Sync upstream ctrf-io/main (picks up Node 24 runtime)#33

Closed
AlecRosenbaum wants to merge 30 commits into main from sync-upstream-main

@AlecRosenbaum

Ref https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

Resyncs closeio/main with ctrf-io/main to pick up upstream's Node 20 → Node 24 runtime bump, which is the last remaining Node 20 deprecation warning in closeio CI (see closeio/closeio#54963 for context — every other action has already been bumped).

After this merges, closeio/closeio will re-pin its github-test-reporter SHA in a follow-up PR.

Conflict resolution

Auto-merge handled all 100+ upstream commits cleanly except package.json and package-lock.json.

  • package.json — kept upstream's dependency versions (they're all newer than what we had) while preserving the closeio-only overrides block for security pins on handlebars, fast-xml-parser, flatted, and lodash. Upstream already pins handlebars to ^4.7.9 in its direct deps, so the only behavioral difference left on this fork is the transitive overrides.
  • package-lock.json — regenerated from the resolved package.json via npm install --package-lock-only (npm 11.12.1, node 24.15.0).

Verification

$ grep -A1 '^runs:' action.yml
runs:
  using: 'node24'
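
An added example, not part of the original PR or the project's code: a Node.js check that a regenerated package-lock.json still honours the `overrides` pins described under "Conflict resolution". The function names, the sample data and the `^4.18.1` lodash spec are constructed for illustration.

```javascript
// Added example: every copy of an overridden package in package-lock.json
// (lockfileVersion 2/3 "packages" map) must satisfy the override spec.
// Handles exact (x.y.z) and caret (^x.y.z, major >= 1) specs; prerelease tags ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function satisfies(version, spec) {
  const caret = spec.startsWith('^');
  const want = parseVersion(caret ? spec.slice(1) : spec);
  const got = parseVersion(version);
  if (!caret) return got.every((n, i) => n === want[i]);
  if (want[0] === 0) throw new Error(`0.x caret not handled: ${spec}`);
  if (got[0] !== want[0]) return false; // caret keeps the major fixed
  if (got[1] !== want[1]) return got[1] > want[1];
  return got[2] >= want[2];
}

function findOverrideViolations(pkg, lock) {
  const overrides = pkg.overrides || {};
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> "b"; the root project has key "".
    const name = path.split('node_modules/').pop();
    const spec = overrides[name];
    // Skip nested (object) overrides and link entries without a version.
    if (typeof spec !== 'string' || !entry.version) continue;
    if (!satisfies(entry.version, spec)) {
      violations.push({ path, version: entry.version, spec });
    }
  }
  return violations;
}

// Constructed sample data, not the fork's real package.json or lockfile.
const samplePkg = { overrides: { handlebars: '^4.7.9', lodash: '^4.18.1' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example' },
    'node_modules/handlebars': { version: '4.7.9' },
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.23' },
  },
};
console.log(findOverrideViolations(samplePkg, sampleLock));
```

A non-empty result means a nested copy escaped the pin, which is the case a hand-merged package.json and a regenerated lockfile can silently produce.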

alexshamrai and others added 30 commits March 21, 2026 10:59
* fix: upgrade action runtime from node20 to node24

* fix: upgrade actions/checkout from v4 to v6

* fix: update node engine requirement and @types/node to v24

* fix: update .node-version and devcontainer to node24

Bumps the npm_and_yarn group with 1 update in the / directory: [flatted](https://github.com/WebReflection/flatted).


Updates `flatted` from 3.3.1 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.1...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.38.3 to 0.38.4.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](vercel/ncc@0.38.3...0.38.4)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-version: 0.38.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…f-io#264)

Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.2.1 to 5.5.5.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/eslint-plugin-prettier@v5.2.1...v5.5.5)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.5
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the npm_and_yarn group with 1 update in the / directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser).


Updates `fast-xml-parser` from 4.5.1 to 5.5.8
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.5.1...v5.5.8)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.5.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…o#272)

Bumps @isaacs/brace-expansion from 5.0.0 to 5.0.1.

---
updated-dependencies:
- dependency-name: "@isaacs/brace-expansion"
  dependency-version: 5.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

When previous run data exists but values haven't changed, the reports
were showing ±0 next to every metric. This was noisy and unhelpful.
Now only actual changes (↑/↓) are displayed.

Affected templates:
- summary-delta-table.hbs
- github.hbs
- fail-rate-table.hbs
- flaky-rate-table.hbs

Closes ctrf-io#273

…-io#266)

Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 28.9.0 to 29.15.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](jest-community/eslint-plugin-jest@v28.9.0...v29.15.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-version: 29.15.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [@octokit/rest](https://github.com/octokit/rest.js) from 21.1.1 to 22.0.1.
- [Release notes](https://github.com/octokit/rest.js/releases)
- [Commits](octokit/rest.js@v21.1.1...v22.0.1)

---
updated-dependencies:
- dependency-name: "@octokit/rest"
  dependency-version: 22.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [prettier-eslint](https://github.com/prettier/prettier-eslint) from 16.3.0 to 16.4.2.
- [Release notes](https://github.com/prettier/prettier-eslint/releases)
- [Changelog](https://github.com/prettier/prettier-eslint/blob/master/CHANGELOG.md)
- [Commits](prettier/prettier-eslint@v16.3.0...v16.4.2)

---
updated-dependencies:
- dependency-name: prettier-eslint
  dependency-version: 16.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.2 to 5.9.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.2...v5.9.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-version: 5.9.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [yargs](https://github.com/yargs/yargs) from 17.7.2 to 18.0.0.
- [Release notes](https://github.com/yargs/yargs/releases)
- [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs@v17.7.2...v18.0.0)

---
updated-dependencies:
- dependency-name: yargs
  dependency-version: 18.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

…args-18.0.0

chore(deps): bump yargs from 17.7.2 to 18.0.0

* chore(deps): apply safe dependabot security updates

* chore(deps): upgrade @actions/artifact 2.3.2 → 5.0.3

Changes:
- @actions/artifact: 2.3.2 → 5.0.3
  Eliminates nested @octokit/request-error@2.1.0 (CVE fix).
  v5 depends directly on @octokit/request-error@^5.1.1.

- Add src/__mocks__/actions-artifact.ts
  v5's @actions/artifact has an updated internal octokit stack
  that Jest (CJS) needed a mock for; follows existing mock pattern.

- package.json: add @actions/artifact mock to moduleNameMapper

Skipped v6+ (ESM-only, incompatible with ncc bundler).

* chore(deps): upgrade glob 11.1.0 → 13.0.6

…s) (ctrf-io#288)

* add explicit permissions to all workflow jobs (fixes CodeQL alerts)

…dates (ctrf-io#289)

Bumps the npm_and_yarn group with 4 updates in the / directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser), [brace-expansion](https://github.com/juliangruber/brace-expansion), [lodash](https://github.com/lodash/lodash) and [picomatch](https://github.com/micromatch/picomatch).


Updates `fast-xml-parser` from 5.5.8 to 5.7.2
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.5.8...v5.7.2)

Updates `brace-expansion` from 1.1.12 to 1.1.14
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.14)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.7.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: migrate to ESM (vitest, tsup, eslint flat config)

- Add 'type: module' to package.json for native ESM
- Replace ncc with tsup (esbuild-based bundler with first-class ESM)
- Replace Jest/ts-jest with Vitest 3
- Replace ts-node with tsx
- Upgrade @actions/artifact from v5 to v6 (pure ESM)
- Add .js extensions to all relative imports (NodeNext requirement)
- Fix bare directory imports (from '.' → './index.js')
- Fix path alias imports to include .js extensions for NodeNext
- Replace __dirname with import.meta.dirname in reports/core.ts
- Add eslint.config.mjs (ESLint v9 flat config)
- Add tsconfig.eslint.json for linting test files with Vitest globals
- Update tsconfig.json excludes for new config files
- Delete .eslintignore (replaced by ignores in eslint.config.mjs)

All 89 tests pass. Full pipeline: format → lint → test → coverage → bundle ✓

* fix: set platform=node in tsup config to resolve Dynamic require error

* fix: add CJS globals banner to tsup config for ESM bundle compatibility

Bundle CJS deps (like @actions/core and yargs) need require(), __dirname
and __filename to be available in ESM scope. Add a banner that injects
these via createRequire and import.meta properties (Node 21.2+).

* fix: add @d2t/vitest-ctrf-json-reporter to generate ctrf/*.json for action self-test

* fix: resolve template basePath via existsSync instead of RUN_MODE to fix ESM import hoisting

* chore: remove CLI mode, yargs dependency, and RUN_MODE env var

…date (ctrf-io#291)

Bumps the npm_and_yarn group with 1 update in the / directory: [minimatch](https://github.com/isaacs/minimatch).


Updates `minimatch` from 9.0.5 to 9.0.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

Updates `minimatch` from 5.1.6 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

Updates `minimatch` from 10.0.3 to 10.2.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v9.0.5...v9.0.9)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 10.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* upgrade @actions/core to v3 and @actions/github to v9 (resolves undici CVEs)

* add check-build job to validate build artifacts before main build
* chore: upgrade all deps/devDeps to latest for v2 candidate

* chore: update coverage badge and rebuild dist files
* feat: migrate to ctrf package types with legacy adapter

Resolves package.json conflict by taking upstream dependency versions while keeping the closeio-specific 'overrides' block for security pins (handlebars, fast-xml-parser, flatted, lodash) intact. package-lock.json regenerated via 'npm install --package-lock-only'.

Upstream bumped the action runtime from node20 to node24 (see action.yml), which is what we're after.