fix(deps): update device_page and test JS lockfiles to resolve Dependabot alerts #10877
Conversation
Pull request overview
This PR updates JavaScript dependencies/lockfiles for the device_page embedded web UI and the tests/web-e2e Playwright suite, primarily to address Dependabot security alerts.
Changes:
- Bumps tests/web-e2e lint/tooling dependencies (notably @typescript-eslint/*) and refreshes the pnpm-lock.yaml.
- Upgrades device_page runtime/tooling dependencies (React/TanStack/Tailwind/Vite/ESLint/TypeScript) and adds a TypeScript compiler option tweak.
- Updates a nested brace-expansion entry in device_page/package-lock.json.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/web-e2e/pnpm-lock.yaml | Updates lockfile entries for lint/tooling packages (e.g., @typescript-eslint/*, semver, brace-expansion). |
| tests/web-e2e/package.json | Bumps @typescript-eslint/* devDependencies and reformats pnpm.onlyBuiltDependencies. |
| src/slic3r/GUI/DeviceWeb/device_page/tsconfig.app.json | Adds ignoreDeprecations to compiler options. |
| src/slic3r/GUI/DeviceWeb/device_page/package.json | Major dependency/tooling upgrades (notably Vite 8 / ESLint 10 / TypeScript 6). |
| src/slic3r/GUI/DeviceWeb/device_page/package-lock.json | Updates brace-expansion from 5.0.5 to 5.0.6 in a nested dependency. |
Files not reviewed (2)
- src/slic3r/GUI/DeviceWeb/device_page/package-lock.json: Language not supported
- tests/web-e2e/pnpm-lock.yaml: Language not supported
| "dependencies": { | ||
| "@radix-ui/react-dialog": "^1.1.14", | ||
| "@radix-ui/react-dialog": "^1.1.15", | ||
| "@radix-ui/react-icons": "^1.3.2", | ||
| "@radix-ui/react-popover": "^1.1.14", | ||
| "@radix-ui/react-toggle-group": "^1.1.10", | ||
| "@tailwindcss/vite": "^4.1.8", | ||
| "@tanstack/react-router": "^1.120.15", | ||
| "i18next": "^25.3.2", | ||
| "immer": "^10.1.1", | ||
| "radix-ui": "^1.4.2", | ||
| "react": "^19.1.0", | ||
| "react-dom": "^19.1.0", | ||
| "react-i18next": "^15.6.1", | ||
| "tailwindcss": "^4.1.8", | ||
| "zustand": "^5.0.6" | ||
| "@radix-ui/react-popover": "^1.1.15", | ||
| "@radix-ui/react-toggle-group": "^1.1.11", | ||
| "@tailwindcss/vite": "^4.3.0", |
| "typescript": "~6.0.3", | ||
| "typescript-eslint": "^8.59.4", | ||
| "vite": "^8.0.14" |
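Review bot: the package.json fragment mixes the Dependabot-driven patch bumps with major version upgrades that carry their own compatibility risk, notably `"typescript": "~6.0.3"` and `"vite": "^8.0.14"` in the tooling section and the Radix/Tailwind runtime bumps above them; consider landing the security patches on their own and moving the major tooling upgrades to a separate PR so each can be evaluated independently. Vite 8 also requires a newer Node.js than older 20.x releases (the range is given in the PR's compatibility note), and no `engines` field is visible in this fragment; declaring `engines.node` makes an unsupported runtime fail fast at install time instead of failing obscurely during the build.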
| "noFallthroughCasesInSwitch": true, | ||
| "noUncheckedSideEffectImports": true, | ||
| "ignoreDeprecations": "6.0", |
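Review bot: `"ignoreDeprecations": "6.0"` silences the deprecation errors TypeScript 6.0 introduces wholesale, not just the one option that blocks this build; narrow it to the oldest version whose deprecations actually need suppressing (the commit that followed this review uses `"5.0"`) and add a comment naming the deprecated option it exists for, so that new 6.x deprecations still surface during the upgrade rather than being hidden by a blanket setting.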
Thanks for the contribution! Just a quick reminder that upgrading libraries can introduce compatibility risks or unexpected side effects, so we need to evaluate the impact carefully before merging.
Address Copilot/reviewer feedback on bambulab#10877:
- Add engines.node: "^20.19.0 || >=22.12.0" to device_page/package.json (Vite 8 requires Node 20.19+ or 22.12+; declaring it prevents silent failures on older Node runtimes in CI or developer environments)
- Narrow ignoreDeprecations from "6.0" to "5.0" in tsconfig.app.json so TS 6.x deprecations still surface; add comment explaining scope
Thanks for the thorough review, @XinZhangBambu and @Copilot! All three points are addressed in the latest commit: [Medium] PR description updated [High] [Low]
Pull request overview
Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.
Files not reviewed (2)
- src/slic3r/GUI/DeviceWeb/device_page/package-lock.json: Language not supported
- tests/web-e2e/pnpm-lock.yaml: Language not supported
Apologies, this PR was closed by mistake on 2026-06-07, and that was an error on my side, not a deliberate decision to withdraw the change. It happened as an unintended side effect of a branch cleanup in my fork: deleting the head branch automatically closed this PR. The contribution still stands. I have restored the branch and reopened the PR. Sorry for the noise and any confusion this caused.
Hi @XinZhangBambu, gentle nudge on this one, and you're right to be cautious. Alongside the security-driven bumps, this PR also pulls in some major tooling upgrades (Vite 8, TypeScript 6, ESLint 10) plus several runtime dependency bumps; that's where most of the compatibility risk sits, not the security fixes themselves. To make it easier to evaluate, I'm happy to split it: reduce this PR to only the minimal bumps needed to clear the outstanding Dependabot alerts (low risk), and move the major Vite/TS/ESLint tooling upgrades into a separate PR you can evaluate on its own timeline. That keeps the security fix small and reviewable while the riskier upgrades get their own assessment. Would that approach help unblock it, or would you prefer to keep everything in one PR? Happy to do whichever you'd like.
Resolves the outstanding Dependabot alerts in device_page by pinning the affected transitive dependencies to their first patched versions via pnpm overrides, without the major tooling upgrades:
- undici 7.25.0 -> 7.28.0 (1 high, 1 medium advisory)
- js-yaml 4.1.0 -> 4.2.0 (medium)
- @babel/core 7.27.4 -> 7.29.6 (low)
All bumps stay within the current major versions, so there are no API or toolchain changes, just the security patches.
6ec536a to a5cd327
Done — split as discussed, @XinZhangBambu. This PR is now security-only: it pins just the three Dependabot-flagged transitive deps to their first patched versions via pnpm
The larger toolchain/runtime upgrades (Vite 8, TypeScript 6, ESLint 10, React/Radix/Tailwind, etc.) have been moved to #11242 for separate evaluation, so this one should be safe to land on its own.
Thanks @walterwongbbl, much appreciated; glad the security-only split made the assessment easy. Ready to merge whenever it suits you.
thanks~ @BenJule |
Summary
Updates JavaScript dependencies for `device_page` and `tests/web-e2e` to resolve outstanding Dependabot security alerts — this includes both lockfile regeneration and direct version bumps in `package.json`.
device_page (`src/slic3r/GUI/DeviceWeb/device_page/`)
tests/web-e2e (`tests/web-e2e/`)
No changes to C++ source code, build system, or application behaviour.
Compatibility note
Vite 8 requires Node `^20.19.0 || >=22.12.0`. The `engines.node` field now declares this explicitly. CI runners using Node 18 or older 20.x will need to be updated if they build the `device_page` web asset.
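Two checks a reviewer would want to run on a PR like this are (a) that the overrides described in the commit message above really reached every copy of undici, js-yaml and @babel/core in the lockfile, including nested copies that hoisting can leave behind, and (b) that a given Node.js build matches the `engines.node` range from the compatibility note. The script below is an added example, not code from this PR or from the BambuStudio project. It assumes the npm `package-lock.json` v2/v3 layout (a top-level `packages` map keyed by `node_modules/...` paths); `pnpm-lock.yaml` would need a YAML parser and is not handled. The minimum versions come from the commit message on this page, the range from the compatibility note, and the embedded lockfile is a constructed sample, not the real device_page lock.

```javascript
// Added example (not from the PR or BambuStudio): audit an npm package-lock.json
// for transitive dependencies still below their first patched version, and check
// a Node.js version against an engines.node range. No external packages needed.

// Minimum patched versions, as listed in the security-only commit on this page.
const MIN_PATCHED = {
  "undici": "7.28.0",
  "js-yaml": "4.2.0",
  "@babel/core": "7.29.6",
};

// Parse "major.minor.patch" (an optional leading "v" and any prerelease suffix are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing a to b numerically, field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name from a package-lock "packages" key: everything after the last
// "node_modules/" (scoped names such as "@babel/core" keep their scope).
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Returns every lockfile entry for a watched package whose version is below the
// minimum. An empty result means the overrides took effect everywhere, including
// nested copies under node_modules/<parent>/node_modules/.
function findUnpatched(lockfile, minimums = MIN_PATCHED) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      findings.push({ path: key, name, version: entry.version, required: minimums[name] });
    }
  }
  return findings;
}

// Evaluates the two comparator forms used in "^20.19.0 || >=22.12.0": a caret
// range (same major, at least the stated version; majors >= 1 only) and ">=".
// Alternatives separated by "||" are OR-ed. Any other comparator is rejected.
function satisfiesNodeRange(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alt) => {
    const t = alt.trim();
    if (t.startsWith("^")) {
      const min = t.slice(1);
      return v[0] === parseVersion(min)[0] && compareVersions(version, min) >= 0;
    }
    if (t.startsWith(">=")) return compareVersions(version, t.slice(2).trim()) >= 0;
    throw new Error(`unsupported comparator: ${t}`);
  });
}

// Constructed sample lockfile (not the real device_page lock): the hoisted copies
// were overridden, but one nested undici is still on the unpatched 7.25.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "device_page" },
    "node_modules/undici": { version: "7.28.0" },
    "node_modules/js-yaml": { version: "4.2.0" },
    "node_modules/@babel/core": { version: "7.29.6" },
    "node_modules/some-tool/node_modules/undici": { version: "7.25.0" },
  },
};

const ENGINES_NODE = "^20.19.0 || >=22.12.0";

function main() {
  for (const f of findUnpatched(SAMPLE_LOCK)) {
    console.log(`UNPATCHED ${f.name}@${f.version} at ${f.path} (need >= ${f.required})`);
  }
  for (const node of ["18.20.0", "20.18.0", "20.19.0", "21.0.0", "22.12.0"]) {
    console.log(`node ${node} satisfies "${ENGINES_NODE}": ${satisfiesNodeRange(node, ENGINES_NODE)}`);
  }
}
main();
```

Against a real checkout, point `findUnpatched` at `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the one worth keeping in mind, since `npm ls undici --all` (or `pnpm why undici` for the pnpm-managed suite) will list every resolved copy and an override that only reached the hoisted one leaves the advisory open.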