chore: update NPM dev-deps

[justlevine]

What?

Closes

Manually updates NPM devDependencies to their latest compatible versions.

Why?

It seems the package-lock.json file drifted again to NPM@11, causing dependabot failures.

How?

Used ncu (which respects .npmrc age) to determine the available versions. Once chosen.

nvm use # ensure that NPMv10.9.4 is used
npm install
npm audit fix

• @wordpress/scripts was left at ^32.3.0 and @wordpress/e2e-test-utils-playwright was pinned to 1.46.0, since later versions break compatibility with non-gutenberg repos, and a bugfix has yet to be published:

  See

  • @wordpress/e2e-test-utils-playwright gives error "Stripping types is currently unsupported for files under node_modules" gutenberg#79018
  • @wordpress/e2e-test-utils-playwright no longer works in Playwright for non-Gutenberg projects gutenberg#78963

• @wordpress/* production dependencies were not updated. Most (if not all) of these are stripped out and served by WordPress, keeping them at the versions shipped with WordPress prevents us shipping regressions.

Use of AI Tools

None

Testing Instructions

1. Run npm ci and confirm dependencies install
2. Run npm run build and confirm the frontend assests still build correctly
3. npm run wp-env:test start && npm run test:e2e to ensure frontend tests still pass.

Screenshots or screencast

Before	After

Changelog Entry

Added - New feature.
Changed - Existing functionality.
Deprecated - Soon-to-be removed feature.
Removed - Feature.
Fixed - Bug fix.
Security - Vulnerability.
Developer - Development related updates.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: justlevine <justlevine@git.wordpress.org>
Co-authored-by: dkotter <dkotter@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[justlevine]

The newly caught ESLint issue is fixed in #713

[dkotter]

It seems the package-lock.json file drifted again to NPM@11, causing dependabot failures.

Not sure on this one as I'm running npm version 10.9.8 so not sure what is causing these failures.

That said, changes look fine to me here, noting we do have a failing test due to wp-env not being able to spin up, though seems unrelated to changes here

[justlevine]

wp-env not being able to spin up, though seems unrelated to changes here

Technically wordpress/env was bumped here, but spinup with xdebug is working locally (and in other GH-based CIs), so I think you're correct and it's just a temporary server issue. Not seeing anything in the package diff either.

If you want I can drop it back to 11.8 -> 11.4 and let dependabot catch and bump it.

Not sure on this one as I'm running npm version 10.9.8 so not sure what is causing these failures.

That would cover 4946070, but maybe not #647 ?

If after this is merged dependabot is still struggling (or if we don't want to be policing other folks PRs that add new deps), then I guess next step would be to either bump to node24 or lock to ^22. and switch to absolute version pinning.

[justlevine]

wp-env not being able to spin up, though seems unrelated to changes here

Technically wordpress/env was bumped here, but spinup with xdebug is working locally (and in other GH-based CIs), so I think you're correct and it's just a temporary server issue. Not seeing anything in the package diff either.

If you want I can drop it back to 11.8 -> 11.4 and let dependabot catch and bump it.

Pinning at 11.4 fixed it: https://github.com/WordPress/ai/actions/runs/27426863749/job/81066790918?pr=712

(The other failing test is a timeout issue and will work when the workflow is retriggered).

IMO this is good to merge and we'll see both if dependabot npm updates are working again and if there's a real issue in @wordpress/env:>11.4 as soon as the next PR autogenerates.