Skip to content

chore(deps): bump @rushstack/heft from 0.74.5 to 1.2.9#29

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/rushstack/heft-1.2.9
Closed

chore(deps): bump @rushstack/heft from 0.74.5 to 1.2.9#29
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/rushstack/heft-1.2.9

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 3, 2026
edited
Loading

Bumps @rushstack/heft from 0.74.5 to 1.2.9.

Changelog

Sourced from @​rushstack/heft's changelog.

1.2.9

Wed, 01 Apr 2026 15:13:38 GMT

Version update only

1.2.8

Tue, 31 Mar 2026 15:14:14 GMT

Version update only

1.2.7

Mon, 09 Mar 2026 15:14:08 GMT

Version update only

1.2.6

Wed, 25 Feb 2026 21:39:42 GMT

Version update only

1.2.5

Wed, 25 Feb 2026 00:34:29 GMT

Version update only

1.2.4

Tue, 24 Feb 2026 01:13:27 GMT

Version update only

1.2.3

Mon, 23 Feb 2026 00:42:21 GMT

Version update only

1.2.2

Fri, 20 Feb 2026 16:14:49 GMT

Version update only

1.2.1

Fri, 20 Feb 2026 00:15:04 GMT

Patches

  • Add "node" condition before "import" in the "exports" map so that Node.js uses the CJS output (which handles extensionless imports), while bundlers still use ESM via "import". Fixes microsoft/rushstack#5644.

1.2.0

Thu, 19 Feb 2026 00:04:52 GMT

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump @rushstack/heft from 0.74.5 to 1.2.9
d994bcc 
Bumps [@rushstack/heft](https://github.com/microsoft/rushstack/tree/HEAD/apps/heft) from 0.74.5 to 1.2.9.
- [Changelog](https://github.com/microsoft/rushstack/blob/main/apps/heft/CHANGELOG.md)
- [Commits](https://github.com/microsoft/rushstack/commits/@rushstack/heft_v1.2.9/apps/heft)

---
updated-dependencies:
- dependency-name: "@rushstack/heft"
  dependency-version: 1.2.9
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file 🔗 javascript Pull requests that update javascript code labels Apr 3, 2026
@dependabot dependabot Bot mentioned this pull request Apr 3, 2026
Closed
@esacteksab
Copy link
Copy Markdown
Owner

esacteksab commented Apr 6, 2026

@copilot review this PR by looking at the commits from rushstack/heft between releases of rushstack/heft to better understand the impact this upgrade could have on the existing codebase. Provide a summary of heft's role in this source code. Is this upgrade necessary? Does this upgrade address any security vulnerabilities? Are there any tests that could exist to verify this upgrade or any future upgrades of this library won't break functionality?

Copy link
Copy Markdown

Copilot AI commented Apr 6, 2026

@copilot review this PR by looking at the commits from rushstack/heft between releases of rushstack/heft to better understand the impact this upgrade could have on the existing codebase. Provide a sum...

Here's a full analysis of this upgrade:

Role of @rushstack/heft in this codebase

@rushstack/heft is a build orchestration tool from Microsoft's Rush Stack, designed to run TypeScript compilation, Jest tests, ESLint, and other tasks in a configurable pipeline.

However, kai-vscode is a pure VS Code color theme extension — it contains only JSON theme files and no TypeScript/JavaScript source files that would need to be compiled or tested. Accordingly:

  • There are no heft configuration files (heft.json, config/heft/, etc.)
  • There are no npm scripts that invoke heft
  • The only reference to heft in the entire repository is the entry in package.json

In short, @rushstack/heft is an unused dependency in this project. It appears to have been added as a development/tooling convention but is never actually invoked.

What changed between 0.74.5 → 1.2.9?

The notable changes from the CHANGELOG are:

Version Change
0.75.0 Breaking: taskStart/taskFinish/phaseStart/phaseFinish hooks made synchronous
1.0.0 Formal v1.0.0 release (no new functional changes beyond the breaking items above)
1.1.0 Normalized built-in module imports to use node: protocol
1.2.0 Normalized package layout — CJS now under lib-commonjs, DTS under lib-dts, ESM under lib-esm
1.2.1 Fixed exports map so Node.js uses CJS and bundlers use ESM

All other intermediate versions were _Version update only_ (peer dependency bumps with no functional changes).

Is this upgrade necessary?

Not strictly — since heft is unused in this project, no functionality depends on it. That said, keeping a listed dependency up to date is reasonable hygiene. The more meaningful question is whether heft should be removed from package.json entirely, since it has no role in building or testing this extension.

Security vulnerabilities?

No known CVEs are associated with either @rushstack/heft@0.74.5 or @rushstack/heft@1.2.9 per the GitHub Advisory Database.

Tests to verify this (and future) upgrades

Because heft is not used in any build step for this project, there's no heft-specific behavior to test. For the extension itself, the most practical validation approach would be:

  1. Package the extension — run npx vsce package and confirm it produces a valid .vsix without errors. This exercises the actual extension packaging pipeline.
  2. Validate theme JSON files — add a lightweight check (e.g., node -e "require('./themes/esacteksab-kai-default.json')") to ensure the JSON files are well-formed. This would catch any accidental corruption introduced during dependency updates.
  3. Consider removing heft — since it's unused, removing it would eliminate this class of upgrade noise entirely. If it was added for future use, adding it back when actually needed (with a heft.json config) would make intent clearer.

A CI step that runs vsce package on every PR would be the most meaningful regression guard for this type of extension project.

Copilot AI requested a review from esacteksab April 6, 2026 19:29
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 7, 2026

Looks like @rushstack/heft is no longer a dependency, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 7, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/rushstack/heft-1.2.9 branch April 7, 2026 11:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esacteksab esacteksab Awaiting requested review from esacteksab

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file 🔗 javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@esacteksab