Skip to content

chore(deps): align Pack dev dependency updates#72

Merged
lamemustafa merged 1 commit into
masterfrom
tapish-codex/pack-dependency-hygiene
Jul 7, 2026
Merged

chore(deps): align Pack dev dependency updates#72
lamemustafa merged 1 commit into
masterfrom
tapish-codex/pack-dependency-hygiene

Conversation

@lamemustafa

@lamemustafa lamemustafa commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

Batch the safe Pack dev-dependency updates that were open as separate Dependabot PRs:

  • @types/chrome 0.0.320 -> 0.2.2
  • @typescript-eslint/eslint-plugin, @typescript-eslint/parser, and typescript-eslint -> 8.63.0
  • prettier -> 3.9.4

This intentionally does not update @types/node; Pack remains on Node 22.

Root Cause / Decision Record

Scope

  • Runtime: no runtime code-path changes, no permission changes, no manifest changes.
  • Tests: dependency audit, format, lint, typecheck, Vitest, WXT build, package verifier, ZIP verifier.
  • Docs/governance: PR body records superseded Dependabot PRs and the Node 22 decision.
  • Explicitly out of scope: Node 26 runtime/type baseline, Chrome Web Store publish, release asset publication, Sanchika consumption.

Pack Workflow Preflight

  • pnpm workflow:preflight was run before editing/push, or the skip reason is documented.
  • This PR was opened from a Pack branch, not master.
  • I checked latest master Pack AGENTS guidance or recorded the stale-guidance warning.
  • PR body keeps the required Pack privacy/review/verification checklist visible.

Sanchika Adoption Gate

  • If this PR consumes @sanchika/* packages or copied Sanchika guidance, I read sanchika/docs/adoption-pack.md in the coordinated parent worktree.
  • If this PR consumes Sanchika, it links ComplyEaze and Axal completion evidence and records the Sanchika commit or copied guidance used.
  • This PR does not import ../sanchika, sanchika/packages/*/src, or parent source paths.

Not applicable: this PR does not consume Sanchika.

Privacy And Data-Flow Impact

  • No new browser permissions.
  • No new host permissions.
  • No new network calls.
  • No analytics, telemetry, ads, or session replay.
  • No credential, OTP, CAPTCHA, cookie, token, GST file, or taxpayer-data capture.
  • Public copy and privacy declarations are updated if behaviour changed.

No public behavior changed.

Sensitive Surface Review

  • Current tab / portal target binding is preserved or intentionally changed.
  • Download completion remains evidence-backed and fail-closed.
  • Ambiguous side-effect delivery cannot be reported as confirmed success.
  • Service-worker durability impact is understood and documented.
  • Real taxpayer data, local paths, raw URLs/referrers, and portal HTML are absent from the diff.

Only dev dependencies, lockfile entries, and formatter output changed.

Chrome Web Store Impact

  • This PR does not expand beyond the existing Chrome Web Store V0 listing unless every gate in docs/PUBLICATION_READINESS.md is checked.
  • Full fiscal year remains source-build alpha and is not part of the Chrome Web Store V0 listing.
  • Store copy, README status, Privacy QA, and reviewer instructions were reviewed if user-facing behavior changed.
  • CI ZIP creation, provenance, and protected publishing are treated as release evidence, not manual store-submission sign-off.
  • PR title uses Conventional Commits so Release Please can bump Pack after merge.

No Chrome Web Store behavior changed.

Verification

  • pnpm install --frozen-lockfile
  • pnpm audit --audit-level high
  • pnpm exec wxt prepare
  • pnpm exec prettier --check .
  • pnpm exec eslint . --max-warnings 0
  • pnpm exec tsc --noEmit
  • pnpm exec vitest run
  • pnpm exec wxt build
  • node scripts/verify-extension-package.mjs .output/chrome-mv3
  • pnpm exec wxt zip
  • node scripts/verify-extension-zip.mjs
  • node scripts/write-release-provenance.mjs
  • node scripts/verify-github-release-assets.mjs --tag <tag> --zip <zip> --checksum <sha256> --provenance <json> when release assets exist
  • node scripts/publish-chrome-web-store.mjs --zip .output/<zip> --provenance .output/pack-release-provenance.v1.json --publisher-id <id> --dry-run true
  • git diff --check
  • pnpm review:gate -- --strict-head-review --required-review-author chatgpt-codex-connector --wait-head-review-ms 180000 --allow-missing-head-review before merge/readiness claim, with missing Codex review recorded as an audit gap if reported:

Install was done through pnpm update -D ..., which refreshed pnpm-lock.yaml. Release-provenance and Chrome Web Store dry-run checks are not applicable because this PR does not publish a release.
Review gate result: review-gate:allowed-missing-head-review; no current-head Codex review was found for c087f05, and the gate passed because missing-head review is explicitly allowed for this lane.

Artifact Evidence

PR Review Follow-Up

  • GitHub Actions completed.
  • Autogenerated Codex/bot review comments inspected after checks completed for the latest head SHA.
  • Inline review threads are resolved, outdated, or answered with evidence.
  • No commits were pushed after the last required human/bot review without re-review.
  • Any follow-up PRs are listed here instead of being left implicit.
Thread/comment Disposition Commit or evidence
Dependabot PR #67 superseded by aligned ESLint plugin/parser/typescript-eslint batch c087f05
Dependabot PR #68 superseded by this batch c087f05
Dependabot PR #69 superseded by aligned ESLint plugin/parser/typescript-eslint batch c087f05
Dependabot PR #70 intentionally not included because Pack remains on Node 22 .nvmrc, package.json, CI Node setup
Dependabot PR #71 superseded by this batch with Prettier 3.9 formatter output committed c087f05

Screenshots

Use synthetic data only.

Not applicable: no UI behavior changed.

DCO

  • Commits include Signed-off-by: trailers.

Signed-off-by: Tapish Khandelwal <tapishkhandelwal13@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant