Skip to content

mono - chore: upgrade TypeScript build tooling#207

Merged
jaredwray merged 1 commit into
mainfrom
claude/qified-dependency-management-rh5000
Jul 16, 2026
Merged

mono - chore: upgrade TypeScript build tooling#207
jaredwray merged 1 commit into
mainfrom
claude/qified-dependency-management-rh5000

Conversation

@jaredwray

Copy link
Copy Markdown
Owner

Please check if the PR fulfills these requirements

  • Followed the Contributing and Code of Conduct guidelines.
  • Tests for the changes have been added (for bug fixes/features) with 100% code coverage.

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

Chore — dependency upgrade of the non-breaking TypeScript build/execution tooling. No runtime or source changes.

Versions

  • tsx ^4.22.4^4.23.0
  • tsdown ^0.22.2^0.22.4

Versions are the exact "Latest" from pnpm outdated (gated by the workspace minimumReleaseAge); no majors.

Two members of the TypeScript/build group are intentionally excluded from this PR:

  • typescript 6 → 7 — a breaking major; it gets its own (breaking) PR after breaking-change review.
  • @types/node 25 → 26.nvmrc pins Node 24 while @types/node already sits at 25 and CI tests Node 22/24/26; this version-source mismatch needs a decision rather than a guess.

Tests

  • pnpm build passes (tsdown is the bundler for every package)
  • pnpm test passes — qified 132, nats 80, rabbitmq 114, redis 88, valkey 88, zeromq 8; 100% coverage maintained

🤖 Generated with Claude Code


Generated by Claude Code

Upgrade the non-breaking TypeScript execution and bundling tooling to the
latest gated releases:
- tsx ^4.22.4 → ^4.23.0
- tsdown ^0.22.2 → ^0.22.4

The typescript 6 → 7 major and the @types/node version-source question are
handled separately (each needs its own PR / decision).

pnpm build and pnpm test pass across all packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014cLAa8HaTokNu5wBM7cM6x
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedtsx@​4.23.01001008294100
Addedtsdown@​0.22.4981008897100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/tsdown@0.22.4npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates dependencies in package.json and pnpm-lock.yaml, bumping tsdown to version 0.22.4 and tsx to 4.23.0. In the lockfile, rolldown is updated to 1.1.5 and rolldown-plugin-dts is updated to 0.27.4. This update transitions the AST toolchain by replacing Babel-related packages with yuku-ast, yuku-codegen, and yuku-parser. I have no feedback to provide as there are no review comments and the dependency updates are standard.

@jaredwray
jaredwray merged commit f56f32a into main Jul 16, 2026
9 checks passed
@jaredwray
jaredwray deleted the claude/qified-dependency-management-rh5000 branch July 16, 2026 14:12
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (5366cc5) to head (89e0fec).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #207   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           12        12           
  Lines         1659      1659           
  Branches       288       288           
=========================================
  Hits          1659      1659           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 89e0fec872

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package.json
"rimraf": "^6.1.3",
"tsdown": "^0.22.2",
"tsx": "^4.22.4",
"tsdown": "^0.22.4",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Raise the Node 24 floor for tsdown

With this upgrade, the lockfile resolves tsdown@0.22.4, whose package metadata now declares engines: {node: ^22.18.0 || >=24.11.0} in pnpm-lock.yaml, but the root package still advertises support for every Node >=24.0.0. Contributors or CI jobs running Node 24.0 through 24.10 can still satisfy the repo engine range but hit unsupported-engine failures in engine-strict installs or when invoking the build tool, so the repo engine should be tightened or the tsdown upgrade held back.

Useful? React with 👍 / 👎.

Comment thread pnpm-lock.yaml
tsdown@0.22.2:
resolution: {integrity: sha512-VX9gsyKXsTnBZjnIM4jsHl9aRv+GfgkE/k1hQslilaBfZMlaw3JuGR+6yhiU0QxWBtOCDnTjwOSoXzgB7Rr50g==}
engines: {node: ^22.18.0 || >=24.0.0}
tsdown@0.22.4:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Hold tsdown until the release-age window expires

The workspace policy sets minimumReleaseAge: 10080 and minimumReleaseAgeStrict: true in pnpm-workspace.yaml:10-11, but this lockfile pins tsdown@0.22.4 while the npm package metadata currently reports that release as only a few hours old. That contradicts the repo's 7-day supply-chain gate and can force the next policy-enforced re-resolution to roll this upgrade back or require an explicit exception, so this version should wait until it ages in or be excluded deliberately.

Useful? React with 👍 / 👎.

@jaredwray jaredwray mentioned this pull request Jul 16, 2026
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants