Update dependencies

[vio]

Summary by CodeRabbit

• Chores
  • Updated CI workflows and actions to newer releases for more reliable and faster builds.
  • Upgraded development and test dependencies to recent versions, improving developer experience, build performance, and test stability.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Warning

Rate limit exceeded

@vio has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 19 minutes and 58 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 060fe61 and ba96e6f.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (1 hunks)

Walkthrough

This PR updates CI workflow action versions and development dependencies. In .github/workflows/ci.yml several actions are upgraded (notably relative-ci/.github/actions/setup-node-npm from v1.1.2 to v1.1.5, and upload/download-artifact actions bumped). In package.json devDependencies are bumped: @eslint/js 9.36.0→9.39.0, @rollup/plugin-typescript 12.1.4→12.3.0, @types/node 24.5.2→24.9.2, eslint 9.36.0→9.38.0, globals 16.4.0→16.5.0, memfs 4.46.1→4.50.0, rollup 4.52.2→4.52.5, typescript 5.9.2→5.9.3, typescript-eslint 8.44.1→8.46.2, and vitest 3.2.4→4.0.6. No API or exported/public declarations were changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Homogeneous version bumps across CI workflow and package manifest.
• Review attention:
  • .github/workflows/ci.yml — verify updated action versions maintain compatible inputs/outputs and runner behavior.
  • package.json — check for potential peer/dependency mismatches and ensure CI installs the updated lockfile; run tests locally/CI to surface regressions.

Possibly related PRs

• Update dependencies #307 — Modifies the same CI workflow and bumps upload/download-artifact action versions and devDependencies.
• Update dependencies #265 — Performs matching GitHub Action version updates and overlapping devDependency bumps.
• Update dependencies #211 — Updates the same CI action reference and several of the same devDependencies.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "Update dependencies" directly and accurately summarizes the main changes in the changeset. Both modified files—.github/workflows/ci.yml and package.json—are focused on updating dependencies: CI workflow actions are updated to newer versions, and devDependencies in package.json are bumped across multiple tools. The title is concise, clear, and uses specific terminology ("dependencies") rather than vague language. A teammate reviewing the commit history would immediately understand that this PR updates project dependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	typescript-eslint@​8.44.1 ⏵ 8.46.2	+1		+1
	vitest@​3.2.4 ⏵ 4.0.6	+1
	@​types/​node@​24.5.2 ⏵ 24.9.2	+1		+1
	globals@​16.4.0 ⏵ 16.5.0			+1	-4
	memfs@​4.46.1 ⏵ 4.50.0	+1		+1
	typescript@​5.9.2 ⏵ 5.9.3			+1
	@​rollup/​plugin-typescript@​12.1.4 ⏵ 12.3.0				+7
	@​eslint/​js@​9.36.0 ⏵ 9.39.0			+10
	eslint@​9.36.0 ⏵ 9.39.0	+1
	rollup@​4.52.2 ⏵ 4.52.5	+1			-1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm typescript under MIT-Khronos-old License: MIT-Khronos-old (package/ThirdPartyNoticeText.txt) License: CC-BY-4.0 (package/ThirdPartyNoticeText.txt) License: LicenseRef-W3C-Community-Final-Specification-Agreement (package/ThirdPartyNoticeText.txt) From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report