -> ^4.1.10
* turbo ^2.9.18 -> ^2.10.0 (lockfile 2.10.5)
* @types/node 25.9.3 -> 26.1.0
* @biomejs/biome ^2.5.0 -> ^2.5.2 (lockfile 2.5.4)

turbo and biome resolve to the newest in-range patch, which is what a
fresh install produces. Biome 2.5.4 changed how it.each() call chains
wrap, so `biome format` reformatted 10 test files (formatting only,
no logic changes).

Supersedes #627, #651, #652, #659, #660.
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

Updated pinned GitHub Actions and development dependencies, and reformatted parameterized access, multisig, fungible-token, multi-token, and shielded-token tests without changing workflow logic or test behavior.

Changes

Maintenance updates

Layer / File(s) Summary
Workflow action pin updates
.github/workflows/*
Pinned hardening, checkout, CodeQL, SARIF, and verified-commit actions to newer revisions while preserving workflow structure and inputs.
Development tooling versions
package.json, contracts/package.json
Updated Biome, Node typings, Turbo, Vitest, and Vitest coverage development dependencies.
Access and multisig test formatting
contracts/src/access/test/*, contracts/src/multisig/test/Signer.test.ts
Reformatted parameterized tests while retaining existing calls, assertions, and expected errors.
Token test formatting
contracts/src/token/test/*
Reformatted parameterized transfer, mint, and initialization tests without changing scenarios or outcomes.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: andrew-fleming, pepebndc

Poem

I nibbled the workflow pins with care,
And tidied test loops everywhere.
Vitest hops to a newer spring,
While old assertions keep their ring.
No logic changed beneath the moon—
Just cleaner paths to hop through soon.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the PR as consolidating multiple Dependabot dependency updates into one maintenance change.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/consolidate-dependabot

Comment @coderabbitai help to get the list of available commands.

`biome migrate` after the @biomejs/biome bump updates only the $schema
URL (2.5.0 -> 2.5.4) so editor validation tracks the installed
version. No rule/config changes. Clears the "Run biome migrate" notice
from `biome ci`.
@0xisk
0xisk requested a review from andrew-fleming July 15, 2026 13:54
@0xisk 0xisk self-assigned this Jul 15, 2026
@0xisk
0xisk merged commit aeffce5 into main Jul 16, 2026
8 checks passed
@0xisk
0xisk deleted the chore/consolidate-dependabot branch July 16, 2026 13:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants