Skip to content

chore: dependency and build toolchain updates#90

Merged
nawforce merged 4 commits into
mainfrom
chore/dependency-updates
Apr 23, 2026
Merged

chore: dependency and build toolchain updates#90
nawforce merged 4 commits into
mainfrom
chore/dependency-updates

Conversation

@kjonescertinia

@kjonescertinia kjonescertinia commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

Summary

Umbrella dep/hygiene PR covering four slices:

  1. npm devDependencies + GitHub Actions — bump npm-side tooling (eslint 9.39, jest 30.3, typescript 5.9.3, typescript-eslint 8.59, prettier 3.8, prettier-plugin-java 2.8, plus root lint-staged / patch-package / @types/node). Tighten engines.node to ^20.19.0 || ^22.13.0 || >=24 to match what newer eslint transitives actually require. Bump actions/checkout@v6, setup-node@v6, setup-java@v5 ahead of the June 2026 Node 20 deprecation.
  2. JVM build toolchain — JUnit 5.1.0 → 5.12.2 (also switched to the junit-jupiter aggregator artifact), surefire 2.22.1 → 3.5.5, plus compiler/jar/source/gpg/javadoc/dependency plugin bumps. Switch compiler config from <source>/<target>1.8</source> to <release>8</release> and add <source>8</source> to javadoc config — clears two longstanding warnings the newer plugins surface.
  3. Dependabot enabled for both npm manifests, both maven poms, and github-actions. Minor/patch bumps grouped per-ecosystem to keep PR volume low.
  4. Collateral tidy-ups — prettier-plugin-java 2.8 reformatted 4 .java files (whitespace only); an eslint-disable-next-line preserves the ApexParseTreeWalker.DEFAULT narrow type under typescript-eslint 8.59's stricter no-unnecessary-type-assertion rule; jest 30.3 refreshed the snapshot file header URL.

Out of scope (flagged for future)

  • Root npm audit still reports 7 dev-only lodash-chain moderates via prettier-plugin-java → chevrotain. Deliberately not patched — dev-only, not in the published package. Can add an ignore: block to the dependabot config later if PR noise is an issue.
  • antlr4@4.13.2 (the only runtime dep) is unchanged — no newer release on npm, and the local antlr4+4.13.2.patch for ESM import extensions still applies cleanly.

Test plan

  • npm run build:npm — 74/74 unit tests pass
  • mvn -f jvm package — 73/73 JVM tests pass, all three jars built (main, sources, javadoc), zero warnings
  • npm run lint in npm/ — clean
  • prettier --check on .java — clean
  • npm audit in npm/ — 0 vulnerabilities
  • System tests (npm run systest) — run locally
  • CI Build workflow passes under the new actions versions

@kjonescertinia
chore: bump npm devDependencies and GitHub Actions for Node 24 readiness
123712d 
Updates npm-side devDependencies and tightens engines to match what newer
eslint transitives require (^20.19.0 || ^22.13.0 || >=24). Also bumps
actions/checkout, actions/setup-node, and actions/setup-java to majors
running on Node 24, ahead of the June 2026 deprecation deadline.

- Root: lint-staged 16.4, prettier 3.8, prettier-plugin-java 2.8
- npm/: eslint 9.39, jest 30.3, typescript 5.9.3, typescript-eslint 8.59,
  patch-package 8.0.1, @types/node 22.19
- Workflows: checkout@v6, setup-node@v6, setup-java@v5
- Reformat .java files under prettier-plugin-java 2.8 (whitespace only)
- Preserve ApexParseTreeWalker.DEFAULT narrow type with eslint-disable
  for the now-stricter no-unnecessary-type-assertion rule
@kjonescertinia
chore: bump Maven plugins and JUnit to current stable versions
983dc6a 
Brings the JVM build toolchain up to date. JUnit also switches from the
engine-only artifact to the junit-jupiter aggregator (api + params +
engine), which is the current best-practice form.

- junit-jupiter-engine 5.1.0 -> junit-jupiter 5.12.2
- maven-surefire-plugin 2.22.1 -> 3.5.5
- maven-compiler-plugin 3.5.1 -> 3.15.0
- maven-jar-plugin 3.0.2 -> 3.5.0
- maven-source-plugin 2.2.1 -> 3.4.0
- maven-gpg-plugin 3.0.1 -> 3.2.8
- maven-javadoc-plugin 3.3.0 -> 3.12.0
- maven-dependency-plugin: pin to 3.10.0 (was unversioned)

Also switch compiler config from <source>/<target>1.8</source> to
<release>8</release> (clears a bootstrap-classpath warning and prevents
accidental use of post-8 APIs), and add <source>8</source> to javadoc
config to silence the JDK-module cross-link warning.
@kjonescertinia
chore: enable Dependabot for npm, maven, and github-actions
2d71f61 
Covers both npm manifests, both maven poms, and the workflow files.
Minor and patch bumps per ecosystem are grouped into a single weekly
PR to keep churn down; major bumps come through as individual PRs so
they get reviewed on their own.

Commit prefix is set to "chore(deps):" to match the existing convention.
@kjonescertinia
chore: refresh jest snapshot header after jest 30.3 bump
89ed1f4 
Jest 30.3 updated the URL embedded in the snapshot file header
(goo.gl/fbAQLP -> jestjs.io/docs/snapshot-testing). One-time cosmetic
change picked up by the system test run.
@kjonescertinia kjonescertinia requested a review from nawforce April 23, 2026 14:22
@nawforce nawforce merged commit 3ade822 into main Apr 23, 2026
1 check passed
@nawforce nawforce deleted the chore/dependency-updates branch April 23, 2026 15:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nawforce nawforce nawforce approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kjonescertinia @nawforce