build(deps-dev): bump @types/node from 25.9.3 to 26.0.0#144

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/types/node-26.0.0

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps @types/node from 25.9.3 to 26.0.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.9.3 to 26.0.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 22, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 22, 2026 16:08
clawsweeper Bot commented Jun 22, 2026

Codex review: needs maintainer review before merge. Reviewed June 22, 2026, 12:28 PM ET / 16:28 UTC.

Summary
Dependabot updates the direct development dependency @types/node from 25.9.3 to 26.0.0 and refreshes the pnpm lockfile.

Reproducibility: not applicable. This is dependency maintenance rather than a reported runtime bug. The relevant verification is package/lockfile inspection plus the PR validation checks.

Review metrics: 2 noteworthy metrics.

  • Changed package surface: 2 files modified, 46 changed lines. The PR only touches package metadata and the pnpm lockfile, both package integrity surfaces.
  • Status checks: 7 successful, 0 failing. CI, CodeQL, Dependency Review, and verified secret scanning were green on the PR head.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Have the package-integrity owner confirm the Node typings support policy before merge.

Risk before merge

  • [P1] This is a semver-major Node typings update while the published engine range still allows Node 22, so package-integrity owners should confirm that tracking Node 26 types is intentional for the support matrix.

Maintainer options:

  1. Accept Node 26 Typings
    Merge after package-integrity owners confirm that using Node 26 typings is acceptable while the runtime engine remains >=22.
  2. Keep Typings On The Minimum Runtime
    Close or retarget the Dependabot update if the project wants TypeScript to enforce the Node 22 public support floor.

Next step before merge

  • [P2] This needs package-integrity maintainer judgment on the semver-major typings/support-matrix question, not an automated code repair.

Security
Cleared: No concrete security or supply-chain concern was found in the package/lockfile-only diff; Dependency Review and verified secret scanning passed on the PR head.

Review details

Best possible solution:

Keep the generated bump narrow and either merge it after package-integrity approval, or configure Dependabot to ignore/retarget the major if Node typings should stay aligned with the minimum supported runtime.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is dependency maintenance rather than a reported runtime bug. The relevant verification is package/lockfile inspection plus the PR validation checks.

Is this the best way to solve the issue?

Yes, if maintainers intentionally track Node 26 typings; the generated package and lockfile update is the narrowest implementation. If typings should enforce the Node 22 support floor, the better solution is to close or retarget this major update.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 24763d26cdff.

Label changes

Label changes:

  • add P3: This is a low-risk dependency maintenance PR with green automation and no user-facing behavior change.
  • add merge-risk: 🚨 compatibility: The PR moves Node typings to major 26 while the package still advertises support for Node 22 and newer.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The contributor proof gate does not apply to this Dependabot bot dependency PR, and the changed behavior is covered by repository automation rather than real-user runtime proof.

Label justifications:

  • P3: This is a low-risk dependency maintenance PR with green automation and no user-facing behavior change.
  • merge-risk: 🚨 compatibility: The PR moves Node typings to major 26 while the package still advertises support for Node 22 and newer.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The contributor proof gate does not apply to this Dependabot bot dependency PR, and the changed behavior is covered by repository automation rather than real-user runtime proof.

Evidence reviewed

What I checked:

  • Current main dependency state: Current main still declares @types/node as ^25.9.3, so the proposed dependency update is not already implemented on the default branch. (package.json:37, 24763d26cdff)
  • PR head dependency change: The PR head changes the direct dev dependency to @types/node ^26.0.0 while leaving the package engine as node >=22. (package.json:37, 1473539f4dfc)
  • Lockfile update is scoped to the dependency graph: The PR lockfile importer resolves @types/node to 26.0.0 and updates the associated Vitest/Vite peer resolution entries; the diff is limited to package.json and pnpm-lock.yaml. (pnpm-lock.yaml:16, 1473539f4dfc)
  • Automated validation state: GitHub reports the PR as mergeable, with successful check runs for CI test, CodeQL TypeScript/actions analysis, Dependency Review, and verified secret scanning. (1473539f4dfc)
  • Repository validation surface: The CI workflow runs install, typecheck, lint, format check, tests, build, and package smoke under Node 26 for pull requests. (.github/workflows/ci.yml:20, 24763d26cdff)
  • Package integrity ownership: CODEOWNERS marks package.json and pnpm-lock.yaml as package integrity surfaces owned by @openclaw/openclaw-secops. (.github/CODEOWNERS:17, 24763d26cdff)

Likely related people:

  • Peter Steinberger: Blame and git log -G tie the current dependency block, initial package scaffold, and an earlier @types/node bump to this author. (role: dependency introducer and prior dependency updater; confidence: high; commits: 0cd24d07a262, 34f75dad9812, 88ba04e8006b; files: package.json, pnpm-lock.yaml)
  • Vincent Koc: Recent history shows this author added release/security automation, Dependabot configuration, CODEOWNERS, and package integrity ownership around the same package files. (role: package automation and ownership contributor; confidence: medium; commits: 637d2bd1cf81, 24763d26cdff; files: package.json, pnpm-lock.yaml, .github/dependabot.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jun 22, 2026
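
The support-matrix question raised in the review above, as an added example (not part of the PR, Dependabot, or ClawSweeper): a check that compares the `@types/node` major with the lowest Node major admitted by `engines.node`. The function names and the sample manifests are constructed from the values quoted in the review, and only simple range forms are parsed.

```javascript
// Added example. Typings newer than the runtime floor let calls to APIs that
// the oldest supported Node lacks pass typecheck, so the drift is worth gating.

// Lowest major admitted by a simple range: ">=22", "^22.3.0", "22.x",
// ">=22 <27", "^22 || ^24". Returns null when no lower bound is parseable.
function lowestMajor(range) {
  if (typeof range !== "string") return null;
  const majors = [];
  for (const alternative of range.split("||")) {
    for (const token of alternative.trim().split(/\s+/)) {
      // Upper bounds ("<27") and strict ">" are skipped on purpose.
      const m = /^(>=|\^|~|=)?v?(\d+)(?:\.(?:\d+|x|\*))*$/i.exec(token);
      if (m) majors.push(Number(m[2]));
    }
  }
  return majors.length ? Math.min(...majors) : null;
}

// Classify a parsed package.json object.
function checkNodeTypings(pkg) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const typesMajor = lowestMajor(deps["@types/node"]);
  const engineMajor = lowestMajor(pkg.engines && pkg.engines.node);
  if (typesMajor === null || engineMajor === null) {
    return { status: "unknown", typesMajor, engineMajor };
  }
  const status =
    typesMajor > engineMajor ? "types-ahead" :
    typesMajor < engineMajor ? "types-behind" : "aligned";
  return { status, typesMajor, engineMajor };
}

// Constructed manifests using the versions quoted in the review.
const MAIN = { devDependencies: { "@types/node": "^25.9.3" }, engines: { node: ">=22" } };
const PR_HEAD = { devDependencies: { "@types/node": "^26.0.0" }, engines: { node: ">=22" } };
// Constructed: typings pinned to the support floor (maintainer option 2).
const FLOOR = { devDependencies: { "@types/node": "^22.0.0" }, engines: { node: ">=22" } };

for (const [name, pkg] of Object.entries({ MAIN, PR_HEAD, FLOOR })) {
  const r = checkNodeTypings(pkg);
  console.log(`${name}: ${r.status} (types ${r.typesMajor}, engine floor ${r.engineMajor})`);
}
```

On these inputs both the default branch and the PR head report typings ahead of the Node 22 floor, so the bump widens an existing gap.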