Update minor dependencies

[cjbarth]

This updates minor dependencies only. This is mostly to pull in security fixes made in the node-saml base library.

Summary by CodeRabbit

• Chores
  • Added a new script to simplify updating project dependencies.
  • Upgraded multiple dependencies and development tools to enhance stability and compatibility.
  • Improved linting configuration with a new comprehensive ESLint setup targeting source and test files.
  • Refined TypeScript error handling in test comments for clearer developer guidance.

[coderabbitai]

Walkthrough

A new "update" script was added to the npm scripts in package.json, enabling use of npm-check-updates. Numerous dependencies and devDependencies were upgraded to newer versions, including both core and development packages, with several minor and major version bumps. The old ESLint configuration files .eslintrc.json and .eslintignore were removed and replaced by a new modular eslint.config.mjs that integrates multiple plugins and layered rules. A new tsconfig.eslint.json was added to focus ESLint on test files. Minor refinements were made to TypeScript error comments in tests and a catch block was simplified in src/strategy.ts.

Changes

File	Change Summary
package.json	Added "update" script; upgraded multiple dependencies and devDependencies to newer versions; added new ESLint plugins.
.eslintignore, .eslintrc.json	Deleted legacy ESLint config and ignore files.
eslint.config.mjs	Added new comprehensive ESLint configuration with layered plugins and rules for TypeScript, Mocha, Chai, and Prettier.
tsconfig.eslint.json	Added new TS config for ESLint targeting test files only.
src/strategy.ts	Simplified catch block in async verification function by removing unused error variable.
test/multiSamlStrategy.spec.ts	Refined TypeScript expect-error comments for method argument expectations.
test/strategy.spec.ts	Replaced generic ts-ignore comments with explicit ts-expect-error comments including explanations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

🐇 Dependencies hop, leap, and bound,
New scripts and configs all around!
ESLint’s fresh coat, tests well refined,
Catch blocks trimmed, errors defined.
Code’s in bloom, review’s a breeze—
A rabbit’s joy in updates, please! 🌿✨

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

npm error Exit handler never called!
npm error This is an error with npm itself. Please report this error at:
npm error https://github.com/npm/cli/issues
npm error A complete log of this run can be found in: /.npm/_logs/2025-07-24T15_18_54_509Z-debug-0.log

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 40778be and 8f4fd77.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• .eslintignore (0 hunks)
• .eslintrc.json (0 hunks)
• eslint.config.mjs (1 hunks)
• package.json (1 hunks)
• src/strategy.ts (1 hunks)
• test/multiSamlStrategy.spec.ts (10 hunks)
• test/strategy.spec.ts (2 hunks)
• tsconfig.eslint.json (1 hunks)

💤 Files with no reviewable changes (2)

• .eslintignore
• .eslintrc.json

✅ Files skipped from review due to trivial changes (4)

• tsconfig.eslint.json
• test/strategy.spec.ts
• src/strategy.ts
• test/multiSamlStrategy.spec.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

🔇 Additional comments (8)

eslint.config.mjs (8)

11-11: LGTM! Correct flat config structure.

The use of tseslint.config() and default export follows TypeScript ESLint flat config best practices.

Also applies to: 58-58

---

13-16: LGTM! Appropriate base configurations.

The selection of recommended, strict TypeScript, and Mocha configurations provides a solid foundation for linting.

---

17-22: LGTM! Consistent line ending enforcement.

Enforcing Unix line breaks across all files is a good practice for cross-platform consistency.

---

46-56: LGTM! Appropriate test file configuration.

The Mocha globals and Chai-friendly plugin setup is correct for test files. The empty rules object is fine since the base configurations provide the necessary rules.

---

57-57: LGTM! Correct Prettier integration.

Placing the Prettier configuration last with the explanatory comment is the recommended approach to prevent rule conflicts.

---

1-58: Excellent migration to ESLint flat config format.

This configuration successfully modernizes the ESLint setup with appropriate use of TypeScript ESLint flat config patterns. The layered approach, plugin integrations, and rule selections are well-considered for a TypeScript Node.js project with Mocha tests.

---

23-45: Verified tsconfig.eslint.json Presence

The tsconfig.eslint.json file exists at the project root and correctly extends the base tsconfig.json. No further action required.

---

7-7: Ignore the globalIgnores import concern

The globalIgnores helper is a valid export in ESLint’s flat config and is intended for defining project-wide ignore patterns. No changes are needed for this import.

