
Update doctoc dependency version to 2.5.0#36328

Open
thompson-tomo wants to merge 1 commit into
microsoft:masterfrom
thompson-tomo:patch-1

Conversation

@thompson-tomo

@thompson-tomo thompson-tomo commented Jun 19, 2026


Previous Behavior

Doctoc 2.0.1 is used, which was released 5+ years ago.

New Behavior

The latest version of doctoc is used, which contains CVE fixes, performance fixes and new functionality which could be utilised.

Related Issue(s)

  • Fixes #

@tudorpopams

Contributor

Confidence Score: 72/100

A reasonable devDependency hygiene bump, but it changes package.json without regenerating yarn.lock, which will fail the repo's frozen-lockfile CI.

Findings

Blockers (must fix before merge)

  • yarn.lock is not updated alongside the bump. package.json:201 now requests doctoc@2.5.0, but yarn.lock still pins doctoc@2.0.1: (yarn.lock:8871) with its old transitive deps. CI runs yarn install --frozen-lockfile in .github/workflows/pr.yml (lines 49, 106, 133, 189) and ~9 other workflows; a frozen install fails when package.json and yarn.lock are out of sync. Fix: run yarn install locally and commit the regenerated yarn.lock.

Warnings (should address)

  • None.

Info (consider)

  • doctoc is only declared (package.json:201) — it isn't referenced by any npm script, tool, or skill, so it's an ad-hoc local TOC generator. The "CVE/perf" upside cited in the PR body applies only to dev-only tooling, not shipped package code.
  • .github/dependabot.yml already performs weekly devDependency minor bumps (versioning-strategy: increase), so this exact update would be automated with a correct lockfile. The manual PR is fine but duplicative.
  • The PR body's Related Issue(s): Fixes # is left blank, and the full build pipeline hasn't run yet (only label + license/cla checks are present — likely pending maintainer approval for an external contributor), so the frozen-lockfile failure hasn't surfaced in checks yet.

Category Breakdown

| Category | Status | Notes |
| --- | --- | --- |
| Change file | PASS | doctoc is a root devDependency; the root package.json is private — no beachball change file required. |
| V9 patterns | PASS | N/A — no component source touched. |
| Dep layers | PASS | Root devDependency; no cross-package dependency introduced. |
| SSR safety | PASS | N/A — no runtime source. |
| Testing | PASS | A devDependency version bump needs no tests. |
| API surface | PASS | No public API change. |
| Accessibility | PASS | N/A. |
| Security/Quality | PASS | Benign bump; the claimed fixes affect dev-only TOC tooling, not published code. |
| Docs coverage | PASS | No story/skill/AGENTS.md/workflow doc references doctoc; nothing to update. |

Recommendation

REQUEST_CHANGES

The change itself is harmless and keeping dev tooling current is good hygiene, but as committed it will fail the yarn install --frozen-lockfile step in the PR pipeline because yarn.lock was not regenerated. Re-run yarn install and commit the updated yarn.lock (which will also refresh doctoc's changed transitive deps); after that this is a safe, low-risk merge.

Posted via the /review-pr skill.
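The blocker above is the classic package.json / yarn.lock drift that `yarn install --frozen-lockfile` rejects. The following is an added example (not code from this PR or the microsoft repository) showing how that drift can be detected locally before pushing: Yarn v1 keys each lockfile entry by the requested pattern `name@range`, so a bumped range with a stale lock simply has no matching key. The sample package.json and yarn.lock contents are constructed to mirror this PR.

```javascript
// Added example (not from the PR or repository): detect package.json / yarn.lock
// drift of the kind that makes `yarn install --frozen-lockfile` fail.
// Yarn v1 keys each lockfile entry by the requested pattern "name@range",
// so a bumped range in package.json with a stale lock has no matching key.

// Parse yarn.lock v1 entry headers into a Set of "name@range" patterns.
function lockfilePatterns(lockText) {
  const patterns = new Set();
  for (const line of lockText.split("\n")) {
    // Entry headers are unindented, end with ':' and are not comments.
    if (!line || line.startsWith(" ") || line.startsWith("#") || !line.endsWith(":")) continue;
    for (const part of line.slice(0, -1).split(", ")) {
      patterns.add(part.replace(/^"|"$/g, ""));
    }
  }
  return patterns;
}

// Return every package.json dependency pattern that yarn.lock does not contain.
function lockfileDrift(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  const patterns = lockfilePatterns(lockText);
  const missing = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const pattern = `${name}@${range}`;
      if (!patterns.has(pattern)) missing.push(pattern);
    }
  }
  return missing;
}

// Constructed sample input mirroring the PR: package.json bumped, lock stale.
const samplePackageJson = JSON.stringify({
  private: true,
  devDependencies: { doctoc: "2.5.0", typescript: "^5.0.0" },
});
const sampleYarnLock = [
  "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.",
  "# yarn lockfile v1",
  "doctoc@2.0.1:",
  '  version "2.0.1"',
  "",
  '"typescript@^5.0.0":',
  '  version "5.4.5"',
  "",
].join("\n");

console.log(lockfileDrift(samplePackageJson, sampleYarnLock)); // [ 'doctoc@2.5.0' ]
```

Run against the real files with `fs.readFileSync`; a non-empty result means the lockfile must be regenerated with `yarn install` and committed alongside the package.json change.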
