chore(deps): bump @rushstack/heft from 0.74.5 to 1.2.9#29
chore(deps): bump @rushstack/heft from 0.74.5 to 1.2.9#29dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [@rushstack/heft](https://github.com/microsoft/rushstack/tree/HEAD/apps/heft) from 0.74.5 to 1.2.9. - [Changelog](https://github.com/microsoft/rushstack/blob/main/apps/heft/CHANGELOG.md) - [Commits](https://github.com/microsoft/rushstack/commits/@rushstack/heft_v1.2.9/apps/heft) --- updated-dependencies: - dependency-name: "@rushstack/heft" dependency-version: 1.2.9 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
@copilot review this PR by looking at the commits from rushstack/heft between releases of rushstack/heft to better understand the impact this upgrade could have on the existing codebase. Provide a summary of heft's role in this source code. Is this upgrade necessary? Does this upgrade address any security vulnerabilities? Are there any tests that could exist to verify this upgrade or any future upgrades of this library won't break functionality? |
Here's a full analysis of this upgrade: Role of
|
| Version | Change |
|---|---|
| 0.75.0 | Breaking: taskStart/taskFinish/phaseStart/phaseFinish hooks made synchronous |
| 1.0.0 | Formal v1.0.0 release (no new functional changes beyond the breaking items above) |
| 1.1.0 | Normalized built-in module imports to use node: protocol |
| 1.2.0 | Normalized package layout — CJS now under lib-commonjs, DTS under lib-dts, ESM under lib-esm |
| 1.2.1 | Fixed exports map so Node.js uses CJS and bundlers use ESM |
All other intermediate versions were _Version update only_ (peer dependency bumps with no functional changes).
Is this upgrade necessary?
Not strictly — since heft is unused in this project, no functionality depends on it. That said, keeping a listed dependency up to date is reasonable hygiene. The more meaningful question is whether heft should be removed from package.json entirely, since it has no role in building or testing this extension.
Security vulnerabilities?
No known CVEs are associated with either @rushstack/heft@0.74.5 or @rushstack/heft@1.2.9 per the GitHub Advisory Database.
Tests to verify this (and future) upgrades
Because heft is not used in any build step for this project, there's no heft-specific behavior to test. For the extension itself, the most practical validation approach would be:
- Package the extension — run
npx vsce packageand confirm it produces a valid.vsixwithout errors. This exercises the actual extension packaging pipeline. - Validate theme JSON files — add a lightweight check (e.g.,
node -e "require('./themes/esacteksab-kai-default.json')") to ensure the JSON files are well-formed. This would catch any accidental corruption introduced during dependency updates. - Consider removing heft — since it's unused, removing it would eliminate this class of upgrade noise entirely. If it was added for future use, adding it back when actually needed (with a
heft.jsonconfig) would make intent clearer.
A CI step that runs vsce package on every PR would be the most meaningful regression guard for this type of extension project.
|
Looks like @rushstack/heft is no longer a dependency, so this is no longer needed. |
Bumps @rushstack/heft from 0.74.5 to 1.2.9.
Changelog
Sourced from
@rushstack/heft's changelog.... (truncated)
Commits
d9a40b4Bump versions [skip ci]71a39c9Update changelogs [skip ci]8740839Bump versions [skip ci]6861350Update changelogs [skip ci]bcf89c8chore: bump decoupled local dependencies (#5692)ee40f81Bump versions [skip ci]8a51049Update changelogs [skip ci]f8a668dchore: bump decoupled local dependencies (#5674)3b13f32Bump versions [skip ci]b8a4224Update changelogs [skip ci]Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)