Patch 3.2.3 #209
Conversation
Bumps the react group with 3 updates in the / directory: [react](https://github.com/facebook/react/tree/HEAD/packages/react), [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom).

Updates `react` from 19.2.0 to 19.2.1
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.1/packages/react)

Updates `@types/react` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.0 to 19.2.1
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.1/packages/react-dom)

Updates `@types/react` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

---
updated-dependencies:
- dependency-name: react
  dependency-version: 19.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: react
- dependency-name: "@types/react"
  dependency-version: 19.2.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: react
- dependency-name: react-dom
  dependency-version: 19.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: react
- dependency-name: "@types/react"
  dependency-version: 19.2.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: react
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the deps group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@fluentui/react-components](https://github.com/microsoft/fluentui) | `9.72.7` | `9.72.8` |
| [@fluentui/react-icons](https://github.com/microsoft/fluentui-system-icons) | `2.0.314` | `2.0.316` |
| [@stylistic/eslint-plugin](https://github.com/eslint-stylistic/eslint-stylistic/tree/HEAD/packages/eslint-plugin) | `5.5.0` | `5.6.1` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.46.4` | `8.49.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.2.2` | `7.2.7` |

Updates `@fluentui/react-components` from 9.72.7 to 9.72.8
- [Release notes](https://github.com/microsoft/fluentui/releases)
- [Commits](https://github.com/microsoft/fluentui/compare/@fluentui/react-components_v9.72.7...@fluentui/react-components_v9.72.8)

Updates `@fluentui/react-icons` from 2.0.314 to 2.0.316
- [Commits](https://github.com/microsoft/fluentui-system-icons/commits)

Updates `@stylistic/eslint-plugin` from 5.5.0 to 5.6.1
- [Release notes](https://github.com/eslint-stylistic/eslint-stylistic/releases)
- [Changelog](https://github.com/eslint-stylistic/eslint-stylistic/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint-stylistic/eslint-stylistic/commits/v5.6.1/packages/eslint-plugin)

Updates `typescript-eslint` from 8.46.4 to 8.49.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.49.0/packages/typescript-eslint)

Updates `vite` from 7.2.2 to 7.2.7
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.2.7/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.2.7/packages/vite)

---
updated-dependencies:
- dependency-name: "@fluentui/react-components"
  dependency-version: 9.72.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: deps
- dependency-name: "@fluentui/react-icons"
  dependency-version: 2.0.316
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: deps
- dependency-name: "@stylistic/eslint-plugin"
  dependency-version: 5.6.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: deps
- dependency-name: typescript-eslint
  dependency-version: 8.49.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: deps
- dependency-name: vite
  dependency-version: 7.2.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: deps
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Pull request overview
This pull request implements a package manager migration from Yarn to NPM as part of the "Patch Tuesday" initiative, along with dependency updates and security patches for CVE-2025-12816, CVE-2025-64756, and CVE-2025-66030.
Key changes:
- Migrated package manager from Yarn to NPM, updating all scripts and workflow commands
- Updated multiple dependencies including React (19.2.0 → 19.2.1), FluentUI components, and TypeScript tooling
- Removed Yarn-specific configuration files and updated ESLint to ignore package-lock.json
Reviewed changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| package.json | Version bumped to 3.2.3, converted scripts from Yarn to NPM, updated dependencies (React, FluentUI, TypeScript), removed packageManager field and several devDependencies (globals, scheduler, vite) |
| eslint.config.js | Added package-lock.json to ignore patterns for JSON linting rules |
| .yarnrc.yml | Deleted Yarn configuration file containing package extensions and node linker settings |
| .github/workflows/pr_pipeline.yml | Updated CI pipeline to use NPM commands instead of Yarn |
| .github/workflows/cd_pipeline.yml | Updated CD pipeline to use NPM commands instead of Yarn |
| .devcontainer/devcontainer.json | Changed postCreateCommand from yarn install to npm install |
| "lint": "tsc --noEmit && eslint . -c eslint.config.js", | ||
| "prepare": "wxt prepare", | ||
| "postinstall": "yarn prepare" | ||
| "postinstall": "wxt prepare" |
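Review bot: `prepare` and `postinstall` both run `wxt prepare`, so a plain `npm install` executes it twice, once for the `postinstall` hook and again for `prepare`, which npm runs automatically after it on a local install; drop the `postinstall` entry and keep `"prepare": "wxt prepare"`. One caveat for the pipelines: if the install step is ever hardened with `--ignore-scripts` so that third-party install hooks cannot execute, neither hook fires and `wxt prepare` has to be invoked as an explicit step.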
Copilot
AI
Dec 11, 2025
The postinstall script now directly runs wxt prepare instead of yarn prepare. This is the correct approach for NPM, as it removes the indirection through the prepare script. However, note that the prepare script is still defined on line 11 and will still be automatically run by NPM on install. This means wxt prepare will run twice: once from the prepare lifecycle hook and once from postinstall. Consider removing the postinstall script entirely and relying solely on the prepare lifecycle hook.
| "react": "^19.2.1", | ||
| "react-dom": "^19.2.1" |
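Review bot: `react` and `react-dom` move from `~` to `^` here, so the next `npm update` may resolve a 19.x minor rather than only patch releases; that is a policy choice rather than a bug, but keep the two packages on the same specifier, since they are released in lockstep and are expected to be installed at the same version, and note that with the committed package-lock.json the range only takes effect when the lock is regenerated, not on a locked install.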
Copilot
AI
Dec 11, 2025
The version range specifier for react has changed from ~19.2.0 (tilde - allows patch updates) to ^19.2.1 (caret - allows minor and patch updates). This broadens the allowed version range. While React typically follows semantic versioning carefully, this change means future updates could pull in minor version changes (e.g., 19.3.0) automatically, which was previously restricted. Ensure this is intentional, or consider keeping the tilde specifier for more conservative updates.
| "react": "^19.2.1", | |
| "react-dom": "^19.2.1" | |
| "react": "~19.2.1", | |
| "react-dom": "~19.2.1" |
| "@types/react-dom": "~19.2.2", | ||
| "@stylistic/eslint-plugin": "^5.6.1", | ||
| "@types/react": "^19.2.7", | ||
| "@types/react-dom": "^19.2.3", |
Copilot
AI
Dec 11, 2025
The version range specifier for @types/react has changed from ~19.2.2 (tilde - allows patch updates) to ^19.2.7 (caret - allows minor and patch updates). This broadens the allowed version range and may pull in minor version changes automatically. Consider whether this is intentional or if the tilde specifier should be retained for consistency with the previous versioning strategy.
| "@types/react-dom": "^19.2.3", | |
| "@types/react-dom": "~19.2.3", |
| "@types/react-dom": "^19.2.3", | ||
| "@wxt-dev/module-react": "^1.1.5", | ||
| "eslint": "^9.39.1", | ||
| "eslint-plugin-react": "^7.37.5", |
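Review bot: `globals` is gone from devDependencies in this hunk while, as the comment on this hunk points out, eslint.config.js in the same PR still imports it, so the `lint` script (`tsc --noEmit && eslint . -c eslint.config.js`) will fail on a clean install with a cannot-find-module error. Re-add `"globals"` to devDependencies, then verify with `npm ci && npm run lint` on a fresh checkout so that the manifest and package-lock.json are proven consistent rather than relying on a developer's existing node_modules.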
Copilot
AI
Dec 11, 2025
The globals package is imported and used in eslint.config.js at line 7 and line 15, but it has been removed from the devDependencies. This will cause the linting process to fail with a module not found error. The globals package should be retained in devDependencies.
| "eslint-plugin-react": "^7.37.5", | |
| "eslint-plugin-react": "^7.37.5", | |
| "globals": "^13.24.0", |
| - run: corepack enable | ||
| - run: yarn install | ||
| - run: npm install |
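Review bot: `npm install` in the PR pipeline resolves dependencies against the `^`/`~` ranges and may rewrite package-lock.json, so CI is not guaranteed to test the tree that was committed and reviewed; use `npm ci`, which installs exactly what the lock file records and fails if package.json and the lock disagree. With the `packageManager` field removed, `corepack enable` no longer does anything useful in this job and can be dropped along with the `yarn install` line.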
Copilot
AI
Dec 11, 2025
With the migration from Yarn to NPM and the removal of the packageManager field from package.json, the corepack enable command is no longer necessary. Corepack is primarily used to ensure the correct package manager version when using Yarn or pnpm with a packageManager field specified. This line can be safely removed.
| - run: corepack enable | ||
| - run: yarn install | ||
| - run: npm install |
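Review bot: the same applies to the release pipeline, where it matters more: the artifact published from cd_pipeline.yml should be built from the locked tree, so replace `npm install` with `npm ci` here too (and drop the now-unneeded `corepack enable`); otherwise a range resolution at release time could ship a dependency set different from the one reviewed in this PR.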
Copilot
AI
Dec 11, 2025
With the migration from Yarn to NPM and the removal of the packageManager field from package.json, the corepack enable command is no longer necessary. Corepack is primarily used to ensure the correct package manager version when using Yarn or pnpm with a packageManager field specified. This line can be safely removed.
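The review threads above raise three properties of package.json that can be checked mechanically before CI runs an install: a lifecycle hook that repeats the command of another hook, a `~` to `^` change that widens what a future update may resolve, and a package removed from devDependencies while still in use. The script below is an added example written for this page, not code from the repository or from Copilot. It is a Node.js policy check that reads a manifest and its package-lock.json and reports hooks that run the same command twice, declared dependencies that are missing from the lock or locked outside their declared range, and react/react-dom locked to different versions. The manifest and lock fragments are constructed sample data whose versions are assumptions chosen to trigger each check once, not the repository's actual values, and the range matcher only understands exact, `~` and `^` specifiers.

```javascript
// Added example for this page (not the repository's code): a package.json /
// package-lock.json policy check of the kind run as a CI step before `npm ci`.
// Inputs below are constructed sample data; the versions are assumptions chosen
// to trigger each check once, not the values in the reviewed PR.

const PACKAGE_JSON = {
  scripts: {
    lint: "tsc --noEmit && eslint . -c eslint.config.js",
    prepare: "wxt prepare",
    postinstall: "wxt prepare", // same command as `prepare`: runs twice on install
  },
  dependencies: { react: "^19.2.1", "react-dom": "^19.2.1" },
  devDependencies: {
    "@types/react": "^19.2.7",
    "@types/react-dom": "^19.2.3",
    globals: "^13.24.0", // declared here but absent from the lock below
  },
};

const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.2" }, // drifted away from react
    "node_modules/@types/react": { version: "19.2.7" },
    "node_modules/@types/react-dom": { version: "19.1.9" }, // below ^19.2.3
  },
};

// Hooks npm runs on a local `npm install`, in execution order; the same command
// appearing under two of them is executed twice.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  if (!m) throw new Error(`unsupported version syntax: ${text}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm semantics for the three specifier forms used in this manifest:
//   "1.2.3" exact;  "~1.2.3" same major.minor;  "^1.2.3" same major
//   (for 0.x, ^ pins the minor as well, and for 0.0.x it pins the patch).
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (compareVersions(v, base) < 0) return false;
  if (op === "") return compareVersions(v, base) === 0;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  if (base[0] === 0 && base[1] === 0) return compareVersions(v, base) === 0;
  if (base[0] === 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === base[0];
}

// Returns a list of findings; an empty list means the manifest and lock agree.
function auditManifest(pkg, lock) {
  const findings = [];

  // 1. Lifecycle hooks that duplicate each other's command.
  const seen = new Map();
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    if (seen.has(cmd)) findings.push(`duplicate lifecycle command "${cmd}" in ${seen.get(cmd)} and ${hook}`);
    else seen.set(cmd, hook);
  }

  // 2. Every declared dependency is locked, and locked inside its declared range.
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) {
      findings.push(`${name} declared as ${range} but missing from package-lock.json`);
    } else if (!satisfies(entry.version, range)) {
      findings.push(`${name} locked at ${entry.version}, outside declared range ${range}`);
    }
  }

  // 3. react and react-dom are released together and must be installed at the same version.
  const react = lock.packages["node_modules/react"];
  const reactDom = lock.packages["node_modules/react-dom"];
  if (react && reactDom && react.version !== reactDom.version) {
    findings.push(`react ${react.version} and react-dom ${reactDom.version} are locked to different versions`);
  }
  return findings;
}

for (const f of auditManifest(PACKAGE_JSON, PACKAGE_LOCK)) console.log("FAIL:", f);
```

In a pipeline this would run after `npm ci`, reading the real files with `fs.readFileSync` and `JSON.parse` instead of the inline constants, and fail the job whenever `auditManifest` returns a non-empty list; on a consistent manifest the result is an empty array.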
Description
Dependencies update and security fixes
Changelog
Dependency bumps
Codebase
Fixed security vulnerabilities
PR Checklist
- `package.json`
- `next` branch to be in sync with `main`