• The ESLint documentation confirms globalIgnores from "eslint/config" is supported in flat configuration.

Likely an incorrect or invalid review comment.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

package.json (1)

51-54: Consider aligning “update” vs. “update:*” scripts

You now have three flavours of the same command:

"update":        "npx npm-check-updates -du",
"update:major":  "npx npm-check-updates -i",
"update:minor":  "npx npm-check-updates -i -t minor",

update already updates all prod + dev deps, so the dedicated update:minor/update:major variants may lead to confusion for new contributors.

Two common clean-ups:

1. Keep only update and document the flags (-t minor|major) in README.
2. Rename update → update:patch (or similar) and make the triad explicit.

No functional defect, just a naming consistency / DX point.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 756d173 and 40778be.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (1 hunks)

🔇 Additional comments (1)

package.json (1)

65-88: Major-version bumps — please run full CI to confirm no breaking changes slipped in

Several upgrades cross a major boundary (eslint 8→9, mocha 10→11, sinon 17→21, release-it 17→19, etc.). While tests may still pass locally, these tools often change CLIs or default behaviours that surface only in edge cases (e.g., eslint rule renames, Mocha’s watcher flags, Sinon’s fake timers).

Action items:

1. Verify npm run lint, npm test, npm run prerelease, npm run watch on fresh clone.
2. Check generated artifacts (dist, typings) still compile under typescript@5.8.
3. If you publish an alpha from this branch, install it into a sample project to ensure no peer-dependency warnings.

No immediate code change required, but please confirm before merging.

[coderabbitai]

🛠️ Refactor suggestion

Move @types/* packages to devDependencies to avoid bloating the runtime bundle

@types/express and @types/passport are compile-time–only artifacts and never required at runtime. Shipping them in dependencies:

• inflates the published tarball / install size,
• pulls in transitive type-only deps for downstream consumers,
• can break consumers that install with --production.

Proposed minimal fix:

@@ "dependencies": {
-    "@node-saml/node-saml": "^5.1.0",
-    "@types/express": "^4.17.23",
-    "@types/passport": "^1.0.17",
-    "@types/passport-strategy": "^0.2.38",
+    "@node-saml/node-saml": "^5.1.0",
+    "@types/passport-strategy": "^0.2.38" // keep ONLY if used at runtime
@@
 },
 "devDependencies": {
+    "@types/express": "^4.17.23",
+    "@types/passport": "^1.0.17",

(If @types/passport-strategy is also type-only, move it likewise.)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"@node-saml/node-saml": "^5.1.0",
	"@types/express": "^4.17.23",
	"@types/passport": "^1.0.17",
	"@types/passport-strategy": "^0.2.38",
	"dependencies": {
	"@node-saml/node-saml": "^5.1.0",
	"@types/passport-strategy": "^0.2.38"
	},
	"devDependencies": {
	"@types/express": "^4.17.23",
	"@types/passport": "^1.0.17"
	// …other existing devDependencies…
	}

🤖 Prompt for AI Agents

In package.json around lines 57 to 60, the @types/express, @types/passport, and
@types/passport-strategy packages are incorrectly listed under dependencies but
should be moved to devDependencies because they are only needed at compile time.
To fix this, remove these @types packages from the dependencies section and add
them to the devDependencies section to prevent bloating the runtime bundle and
avoid issues for downstream consumers.

[cjbarth]

For anyone that may look here, this is bad advice. Since we export some types, we need to include them in dependencies so that users of this package will have the dependencies when they are using this library. The only thing we might consider is using peerDependencies, but support isn't universal for that yet.

[coderabbitai]

@cjbarth Thank you for the important clarification! You're absolutely right, and I appreciate you correcting that suggestion.

When a TypeScript library exports types that reference other @types/* packages, those type definitions become necessary for consumers during their own TypeScript compilation process. Moving them to devDependencies would indeed break the library for downstream users who rely on the exported types.

This is a great example of how the typical rule of "put @types in devDependencies" has important exceptions when building reusable TypeScript libraries that export type definitions.

---

✏️ Learnings added

Learnt from: cjbarth
PR: node-saml/passport-saml#961
File: package.json:57-60
Timestamp: 2025-07-24T18:05:18.700Z
Learning: In TypeScript libraries that export types referencing @types/* packages (like @types/express, @types/passport), these @types packages must remain in dependencies rather than devDependencies. This is because consumers of the library need these type definitions available during their own TypeScript compilation when using the exported types. Moving them to devDependencies would break the library for downstream users.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.