build(deps-dev): bump prettier from 3.8.2 to 3.8.3 #2646

Open
dependabot[bot] wants to merge 4 commits into main from dependabot/npm_and_yarn/main/prettier-3.8.3

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps prettier from 3.8.2 to 3.8.3.

Release notes

Sourced from prettier's releases.

3.8.3

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
  sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk: this only updates a dev-only formatting tool and its lockfile entry, with no runtime code changes. Main impact is potential formatting/lint output differences in CI or local workflows.

Overview
Updates the devDependency on prettier from 3.8.2 to 3.8.3 and refreshes package-lock.json to match the new resolved tarball and integrity hash.

Reviewed by Cursor Bugbot for commit e79bc0f. Bugbot is set up for automated code reviews on this repo. Configure here.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [prettier](https://github.com/prettier/prettier) from 3.8.2 to 3.8.3.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.2...3.8.3)

---
updated-dependencies:
- dependency-name: prettier
  dependency-version: 3.8.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Update one or more dependencies version patch Increment the patch version when merged labels Apr 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 20, 2026 12:20
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there are better practices used elsewhere?

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

github-actions Bot commented Apr 20, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/prettier-3.8.3
Commit 5078ca1407
Updated May 22, 2026 at 10:34:17 AM UTC


Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/prettier-3.8.3

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/prettier-3.8.3")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/prettier-3.8.3
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/prettier-3.8.3

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#5078ca1407057a66230d95241bbd1587c2631a94

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "5078ca1407057a66230d95241bbd1587c2631a94")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/prettier-3.8.3
git -C submodules/content-scope-scripts checkout 5078ca1407057a66230d95241bbd1587c2631a94

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label Apr 20, 2026
@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • package.json (47-47) — severity: info
    prettier is bumped from 3.8.2 to 3.8.3 in root devDependencies only. This does not modify injected runtime code paths (injected/src/features/*, wrappers, shims, messaging) and therefore does not alter page-exposed API behavior.
  • package-lock.json (24-24, 8083-8090) — severity: info
    Lockfile updates are limited to the same prettier version/integrity/resolved fields. No additional package entries, no script changes, and no runtime bundle-affecting dependency graph changes are present in this diff.

Security Assessment

  • package.json (47-47) — severity: info
    Change is build-time tooling only; no changes to captured globals usage, message bridge trust checks, origin validation, or runtime injection logic.
  • package-lock.json (8083-8090) — severity: info
    Tarball and integrity hash rotate as expected for a patch upgrade. No new privileged capabilities are introduced in the PR diff itself.

Risk Level

Low Risk — this PR only bumps a dev formatter dependency and corresponding lockfile metadata, with no modifications to web-injected behavior or security-sensitive runtime surfaces.

Recommendations

  1. Run npm ci && npm run lint in CI to validate formatter/lint stability after the patch bump.
  2. Keep this update isolated (as currently done) to reduce blast radius and simplify revert if any formatting edge-case appears in future follow-up commits.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency review for prettier 3.8.2 -> 3.8.3

Confirmed findings

  • Diff scope is dependency metadata only: package.json and package-lock.json version/integrity updates, no source code changes in this PR.
  • Upstream changelog for 3.8.3 contains a single behavior fix: SCSS if() formatting (prevents a trailing comma insertion).
  • This repo currently has no tracked *.scss files, so the only documented formatter behavior change does not have a direct in-repo target.

Coverage / validation impact

  • There is no new runtime code path to cover (dev-only formatter bump).
  • CI already gates this via npm run lint in tests.yml, and lint executes npx prettier . --check, so formatter compatibility with this codebase is exercised in PR checks.

Uncertain concerns (assumptions explicit)

  • Assumption: no external/ignored/generated SCSS artifacts are part of your release flow. If that assumption is wrong, validate formatting output for those files before merge.
  • Minor supply-chain residual risk remains for any package update, but this is a patch release with tightly scoped changelog impact.

Dependency necessity / alternatives

  • prettier is actively used by repo scripts and automation (lint, lint-fix, formatting workflow/hooks), so it is still needed.
  • No better-practice replacement indicated by current repo conventions; keeping Prettier pinned and patch-current is appropriate.

Action

  • No concrete security or breakage concerns found for this update.
  • No follow-up fix PR is needed from this review.

Sent by Cursor Automation: Review dependabot

github-actions Bot commented Apr 24, 2026

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:34:59 GMT

@cursor cursor Bot left a comment

Web Compatibility Assessment

  • File: package.json
    Line range: devDependencies.prettier version bump hunk
    Severity: info
    Assessment: The change is limited to a dev-tool version update (3.8.2 → 3.8.3). No injected runtime code paths, API shims, wrapper utilities, feature lifecycle hooks (load/init/urlChanged), or platform entry points are modified, so no web-compat regression vector is introduced in content scope execution.

  • File: package-lock.json
    Line range: root devDependencies.prettier entry + node_modules/prettier resolved/integrity hunk
    Severity: info
    Assessment: Lockfile changes are consistent with the same single dependency bump. No transitive runtime dependency movement affecting injected/browser-executed code was introduced by this diff.

Security Assessment

  • File: package.json
    Line range: devDependencies.prettier version bump hunk
    Severity: info
    Assessment: No changes to security-sensitive surfaces (captured-globals, wrapper-utils, DDGProxy, messaging transports, message bridge checks, iframe handling, or config gating). Threat model exposure for hostile page environments is unchanged.

  • File: package-lock.json
    Line range: node_modules/prettier metadata hunk
    Severity: info
    Assessment: Integrity hash and tarball URL update reflect expected lockfile refresh for the Prettier patch release. This is a build-time tool update only; no new runtime exfiltration or prototype attack surface appears in this PR.

Risk Level

Low Risk — the PR is a scoped dev-dependency patch update with no modifications to injected runtime logic, browser API overrides, messaging boundaries, or security controls.

Recommendations

  1. Run standard CI gates (lint, test-unit) to validate no formatting-rule behavior changes impact generated artifacts or snapshot expectations.
  2. Optional hardening: keep Prettier pinned exactly (current approach) rather than a range, to preserve deterministic formatting across developer environments.
  3. Alternative approach: if dependency churn is a concern, batch formatter-only bumps into periodic toolchain-update PRs while keeping security-sensitive injected code PRs isolated.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency Risk Review: prettier 3.8.2 → 3.8.3

Confirmed findings

  • No blocking security or behavior risk found in this repo from this bump.
  • PR diff only updates prettier in package.json and package-lock.json.
  • Upstream 3.8.3 release notes list a single functional fix: SCSS if() trailing comma handling.
  • This repository currently has no .scss/.sass sources and no sass( usage, so the upstream functional fix appears non-applicable to project code paths.
  • prettier is still required here (used by lint, lint-fix, and formatting automation), so removal is not recommended.

Uncertain concerns (non-blocking)

  • Upstream compare also includes internal packaging/parser churn (including oxc-parser updates inside Prettier’s own repo history). While not reflected as direct dependency graph changes in this PR, formatter edge-case output can still drift between patch releases.
  • Assumption: no workflows rely on SCSS formatting semantics from Prettier; if that assumption is wrong, validate with SCSS fixtures before merge.

Coverage and validation evidence

  • Upstream added regression coverage for the SCSS if() fix.
  • In this PR, existing CI evidence is mostly green for unit/integration paths; the observed failing/cancelled unit checks failed before test execution at cache/setup steps, so they are not evidence of a formatter regression.

Follow-up PR

  • No follow-up/fix PR is required based on current evidence.
  • Optional hardening follow-up (separate PR): switch script invocations from npx prettier to local binary invocation (prettier or npx --no-install prettier) to reduce accidental remote package execution paths in developer environments.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Dependency update review: no confirmed issues found.

Evidence reviewed:

  • The PR only updates the root prettier devDependency and lockfile entry from 3.8.2 to 3.8.3; no runtime dependencies or transitive dependencies are added.
  • Prettier 3.8.3 changelog lists a single fix: SCSS if() formatting no longer emits a trailing comma. This repo has no .scss or .sass files, so expected repo impact is limited to normal formatter execution.
  • prettier is still used by npm run lint, npm run lint-fix, .cursor/hooks/format.sh, and the bot-format workflow, so it remains an active dev dependency.
  • Local validation with the updated lockfile passed: npm ci, npx --no-install prettier --version => 3.8.3, npx --no-install prettier . --check, and npm run build && npm run lint.
  • npm audit did not report any prettier-related advisories. The existing audit total is broader repo state and not attributable to this update.

Residual validation: GitHub CI was still in progress when checked, so merge should still wait for the normal ci-gate. No separate fix PR is needed from this review.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Dependency update review: no confirmed issues found.

Evidence checked:

  • Diff only updates the direct dev dependency prettier from 3.8.2 to 3.8.3 in package.json and package-lock.json.
  • Prettier 3.8.3 changelog contains one formatter fix: SCSS if() should not receive a trailing comma.
  • Repository search found no *.scss or *.sass files and no CSS-family if( matches, so the changelogged behavior does not currently affect tracked source formatting.
  • prettier is still used by npm run lint, npm run lint-fix, and the bot-format workflow, so the dependency remains justified.
  • npm metadata for prettier@3.8.3 matches the lockfile integrity.
  • Local validation passed: npm ci and npx prettier . --check.
  • GitHub CI gate is green for the PR run.

No separate fix PR is needed from this review.

Sent by Cursor Automation: Review dependabot
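
The reviews above rest on two lockfile claims: the diff touches only prettier's version/resolved/integrity fields, and the pinned integrity matches the tarball. The following is an added example, not code from this repository or from any of the bots, showing one way to check both. It assumes the lockfileVersion 3 `packages` layout; the tarball bytes, registry URL, and the `example-dep` and `extra-dep` entries are constructed placeholders.

```javascript
const crypto = require("node:crypto");

const BUMP_FIELDS = new Set(["version", "resolved", "integrity"]);
const union = (a = {}, b = {}) => new Set([...Object.keys(a), ...Object.keys(b)]);
const same = (x, y) => JSON.stringify(x) === JSON.stringify(y);

// List every lockfile change that is not part of a plain bump of `name`.
function auditLockfileBump(before, after, name) {
  const findings = [];
  for (const path of union(before.packages, after.packages)) {
    const a = before.packages[path], b = after.packages[path];
    if (!a || !b) { findings.push(`${path || "<root>"}: entry ${a ? "removed" : "added"}`); continue; }
    for (const field of union(a, b)) {
      if (same(a[field], b[field])) continue;
      // Root entry: only the bumped package's devDependencies spec may move.
      const rootOk = path === "" && field === "devDependencies" &&
        [...union(a[field], b[field])].every((k) => k === name || a[field]?.[k] === b[field]?.[k]);
      const pkgOk = path === `node_modules/${name}` && BUMP_FIELDS.has(field);
      if (!rootOk && !pkgOk) findings.push(`${path || "<root>"}: unexpected change in ${field}`);
    }
  }
  return findings;
}

// Compare tarball bytes with an SRI value of the form "sha512-<base64>".
function matchesIntegrity(tarball, integrity) {
  const sep = integrity.indexOf("-");
  if (integrity.slice(0, sep) !== "sha512") return false; // accept sha512 only
  const digest = crypto.createHash("sha512").update(tarball).digest("base64");
  return digest === integrity.slice(sep + 1);
}

// Constructed sample data: placeholder bytes and URLs, not the real prettier tarballs.
const sri = (buf) => "sha512-" + crypto.createHash("sha512").update(buf).digest("base64");
const [OLD_TGZ, NEW_TGZ] = ["3.8.2", "3.8.3"].map((v) => Buffer.from(`constructed ${v} tarball`));
const lock = (version, tgz, extra = {}) => ({
  packages: {
    "": { devDependencies: { prettier: version, "example-dep": "1.0.0" } },
    "node_modules/prettier": { version, dev: true, integrity: sri(tgz),
      resolved: `https://registry.example/prettier-${version}.tgz`, ...extra.prettier },
    "node_modules/example-dep": { version: "1.0.0", dev: true },
    ...extra.packages,
  },
});
const BEFORE = lock("3.8.2", OLD_TGZ);
const AFTER_CLEAN = lock("3.8.3", NEW_TGZ);
const AFTER_SUSPECT = lock("3.8.3", NEW_TGZ, { prettier: { hasInstallScript: true },
  packages: { "node_modules/extra-dep": { version: "0.0.1" } } });
```

`auditLockfileBump(BEFORE, AFTER_CLEAN, "prettier")` returns an empty list, while the `AFTER_SUSPECT` lockfile yields one finding for the new `hasInstallScript` flag and one for the added package entry.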
