
chore(deps): refresh supported JavaScript dependency updates#1395

Merged
justin808 merged 12 commits into main from jg-codex/js-refresh
Apr 2, 2026

Conversation

@justin808

justin808 and others added 12 commits April 1, 2026 15:33
Bumps [pbkdf2](https://github.com/browserify/pbkdf2) from 3.1.2 to 3.1.5.
- [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md)
- [Commits](browserify/pbkdf2@v3.1.2...v3.1.5)

---
updated-dependencies:
- dependency-name: pbkdf2
  dependency-version: 3.1.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [qs](https://github.com/ljharb/qs) from 6.11.2 to 6.14.2.
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.11.2...v6.14.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [svgo](https://github.com/svg/svgo) from 3.0.2 to 3.3.3.
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v3.0.2...v3.3.3)

---
updated-dependencies:
- dependency-name: svgo
  dependency-version: 3.3.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.25 to 8.5.6.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.25...8.5.6)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [nanoid](https://github.com/ai/nanoid) from 3.3.6 to 3.3.11.
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.3.6...3.3.11)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-version: 3.3.11
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.1...v6.0.2)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 6.0.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.8 to 3.1.5.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.0.8...v3.1.5)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.1 to 1.3.3.
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.3)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-version: 1.3.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
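Every bump above is tagged `dependency-type: indirect`, so the only place the new version is pinned is the lockfiles this PR regenerates (yarn.lock, react-builds/yarn.lock, test/dummy/yarn.lock). The block below is an added example, not code from the project or from this PR: a small parser for the yarn.lock v1 format plus a check that each bumped package resolves to the claimed version in every range entry, is fetched from the expected registry, and carries a sha512 integrity hash. The lockfile text, the placeholder hashes and the expected-version table are constructed for the example; the registry URL is an assumption.

```javascript
// Added example: verify that a yarn.lock (v1 format) really pins each bumped
// package to the version the Dependabot commit claims. Not project code.
// The lockfile text and expected-version table are constructed for this example.

const EXPECTED_REGISTRY = 'https://registry.yarnpkg.com/'; // assumption

// Parse a yarn.lock v1 into [{ name, specifiers, version, resolved, integrity }].
// Entry headers sit at column 0 and end with ':'; fields are indented two spaces.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specifiers = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      // The package name is everything before the last '@', which keeps the
      // leading '@' of scoped packages such as @babel/code-frame.
      const name = specifiers[0].slice(0, specifiers[0].lastIndexOf('@'));
      current = { name, specifiers, version: null, resolved: null, integrity: null };
      entries.push(current);
      continue;
    }
    const m = current && /^ {2}(version|resolved|integrity) (.*)$/.exec(line);
    if (m) current[m[1]] = m[2].replace(/^"|"$/g, '');
  }
  return entries;
}

// For each expected package, check every lockfile entry that resolves it.
// Returns a list of human-readable findings; an empty list means the lockfile agrees.
function checkBumps(lockText, expected, registry = EXPECTED_REGISTRY) {
  const entries = parseYarnLock(lockText);
  const findings = [];
  for (const [name, version] of Object.entries(expected)) {
    const matches = entries.filter((e) => e.name === name);
    if (matches.length === 0) {
      findings.push(`${name}: no lockfile entry found`);
      continue;
    }
    for (const e of matches) {
      const label = `${name} (${e.specifiers.join(', ')})`;
      if (e.version !== version) {
        // A second range key still resolving the old version is the classic
        // way a "bump" leaves the old copy in node_modules.
        findings.push(`${label}: resolves to ${e.version}, expected ${version}`);
      }
      if (!e.resolved || !e.resolved.startsWith(registry)) {
        findings.push(`${label}: resolved outside ${registry}: ${e.resolved}`);
      }
      if (!e.integrity || !e.integrity.startsWith('sha512-')) {
        findings.push(`${label}: missing or weak integrity (${e.integrity})`);
      }
    }
  }
  return findings;
}

// Constructed lockfile: pbkdf2 has a stale second entry, minimatch carries a
// sha1 integrity, js-yaml is absent. Hashes are placeholders, not real digests.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


pbkdf2@^3.0.3:
  version "3.1.5"
  resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.1.5.tgz#placeholder"
  integrity sha512-PLACEHOLDERAAAA==

pbkdf2@^3.1.2:
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.1.2.tgz#placeholder"
  integrity sha512-PLACEHOLDERBBBB==

qs@^6.11.0, qs@^6.11.2:
  version "6.14.2"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.2.tgz#placeholder"
  integrity sha512-PLACEHOLDERCCCC==
  dependencies:
    side-channel "^1.1.0"

minimatch@^3.0.4:
  version "3.1.5"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.5.tgz#placeholder"
  integrity sha1-PLACEHOLDERDDDD=
`;

// Versions taken from the Dependabot commits above; js-yaml is included to show
// the "not in this lockfile" case.
const EXPECTED_BUMPS = { pbkdf2: '3.1.5', qs: '6.14.2', minimatch: '3.1.5', 'js-yaml': '4.1.1' };

for (const f of checkBumps(SAMPLE_LOCK, EXPECTED_BUMPS)) console.log(f);
```

Run against all three lockfiles in the PR with the table built from the commit messages; a non-empty result for any of them means the branch does not carry the version it says it does, regardless of what the regenerated artifacts look like.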
@claude

claude bot commented Apr 2, 2026

Code Review: chore(deps): refresh supported JavaScript dependency updates

Summary

This PR consolidates ~13 pending Dependabot JS updates into a single branch and regenerates the checked-in build artifacts. The approach is sound, but there is a blocking CI failure that needs to be addressed before merging.


Blocking Issue: check_react_and_ujs CI failure

The check_react_and_ujs (2.7) check is failing, and because test and test_connection_pool_v3 both depend on it, all downstream tests were skipped.

The job runs:

  1. bundle exec rake react:update
  2. bundle exec rake ujs:update
  3. ./check_for_uncommitted_files.sh

The failure means the checked-in artifacts (lib/assets/react-source/, lib/assets/javascripts/react_ujs.js, react_ujs/dist/react_ujs.js) do not match what those rake tasks produce in CI. The PR description lists regenerating these artifacts as a goal, so this must be resolved before landing.

Likely cause: artifacts were built locally with a slightly different Node.js version, yarn cache state, or webpack configuration than the CI runner. Re-running the rake tasks in a clean environment (Node 20.19.0 as documented) and re-committing the outputs should fix this.


Code Quality and Best Practices

  • Consolidation approach is correct — batching Dependabot updates into one refresh branch avoids a cascade of artifact-regeneration PRs.
  • Lockfile hygiene looks fine. All three lockfiles (yarn.lock, react-builds/yarn.lock, test/dummy/yarn.lock) are updated together as expected.
  • react_ujs/dist/react_ujs.js and lib/assets/javascripts/react_ujs.js are identical after this PR, consistent with the ujs:copy rake task.

Potential Bugs / Issues

  • webpack module IDs changed in the UJS bundle (e.g. __WEBPACK_EXTERNAL_MODULE__787__ to __WEBPACK_EXTERNAL_MODULE__442__). This is expected when webpack 5 reassigns chunk IDs after a dependency graph change, but worth confirming no source logic changed unintentionally.
  • Minified production React files (lib/assets/react-source/production/react.js, react-server.js) show +1/-1 each — impossible to review manually. The CI artifact-equivalence check is the only real validation, and it is currently red.

Security

The eval() calls in lib/assets/react-source/development/react-server.js are webpack's devtool: 'eval' source-map strategy. They pre-date this PR, are scoped to the development bundle only, and are not shipped in the production asset. No new security surface is introduced.

Updated packages are transitive build/tooling dependencies (webpack 5.105.4, terser-webpack-plugin, etc.) — not runtime dependencies exposed to end users via the gem.


Test Coverage

No new tests are needed for pure lockfile/artifact updates. The existing check_react_and_ujs + full test matrix is the correct validation. Once CI is green, this will be adequately validated.


Action Required

  1. Fix the check_react_and_ujs failure by regenerating artifacts in a clean environment matching CI (Node 20.19.0), then re-push.
  2. Confirm test and test_connection_pool_v3 pass after the fix.
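The review above flags that webpack module IDs changed in the UJS bundle (`__WEBPACK_EXTERNAL_MODULE__787__` to `__WEBPACK_EXTERNAL_MODULE__442__`) and asks for confirmation that nothing else changed. One way to get that confirmation is to canonicalize the IDs in both bundles before comparing them, so that a pure renumbering compares equal and any real change surfaces with its location. The block below is an added example, not code from the project or from this PR; the bundle fragments are constructed, and they use only the two ID forms the example handles (`__WEBPACK_EXTERNAL_MODULE__N__` and `__webpack_require__(N)`).

```javascript
// Added example: compare two webpack bundles after canonicalizing module IDs,
// so that webpack's renumbering (e.g. __WEBPACK_EXTERNAL_MODULE__787__ becoming
// __WEBPACK_EXTERNAL_MODULE__442__) neither hides nor mimics a real change.
// Not project code; the bundle fragments below are constructed.

// The two forms of numeric module ID this example handles. Real bundles also
// use the number as a key in the module map and via minified require aliases.
const ID_PATTERN = /__WEBPACK_EXTERNAL_MODULE__(\d+)__|__webpack_require__\((\d+)\)/g;

// Rewrite every module ID to its order of first appearance, so two bundles
// that differ only in numbering produce identical text.
function normalizeModuleIds(bundle) {
  const canonical = new Map(); // original ID -> sequence number
  return bundle.replace(ID_PATTERN, (match, externalId, requireId) => {
    const id = externalId !== undefined ? externalId : requireId;
    if (!canonical.has(id)) canonical.set(id, canonical.size);
    const n = canonical.get(id);
    return externalId !== undefined
      ? `__WEBPACK_EXTERNAL_MODULE__<${n}>__`
      : `__webpack_require__(<${n}>)`;
  });
}

// Compare two bundles modulo module-ID numbering. Returns whether the
// canonical forms match, whether the raw bundles differed only in IDs, and,
// for a real difference, a window of text around the first divergence.
function compareBundles(oldBundle, newBundle, context = 30) {
  const a = normalizeModuleIds(oldBundle);
  const b = normalizeModuleIds(newBundle);
  if (a === b) {
    return { identical: true, idOnlyChange: oldBundle !== newBundle, diffAt: null };
  }
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  const from = Math.max(0, i - context);
  return {
    identical: false,
    idOnlyChange: false,
    diffAt: { offset: i, old: a.slice(from, i + context), new: b.slice(from, i + context) },
  };
}

// Constructed fragments of a bundle with one external (React) and one internal module.
const OLD_BUNDLE =
  '(function(){var a=__WEBPACK_EXTERNAL_MODULE__787__;' +
  'var b=__webpack_require__(787);var c=__webpack_require__(412);' +
  'return b.createElement(c.App)})';
// Same logic after webpack renumbered the modules.
const RENUMBERED_BUNDLE = OLD_BUNDLE.replace(/787/g, '442').replace(/412/g, '903');
// Renumbered and with an actual behavioural change in the source.
const CHANGED_BUNDLE = RENUMBERED_BUNDLE.replace('c.App)', 'c.App,null,"x")');

console.log(compareBundles(OLD_BUNDLE, RENUMBERED_BUNDLE));
console.log(compareBundles(OLD_BUNDLE, CHANGED_BUNDLE));
```

Before this is run against `react_ujs/dist/react_ujs.js` from `main` and from the branch, the module-map keys and any minified alias of `__webpack_require__` need their own patterns feeding the same map; the comparison is only meaningful for bundles built from the same source tree with the same webpack configuration, which is also why the reviewer's ask to rebuild on the documented Node version matters.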
