build(deps-dev): bump lint-staged from 15.2.0 to 16.2.6 #1294
dependabot[bot] wants to merge 1 commit into master
Bumps [lint-staged](https://github.com/lint-staged/lint-staged) from 15.2.0 to 16.2.6.
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v15.2.0...v16.2.6)

---
updated-dependencies:
- dependency-name: lint-staged
  dependency-version: 16.2.6
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Beginning January 27, 2026, Dependabot will no longer support the @dependabot merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.
Sorry, only users with push access can use that command.
This PR upgrades lint-staged from 15.2.0 to 16.2.6 and includes many transitive dependency updates in package-lock.json. Codacy/Trivy flagged a medium-severity vulnerable dependency (micromatch 4.0.4) which this bump addresses by moving micromatch to 4.0.8. Most changes are dependency metadata updates (versions, engines, licenses). Key risks: dependency compatibility (node engine minimums raised in several packages) and one reported security finding was fixed. Recommend verifying CI/node versions and running tests locally/CI before merging.
Security: Codacy (Trivy) reported micromatch@4.0.4 (CVE-2024-4067). This PR upgrades micromatch to 4.0.8 via lint-staged bump — that addresses the flagged medium severity vulnerability. Good to run a dependency-audit (npm audit / Snyk) as a double-check.
Platform compatibility: Several packages raised their minimal Node engine (e.g. lint-staged -> node >=20.17, nano-spawn, commander, listr2, etc.). Ensure CI and developer environments run a compatible Node version or pin versions appropriately.
Test & CI: Many dev deps changed and some packages changed transitive deps (emoji-regex, ansi-regex, strip-ansi, string-width, etc.). Run full test suite and your precommit flows (husky/lint-staged) in CI to catch runtime/behavioral regressions.
| "eslint-plugin-unused-imports": "^3.0.0", | ||
| "husky": "^8.0.3", | ||
| "lint-staged": "^15.2.0", | ||
| "lint-staged": "^16.2.6", |
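Review bot: `"lint-staged": "^16.2.6"` replaces `^15.2.0`, a major-version jump on a tool that sits next to `husky` in the commit path, and no hook or lint-staged configuration change accompanies it in this hunk. Confirm the existing configuration still runs under 16.x by exercising a real commit locally or in CI, and install with `npm ci` so the lockfile, not the caret range, decides which 16.x release executes.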
You added lint-staged@16.2.6 in package.json — this upgrade pulls newer transitive deps and raises Node engine requirements. Confirm CI/node versions or constrain the upgrade if you need to support older Node versions.
| "node_modules/micromatch": { | ||
| "version": "4.0.2", | ||
| "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz", | ||
| "integrity": "sha512-y7FpHSbMUMoyPbYUSzO6PaZ6FyRnQOpHuKwbo1G+Knck95XVU4QAiKdGEnj5wwoS7PlOgthX/09u5iFJ+aYf5Q==", | ||
| "dev": true, | ||
| "version": "4.0.8", | ||
| "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", | ||
| "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "braces": "^3.0.1", | ||
| "picomatch": "^2.0.5" | ||
| "braces": "^3.0.3", | ||
| "picomatch": "^2.3.1" | ||
| }, |
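Review bot: On the `node_modules/micromatch` entry the old version shown is `4.0.2`, and as rendered `"dev": true` appears only with the removed lines, with `"license": "MIT"` in its place. If the flag really was dropped, micromatch is no longer a dev-only package in the resolved tree and would be installed in production too. Check which dependency now requires it with `npm ls micromatch`, and use the same output to confirm no nested copy older than 4.0.8 remains elsewhere in the lockfile.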
package-lock.json still contained micromatch@4.0.4 under fast-glob previously; I see micromatch bumped to 4.0.8 in the lockfile — this resolves the Trivy medium-severity finding (CVE-2024-4067). Good — ensure npm audit shows no remaining critical/medium issues.
| }, | ||
| "engines": { | ||
| "node": ">=18.12.0" | ||
| "node": ">=20.17" |
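Review bot: The `engines` change from `"node": ">=18.12.0"` to `"node": ">=20.17"` is only advisory at install time, because npm warns on an engine mismatch and proceeds unless `engine-strict` is enabled. A contributor on an older Node would then hit the failure when the hook runs rather than at install. Suggest stating the same floor in the project's own `engines` field and in the CI Node version so the mismatch surfaces early.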
Many packages now require newer Node engines (examples: lint-staged node >=20.17, listr2 node >=20.0.0, nano-spawn node >=20.17). If your CI or contributors use older Node, test locally or adapt engine fields/CI images.
| "version": "6.2.2", | ||
| "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz", | ||
| "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==", | ||
| "dev": true, | ||
| "license": "MIT", | ||
| "engines": { | ||
| "node": ">=12" | ||
| }, | ||
| "funding": { | ||
| "url": "https://github.com/chalk/ansi-regex?sponsor=1" | ||
| } | ||
| }, | ||
| "node_modules/log-update/node_modules/ansi-styles": { | ||
| "version": "6.2.1", | ||
| "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", | ||
| "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", | ||
| "dev": true, | ||
| "engines": { | ||
| "node": ">=12" | ||
| }, | ||
| "funding": { | ||
| "url": "https://github.com/chalk/ansi-styles?sponsor=1" | ||
| } | ||
| }, | ||
| "node_modules/log-update/node_modules/emoji-regex": { | ||
| "version": "10.3.0", | ||
| "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.3.0.tgz", | ||
| "integrity": "sha512-QpLs9D9v9kArv4lfDEgg1X/gN5XLnf/A6l9cs8SPZLRZR3ZkY9+kwIQTxm+fsSej5UMYGE8fdoaZVIBlqG0XTw==", | ||
| "dev": true | ||
| }, | ||
| "node_modules/log-update/node_modules/is-fullwidth-code-point": { | ||
| "version": "5.0.0", | ||
| "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-5.0.0.tgz", | ||
| "integrity": "sha512-OVa3u9kkBbw7b8Xw5F9P+D/T9X+Z4+JruYVNapTjPYZYUznQ5YfWeFkOj606XYYW8yugTfC8Pj0hYqvi4ryAhA==", | ||
| "version": "10.6.0", | ||
| "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz", | ||
| "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==", | ||
| "dev": true, | ||
| "dependencies": { | ||
| "get-east-asian-width": "^1.0.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=18" | ||
| }, | ||
| "funding": { | ||
| "url": "https://github.com/sponsors/sindresorhus" | ||
| } | ||
| }, | ||
| "node_modules/log-update/node_modules/slice-ansi": { | ||
| "version": "7.1.0", | ||
| "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-7.1.0.tgz", | ||
| "integrity": "sha512-bSiSngZ/jWeX93BqeIAbImyTbEihizcwNjFoRUIY/T1wWQsfsm2Vw1agPKylXvQTU7iASGdHhyqRlqQzfz+Htg==", | ||
| "dev": true, | ||
| "dependencies": { | ||
| "ansi-styles": "^6.2.1", | ||
| "is-fullwidth-code-point": "^5.0.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=18" | ||
| }, | ||
| "funding": { | ||
| "url": "https://github.com/chalk/slice-ansi?sponsor=1" | ||
| } | ||
| "license": "MIT" | ||
| }, | ||
| "node_modules/log-update/node_modules/string-width": { | ||
| "version": "7.0.0", | ||
| "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.0.0.tgz", | ||
| "integrity": "sha512-GPQHj7row82Hjo9hKZieKcHIhaAIKOJvFSIZXuCU9OASVZrMNUaZuz++SPVrBjnLsnk4k+z9f2EIypgxf2vNFw==", | ||
| "version": "7.2.0", | ||
| "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz", | ||
| "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==", | ||
| "dev": true, |
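Review bot: In the `node_modules/log-update/node_modules/*` block, as rendered, the nested `is-fullwidth-code-point` and `slice-ansi` entries appear to be removed while `emoji-regex` (10.3.0 to 10.6.0) and `string-width` (7.0.0 to 7.2.0) get new `resolved` and `integrity` pairs, which is not something a reader can verify by eye. Regenerate the lockfile from the `package.json` change on a clean checkout and confirm it produces the same result, then keep installs on `npm ci` so the sha512 `integrity` values are enforced.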
This update replaces older ansi/ansi-regex/ansi-styles/strip-ansi/string-width/emoji-regex variants across the lockfile. These changes can affect terminal output formatting; run interactive commands (precommit hooks) and CLI flows to validate behavior.
| "version": "5.1.0", | ||
| "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-5.1.0.tgz", | ||
| "integrity": "sha512-oMA2dcrw6u0YfxJQXm342bFKX/E4sG9rbTzO9ptUcR/e8A33cHuvStiYOwH7fszkZlZ1z/ta9AAoPk2F4qIOHA==", | ||
| "dev": true, | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "onetime": "^5.1.0", | ||
| "signal-exit": "^3.0.2" | ||
| "onetime": "^7.0.0", | ||
| "signal-exit": "^4.1.0" | ||
| }, | ||
| "engines": { | ||
| "node": "^12.20.0 || ^14.13.1 || >=16.0.0" | ||
| }, | ||
| "funding": { | ||
| "url": "https://github.com/sponsors/sindresorhus" | ||
| } | ||
| }, | ||
| "node_modules/restore-cursor/node_modules/mimic-fn": { | ||
| "version": "2.1.0", | ||
| "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-2.1.0.tgz", | ||
| "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==", | ||
| "dev": true, | ||
| "engines": { | ||
| "node": ">=6" | ||
| } | ||
| }, | ||
| "node_modules/restore-cursor/node_modules/onetime": { | ||
| "version": "5.1.2", | ||
| "resolved": "https://registry.npmjs.org/onetime/-/onetime-5.1.2.tgz", | ||
| "integrity": "sha512-kbpaSSGJTWdAY5KPVeMOKXSrPtr8C8C7wodJbcsd51jRnmD+GZu8Y0VoU6Dm5Z4vWr0Ig/1NKuWRKf7j5aaYSg==", | ||
| "dev": true, | ||
| "dependencies": { | ||
| "mimic-fn": "^2.1.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=6" | ||
| "node": ">=18" | ||
| }, |
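Review bot: Under `restore-cursor` 5.1.0 the dependency ranges cross major versions, `"onetime": "^5.1.0"` to `"^7.0.0"` and `"signal-exit": "^3.0.2"` to `"^4.1.0"`, and the nested `mimic-fn` 2.1.0 and `onetime` 5.1.2 entries sit among the removed lines. These packages deal with terminal state on process exit, so exercise an interrupted run of the pre-commit hook (for example Ctrl-C mid-task) and check that the cursor and terminal are left usable.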
Restored/updated packages (restore-cursor, onetime, mimic-function, etc.) bump engines to newer Node versions. Confirm transitive change doesn't break other dev scripts that run under older Node.
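The two checks the review comments above ask for (no copy of micromatch below 4.0.8 left in the lockfile, and no engine floor above the Node version CI runs) can be scripted against `package-lock.json`. This is an added example, not code from the PR or from lint-staged; `auditLock`, `nodeSatisfies` and the sample lockfile are hypothetical names and constructed data, and the range check handles only the `>=` and `^` forms.

```javascript
// Added example: audit the "packages" map of a package-lock.json (lockfileVersion 2/3).
const parse = (v) => v.split(".").map((n) => parseInt(n, 10) || 0).concat(0, 0).slice(0, 3);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// Handles only the range forms seen in this PR's lockfile: ">=X" and "^X" joined by "||".
// Returns true/false, or null when an alternative uses a form this sketch cannot judge.
function nodeSatisfies(range, node) {
  let unknown = false;
  for (const alt of range.split("||").map((s) => s.trim())) {
    const ge = /^>=\s*([\d.]+)$/.exec(alt);
    const caret = /^\^([\d.]+)$/.exec(alt);
    if (ge && cmp(node, ge[1]) >= 0) return true;
    if (caret && cmp(node, caret[1]) >= 0 && parse(node)[0] === parse(caret[1])[0]) return true;
    if (!ge && !caret) unknown = true;
  }
  return unknown ? null : false;
}

function auditLock(lock, { node, minimums }) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0) continue; // root project ("") and workspace folders
    const name = path.slice(i + "node_modules/".length);
    const floor = Object.hasOwn(minimums, name) && minimums[name];
    if (floor && pkg.version && cmp(pkg.version, floor) < 0)
      findings.push({ path, kind: "below-minimum", detail: `${pkg.version} < ${floor}` });
    const range = pkg.engines && pkg.engines.node;
    if (typeof range === "string" && nodeSatisfies(range, node) === false)
      findings.push({ path, kind: "engine", detail: `node ${node} outside ${range}` });
  }
  return findings;
}

// Constructed sample, not the PR's real lockfile: a nested micromatch left under fast-glob.
const sampleLock = {
  packages: {
    "": { name: "example-app" },
    "node_modules/lint-staged": { version: "16.2.6", dev: true, engines: { node: ">=20.17" } },
    "node_modules/micromatch": { version: "4.0.8", dev: true },
    "node_modules/fast-glob/node_modules/micromatch": { version: "4.0.4" },
    "node_modules/restore-cursor": { version: "5.1.0", engines: { node: ">=18" } },
  },
};
console.log(auditLock(sampleLock, { node: "18.19.0", minimums: { micromatch: "4.0.8" } }));
```

To run it on a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as `lock` and the Node version your CI uses as `node`.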
Bumps lint-staged from 15.2.0 to 16.2.6.
Release notes
Sourced from lint-staged's releases.
... (truncated)
Changelog
Sourced from lint-staged's changelog.
... (truncated)
Commits
- a1ec972 chore(changeset): release
- ddd5340 build(deps): regenerate package-lock.json
- ceb253a build(deps): update Vitest 4
- 58cc126 build(deps): update listr2
- 33d4502 fix: run all tasks when --continue-on-error=true
- 54ba9eb test: fix test usage for --continue-on-error
- b1715d9 test: fix test assertions for --continue-on-error to reveal incorrect behavior
- 1f6a326 chore(changeset): release
- 6ab937c ci: use separate caches for MSYS2 and Cygwin
- 6d71384 fix: catch errors when calling spawn

Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lint-staged since your current version.