Bump globals from 11.12.0 to 17.4.0 #844

Open
dependabot[bot] wants to merge 2 commits into master from dependabot/npm_and_yarn/globals-17.4.0

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 16, 2026

Bumps globals from 11.12.0 to 17.4.0.

Release notes

Sourced from globals's releases.

v17.4.0

  • Update globals (2026-03-01) (#338) d43a051

sindresorhus/globals@v17.3.0...v17.4.0

v17.3.0

  • Update globals (2026-02-01) (#336) 295fba9

sindresorhus/globals@v17.2.0...v17.3.0

v17.2.0

  • jasmine: Add throwUnless and throwUnlessAsync globals (#335) 97f23a7

sindresorhus/globals@v17.1.0...v17.2.0

v17.1.0

  • Add webpack and rspack globals (#333) 65cae73

sindresorhus/globals@v17.0.0...v17.1.0

v17.0.0

Breaking

  • Split audioWorklet environment from browser (#320) 7bc293e

Improvements

  • Update globals (#329) ebe1063
  • Get all browser globals from both chrome and firefox (#321) 59ceff8
  • Add bunBuiltin environment (#324) 1bc6e3b
  • Add denoBuiltin environment (#324) 1bc6e3b
  • Add paintWorklet environment (#323) 4b78f56
  • Add sharedWorker environment (#322) 4a02a85

sindresorhus/globals@v16.5.0...v17.0.0

v16.5.0

  • Update globals (2025-11-01) (#316) 6d441ca
  • Add Vue, Svelte, and Astro globals (#314) ea31521

... (truncated)

Commits
Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) Mar 16, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 16, 2026 07:54

changeset-bot Bot commented Mar 16, 2026

⚠️ No Changeset found

Latest commit: 362c96a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



socket-security Bot commented Mar 16, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn High
Obfuscated code: npm @react-native/debugger-frontend is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: pnpm-lock.yaml → npm/@react-native/debugger-frontend@0.76.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.76.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yaml → npm/@babel/core@7.29.0 → npm/caniuse-lite@1.0.30001695

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001695. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yaml → npm/caniuse-lite@1.0.30001777

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001777. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/globals-17.4.0 branch from fa255f6 to 6667de7 Compare March 17, 2026 09:43
Bumps [globals](https://github.com/sindresorhus/globals) from 11.12.0 to 17.4.0.
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v11.12.0...v17.4.0)

---
updated-dependencies:
- dependency-name: globals
  dependency-version: 17.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/globals-17.4.0 branch from 6667de7 to f50ae7f Compare April 2, 2026 18:40
Contributor

Review summary

Reviewed this bump end-to-end. Safe to merge — no code changes required.

Usage in this repo

globals has exactly one direct consumer: packages/eslint-config-custom/browser.js, which only reads globals.browser for the ESLint flat-config languageOptions.globals. The react.js config inherits this via browser.js. No other package.json declares globals as a direct dependency.

(Note: although the PR title says "11.12.0 to 17.4.0", the catalog specifier was already ^15.10.0 resolving to 15.14.0. The remaining 11.12.0 in the lockfile is a transitive of @babel/plugin-transform-classes and is unaffected by this bump.)

Changelog impact (15.14 → 17.4.0)

The only relevant breaking change is v17.0.0, which split the audioWorklet environment out of browser. The following identifiers were removed from globals.browser:

AudioWorkletGlobalScope, AudioWorkletProcessor, PaintWorkletGlobalScope, WorkletGlobalScope, registerProcessor, currentFrame, currentTime, sampleRate, port

Grepped the repo for all of these across *.js/ts/tsx/mjs/cjs: zero matches, so there is no risk of no-undef regressions for our code. Other 16.x/17.x changes (serviceworker regen, added Vue/Svelte/Astro/webpack/rspack/jasmine globals) are additive and don't affect browser.

Security check

Dependabot flagged the new prepare script in 17.4.0. Verified the published tarball's files field only includes index.js, index.d.ts, globals.json — no scripts ship with the package. prepare is for the publisher's own build workflow; it does not run when consumers install from the npm registry. No supply-chain concerns; same publisher as before, the module is purely a JSON data file with a one-line CommonJS wrapper.

Local verification

Ran on the dependabot branch with the new lockfile:

  • pnpm install --frozen-lockfile — clean
  • pnpm lint — clean (only pre-existing react-hooks/exhaustive-deps warnings unrelated to this bump)
  • pnpm build — passed for all @evervault/* packages
  • pnpm typecheck — passed for all @evervault/* packages
  • Runtime sanity: confirmed globals.browser exists in 17.4.0 with 1170 entries

Changes pushed

None. The dependabot diff is sufficient as-is.


Generated by Claude Code
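The "Security check" section above turns on one question that Dependabot's generic "Install script changes" warning does not answer: which of a package's lifecycle scripts actually execute on a consumer's machine. The following is an added example, not code from this PR, from the globals package or from the repository under review. It classifies the scripts in a package.json by install source: npm runs preinstall, install and postinstall for a registry tarball, runs prepare additionally only when the dependency is fetched from a git URL, and runs prepublishOnly, prepack and postpack only at publish or pack time. The two manifests at the bottom are constructed for illustration (the prepare command shown is invented; the real one was not inspected here), and the tarball extraction commands in the comment are the way a reviewer would obtain the real manifest.

```javascript
// Added example (not part of this PR or the globals package): decide which
// package.json lifecycle scripts execute on a consumer's machine, so a
// "prepare script added" warning can be triaged precisely.
// The manifests at the bottom are constructed for illustration.

// npm runs these on the consumer side when the package arrives from the
// registry as a tarball (`npm install <pkg>`), in this order.
const REGISTRY_INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// `prepare` runs in the publisher's own checkout (bare `npm install`,
// `npm publish`) and also when a dependency is fetched from a git URL,
// because npm must build it before packing. It does not run for a
// registry tarball, which is the point the review above makes.
const GIT_ONLY_HOOKS = ['prepare'];

// Hooks that only run at publish/pack time (older npm also ran the
// deprecated `prepublish` on a bare local install, never for consumers).
const PUBLISHER_ONLY_HOOKS = ['prepublish', 'prepublishOnly', 'prepack', 'postpack'];

/**
 * Scripts that execute when `manifest` is installed as a dependency from
 * `source` ('registry' or 'git'), in execution order.
 */
function hooksRunOnInstall(manifest, source = 'registry') {
  const scripts = (manifest && manifest.scripts) || {};
  const order = source === 'git'
    ? [...GIT_ONLY_HOOKS, ...REGISTRY_INSTALL_HOOKS]
    : REGISTRY_INSTALL_HOOKS;
  return order
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].length > 0)
    .map((hook) => ({ hook, cmd: scripts[hook] }));
}

/** Bucket every script so a reviewer sees which ones are consumer-side. */
function classifyScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const out = { consumerInstall: [], gitOnly: [], publisherOnly: [], task: [] };
  for (const name of Object.keys(scripts)) {
    if (REGISTRY_INSTALL_HOOKS.includes(name)) out.consumerInstall.push(name);
    else if (GIT_ONLY_HOOKS.includes(name)) out.gitOnly.push(name);
    else if (PUBLISHER_ONLY_HOOKS.includes(name)) out.publisherOnly.push(name);
    else out.task.push(name);
  }
  return out;
}

/**
 * Audit the package.json text taken from the published tarball, e.g. after
 *   npm pack globals@17.4.0
 *   tar -xOf globals-17.4.0.tgz package/package.json
 * and report whether a registry consumer executes anything at install time.
 */
function auditManifestJson(jsonText) {
  const manifest = JSON.parse(jsonText);
  const registryHooks = hooksRunOnInstall(manifest, 'registry');
  const gitHooks = hooksRunOnInstall(manifest, 'git');
  return {
    name: manifest.name,
    version: manifest.version,
    runsOnRegistryInstall: registryHooks.length > 0,
    registryHooks,
    gitHooks,
    classes: classifyScripts(manifest),
  };
}

// Constructed manifest shaped like the reviewed case: a `prepare` script and
// nothing in the install family. The script body is invented.
const PREPARE_ONLY_MANIFEST = JSON.stringify({
  name: 'example-globals-like',
  version: '17.4.0',
  files: ['index.js', 'index.d.ts', 'globals.json'],
  scripts: { test: 'xo && ava', prepare: 'node scripts/generate.js' },
});

// Constructed manifest of the kind that needs a hard look: a postinstall
// hook runs on every consumer that installs from the registry.
const POSTINSTALL_MANIFEST = JSON.stringify({
  name: 'example-suspicious',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
});

for (const text of [PREPARE_ONLY_MANIFEST, POSTINSTALL_MANIFEST]) {
  const r = auditManifestJson(text);
  const names = (hooks) => hooks.map((h) => h.hook).join(', ') || 'nothing';
  console.log(`${r.name}@${r.version}: registry install runs ${names(r.registryHooks)}; git install runs ${names(r.gitHooks)}`);
}
```

Two caveats when applying this to the repository above. First, the classification is npm's behaviour; pnpm 10 does not run dependency lifecycle scripts at all unless the package is allowlisted under `pnpm.onlyBuiltDependencies`, so a postinstall in a transitive dependency is inert there until someone approves it. Second, this check only says which scripts would run; the review's separate inspection of the `files` field (whether the referenced script files even ship in the tarball) is still worth doing, because a hook that names a missing file fails loudly at install time rather than silently doing nothing.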

