Bump sass-loader from 13.3.3 to 16.0.8 #1481

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/sass-loader-16.0.8
dependabot[bot] commented on behalf of github on May 27, 2026

Bumps sass-loader from 13.3.3 to 16.0.8.

Release notes

Sourced from sass-loader's releases.

v16.0.8

16.0.8 (2026-05-08)

Bug Fixes

v16.0.7

16.0.7 (2026-02-05)

Bug Fixes

  • update peer dependency for @rspack/core v2 (#1291) (24d12ec)

v16.0.6

Bug Fixes

  • cache fs calls for modern API

v16.0.5

16.0.5 (2025-02-14)

Bug Fixes

  • allow to import CSS using @use with css extension (#1254) (3352e49)

v16.0.4

16.0.4 (2024-12-04)

Bug Fixes

  • include sources map content for modern api by default (#1250) (70a10ff)

v16.0.3

16.0.3 (2024-11-01)

Bug Fixes

  • modern-compiler: dispose redundant compilers (#1245) (004ed38)

v16.0.2

16.0.2 (2024-09-20)

Bug Fixes

... (truncated)

Changelog

Sourced from sass-loader's changelog.

16.0.8 (2026-05-08)

Bug Fixes

16.0.7 (2026-02-05)

Bug Fixes

  • update peer dependency for @rspack/core v2 (#1291) (24d12ec)

16.0.6 (2025-10-23)

Bug Fixes

  • cache fs calls for modern API

16.0.5 (2025-02-14)

Bug Fixes

  • allow to import CSS using @use with css extension (#1254) (3352e49)

16.0.4 (2024-12-04)

Bug Fixes

  • include sources map content for modern api by default (#1250) (70a10ff)

16.0.3 (2024-11-01)

Bug Fixes

  • modern-compiler: dispose redundant compilers (#1245) (004ed38)

16.0.2 (2024-09-20)

Bug Fixes

16.0.1 (2024-08-19)

Bug Fixes

  • generate correct sourceMaps for modern-compiler api (#1228) (f862f7a)

16.0.0 (2024-07-26)

... (truncated)

Commits
  • 4f00ed5 chore(release): 16.0.8
  • 90e349d fix: normalize separators in getPossibleRequests for Windows (#1308) (#1309)
  • cda2078 chore(deps-dev): bump follow-redirects from 1.15.9 to 1.16.0 (#1306)
  • 128abc0 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#1305)
  • e3df97d chore(deps-dev): bump node-forge from 1.3.3 to 1.4.0 (#1304)
  • ff8005b chore(deps): bump serialize-javascript and terser-webpack-plugin (#1299)
  • 7dd2827 chore(deps-dev): bump flatted from 3.3.2 to 3.4.2 (#1301)
  • 9e6a5e5 chore(deps): bump picomatch (#1300)
  • a488645 chore(deps): bump immutable from 5.0.3 to 5.1.5 (#1298)
  • fe6fe07 chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 (#1297)
  • Additional commits viewable in compare view

Install script changes

This version modifies the prepare script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [sass-loader](https://github.com/webpack/sass-loader) from 13.3.3 to 16.0.8.
- [Release notes](https://github.com/webpack/sass-loader/releases)
- [Changelog](https://github.com/webpack/sass-loader/blob/main/CHANGELOG.md)
- [Commits](webpack/sass-loader@v13.3.3...v16.0.8)

---
updated-dependencies:
- dependency-name: sass-loader
  dependency-version: 16.0.8
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on May 27, 2026
Copilot AI review requested due to automatic review settings May 27, 2026 01:44
Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

cursor (Bot) left a comment

Stale comment

No blocking findings.

Security

  • I did not find any current public advisories or known CVEs affecting sass-loader@16.0.8.
  • The package still resolves to the same direct runtime dependency (neo-async), so this PR does not expand the dependency surface.
  • Dependabot notes an upstream prepare script change, but that is package-maintainer workflow rather than an install-time script this repo executes from the npm registry package. Local yarn install --immutable completed cleanly with no dependency-script issues.

Safety of merging

  • The main breaking changes between 13.3.3 and 16.x are:
    1. 14.0.0 raises the minimum Node version to >=18.12.0 and removes fibers support.
    2. 15.0.0 prefers sass-embedded over sass when both are installed.
    3. 16.0.0 defaults to the modern Sass JS API.
  • This repository already appears aligned with those changes:
    • webpack.config.js explicitly sets sass-loader to api: "modern".
    • The only configured sassOptions use loadPaths, which is valid with the modern API.
    • I did not find legacy-only loader options in this repo (data, file, legacy importer/functions config, etc.).
    • I did not find ~ Sass imports that would raise additional migration concerns.
    • The repo pins Node 20.20.0 in .tool-versions, and CI uses Node 20 in .github/workflows/ci-cd.yml, so the Node floor increase is satisfied in the supported environments.
    • The repo depends on sass, not sass-embedded, so the 15.0.0 default-preference change should not alter behavior here.
  • Net: for this codebase, the semver-major risk is real in general, but the repository is already configured in the direction that sass-loader@16 expects.

Tests

Local:

  • yarn install --immutable
  • yarn lint
  • yarn stylelint
  • CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92 suites, 835 tests passed)
  • yarn build
    • Build completed without Sass errors; only the existing webpack asset-size/performance warnings were reported.

Hosted PR checks at review time:

  • lint
  • test
  • deploy-branch / build-deploy
  • test-cypress is still in progress

I could not complete a local Cypress run in this VM because the Cypress desktop binary was not present and repeated cypress install attempts did not yield a usable local binary here.

Recommendation

Merge.

Residual risk looks low for this repository. The only thing still worth watching is the hosted test-cypress job before merging, since that is the remaining browser-level validation not yet complete in this environment.

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

cursor (Bot) left a comment

No blocking findings.

Security

  • I couldn't find any published CVEs/advisories affecting sass-loader@16.0.8; public package-security sources currently show no known direct vulnerabilities for this package.
  • The runtime supply-chain footprint is effectively unchanged: the lockfile still resolves the same direct dependency (neo-async), and the newly listed @rspack/core peer is optional and unused in this repo.
  • sass-loader does not add preinstall/install/postinstall hooks. Upstream's prepare script changed, but that script is not executed for normal npm registry installs, so it does not introduce new install-time risk here.

Safety Of Merging

  • The meaningful upstream breaking changes across 13.3.3 -> 16.0.8 are: minimum Node version >=18.12.0 (v14), preferring sass-embedded when present (v15), and using the modern Sass JS API by default (v16).
  • This repository looks compatible with those changes: CI is configured for Node 20 in .github/workflows/ci-cd.yml, the webpack rule already opts into api: "modern" in webpack.config.js, and it only uses modern-compatible options (sassOptions.loadPaths and sourceMap).
  • I did not find any repo usage of fibers, node-sass, sass-embedded, or legacy-only loader options that would make this bump risky.

Test Results

  • Local on the PR head:
    • yarn install --immutable
    • yarn lint
    • CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92 suites / 835 tests passed)
    • yarn build ✅ (webpack compiled successfully)
  • I could not complete local Cypress because this VM could not download the Cypress binary from download.cypress.io (SSL_ERROR_SYSCALL / binary not installed).
  • The PR's GitHub Actions test-cypress check has completed successfully, so the hosted full suite is green.

Recommendation

Recommend merge. The main major-version risks are already accounted for by this repo's current setup, and both local CI-style checks and hosted CI passed.

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
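
Both review comments above turn on which lifecycle scripts actually execute on the consumer's machine: a changed prepare script versus preinstall/install/postinstall hooks. The check below is an added example, not part of this PR, the reviews, or sass-loader; it diffs two package.json manifests for lifecycle-script changes and flags only those that run for the given resolution. The manifests, URLs and function names are constructed for illustration.

```javascript
// Added example: classify lifecycle-script changes between two package.json
// manifests. All manifests and URLs below are constructed samples.

// Hooks a package manager runs when installing a published registry tarball.
const REGISTRY_INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Hooks that run on pack/publish, in a source checkout, or (with npm) when
// installing a git dependency, but not for a registry tarball.
const MAINTAINER_HOOKS = ["prepare", "prepack"];

function diffLifecycleScripts(oldManifest, newManifest) {
  const before = oldManifest.scripts || {};
  const after = newManifest.scripts || {};
  const findings = [];
  for (const hook of [...REGISTRY_INSTALL_HOOKS, ...MAINTAINER_HOOKS]) {
    if (before[hook] === after[hook]) continue; // unchanged or absent in both
    findings.push({
      hook,
      before: before[hook] ?? null,
      after: after[hook] ?? null,
      runsOnRegistryInstall: REGISTRY_INSTALL_HOOKS.includes(hook),
    });
  }
  return findings;
}

// `resolved` is the lockfile resolution string (npm-style URL assumed here).
// A git resolution means the maintainer hooks also run at install time.
function needsInstallTimeReview(findings, resolved) {
  const fromGit = /^(git\+|git:|github:)/.test(resolved);
  return findings.some((f) => f.runsOnRegistryInstall || fromGit);
}

// Constructed manifests (not sass-loader's real scripts).
const oldPkg = { scripts: { prepare: "husky install && npm run build" } };
const newPkg = { scripts: { prepare: "husky && npm run build" } };
const withHook = { scripts: { ...newPkg.scripts, postinstall: "node setup.js" } };

const REGISTRY_URL = "https://registry.example.invalid/pkg/-/pkg-2.0.0.tgz";
const GIT_URL = "git+https://git.example.invalid/org/pkg.git#0123abc";

const prepareOnly = diffLifecycleScripts(oldPkg, newPkg);
console.log(prepareOnly);
console.log("registry:", needsInstallTimeReview(prepareOnly, REGISTRY_URL));
console.log("git:", needsInstallTimeReview(prepareOnly, GIT_URL));
console.log("new postinstall:",
  needsInstallTimeReview(diffLifecycleScripts(oldPkg, withHook), REGISTRY_URL));
```

A prepare-only change resolved from a registry tarball is reported but not escalated; the same change resolved from git, or any new postinstall hook, is.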
