
build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 #2649

Open
dependabot[bot] wants to merge 4 commits into main from dependabot/npm_and_yarn/main/fast-check-4.7.0

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps fast-check from 4.6.0 to 4.7.0.

Release notes

Sourced from fast-check's releases.

Unicode property support in stringMatching

[Code][Diff]

Features

  • (PR#6866) Reversible json arbitrary
  • (PR#6868) Parse \p{} and \P{} in stringMatching
  • (PR#6870) Support for \p{UnicodeProperty} in stringMatching
  • (PR#6871) Support negated unicode properties in stringMatching

Fixes

  • (PR#6710) CI: Pass explicit string to make_latest
  • (PR#6714) CI: Remove unused vite dependency from multiple packages
  • (PR#6780) CI: Silent zizmor issues (as they used to be)
  • (PR#6786) CI: Configure release workflow settings for announcements
  • (PR#6787) CI: Add force-build-status-execution label trigger to CI workflow
  • (PR#6818) CI: Push tag after creating draft release
  • (PR#6827) CI: Update CSP for our playgrounds backed by stackblitz
  • (PR#6832) CI: Add format/lint/typecheck hooks for Claude Code
  • (PR#6834) CI: Fix Claude's session start hook
  • (PR#6852) CI: Skip website prebuild remote fetches on cloud Claude Code
  • (PR#6869) CI: Add workflow to clean up GitHub Actions caches
  • (PR#6789) Clean: Remove unused code identified by knip
  • (PR#6711) Doc: Release note for version 4.6.0
  • (PR#6756) Doc: Fix typo in the documentation
  • (PR#6758) Doc: Add rugk as doc contributor
  • (PR#6764) Doc: Document gitmoji PR naming
  • (PR#6776) Doc: Add nielk as code contributor
  • (PR#6753) Doc: Migrate playgrounds in documentation to StackBlitz
  • (PR#6830) Doc: Switch to ?raw imports for advents
  • (PR#6836) Doc: Add Vitest documentation guide for setting up property-based testing
  • (PR#6833) Doc: Remove dead doc hub pages
  • (PR#6855) Doc: Integrate API reference natively into our doc
  • (PR#6867) Doc: Simplify examples
  • (PR#6835) Script: Migrate from ESLint to oxlint
  • (PR#6872) Script: Rework hooks for Claude Code
  • (PR#6754) Test: Migrate race condition tests to Vitest
  • (PR#6859) Test: Stabilize flaky timeout tests on Windows

Changelog

Sourced from fast-check's changelog.

4.7.0

Unicode property support in stringMatching [Code][Diff]

Features

  • (PR#6866) Reversible json arbitrary
  • (PR#6868) Parse \p{} and \P{} in stringMatching
  • (PR#6870) Support for \p{UnicodeProperty} in stringMatching
  • (PR#6871) Support negated unicode properties in stringMatching

Fixes

  • (PR#6710) CI: Pass explicit string to make_latest
  • (PR#6714) CI: Remove unused vite dependency from multiple packages
  • (PR#6780) CI: Silent zizmor issues (as they used to be)
  • (PR#6786) CI: Configure release workflow settings for announcements
  • (PR#6787) CI: Add force-build-status-execution label trigger to CI workflow
  • (PR#6818) CI: Push tag after creating draft release
  • (PR#6827) CI: Update CSP for our playgrounds backed by stackblitz
  • (PR#6832) CI: Add format/lint/typecheck hooks for Claude Code
  • (PR#6834) CI: Fix Claude's session start hook
  • (PR#6852) CI: Skip website prebuild remote fetches on cloud Claude Code
  • (PR#6869) CI: Add workflow to clean up GitHub Actions caches
  • (PR#6789) Clean: Remove unused code identified by knip
  • (PR#6711) Doc: Release note for version 4.6.0
  • (PR#6756) Doc: Fix typo in the documentation
  • (PR#6758) Doc: Add rugk as doc contributor
  • (PR#6764) Doc: Document gitmoji PR naming
  • (PR#6776) Doc: Add nielk as code contributor
  • (PR#6753) Doc: Migrate playgrounds in documentation to StackBlitz
  • (PR#6830) Doc: Switch to ?raw imports for advents
  • (PR#6836) Doc: Add Vitest documentation guide for setting up property-based testing
  • (PR#6833) Doc: Remove dead doc hub pages
  • (PR#6855) Doc: Integrate API reference natively into our doc
  • (PR#6867) Doc: Simplify examples
  • (PR#6835) Script: Migrate from ESLint to oxlint
  • (PR#6872) Script: Rework hooks for Claude Code
  • (PR#6754) Test: Migrate race condition tests to Vitest
  • (PR#6859) Test: Stabilize flaky timeout tests on Windows

Commits
  • fd1a184 🔖 Update CHANGELOG.md for fast-check@4.7.0 (#6873)
  • 6661a31 ✨ Support negated unicode properties in stringMatching (#6871)
  • 332f905 ✨ Support for \p{UnicodeProperty} in stringMatching (#6870)
  • 285ed56 ✨ Parse \p{} and \P{} in stringMatching (#6868)
  • 1e5d774 ✨ Reversible json arbitrary (#6866)
  • f16e672 📝 Integrate API reference natively into our doc (#6855)
  • e82af33 🔨 Migrate from ESLint to oxlint (#6835)
  • a82f7a1 ⬆️ Update dependency typedoc to ^0.28.19 (#6847)
  • 104640c ⬆️ Update dependency @microsoft/api-extractor to ^7.58.2 (#6828)
  • b3c86c2 ⬆️ Update typescript-eslint monorepo to ^8.58.1 (#6826)
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk devDependency bump only, but it may change property-based test generation behavior and impact test stability/coverage.

Overview
Updates the fast-check devDependency from 4.6.0 to 4.7.0 across the root/injected and special-pages packages, and refreshes package-lock.json to the new resolved tarball and integrity hash.

Reviewed by Cursor Bugbot for commit d2101de. Bugbot is set up for automated code reviews on this repo. Configure here.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [fast-check](https://github.com/dubzzz/fast-check/tree/HEAD/packages/fast-check) from 4.6.0 to 4.7.0.
- [Release notes](https://github.com/dubzzz/fast-check/releases)
- [Changelog](https://github.com/dubzzz/fast-check/blob/main/packages/fast-check/CHANGELOG.md)
- [Commits](https://github.com/dubzzz/fast-check/commits/v4.7.0/packages/fast-check)

---
updated-dependencies:
- dependency-name: fast-check
  dependency-version: 4.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Update one or more dependencies version minor Increment the minor version when merged labels Apr 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 20, 2026 12:21
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.


github-actions Bot commented Apr 20, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/fast-check-4.7.0
Commit d1264a86f0
Updated May 22, 2026 at 10:34:20 AM UTC

Static preview entry points

  • Docs
  • Static pages
  • Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/fast-check-4.7.0

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/fast-check-4.7.0")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/fast-check-4.7.0
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/fast-check-4.7.0

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#d1264a86f0b7058c78fe1618c0bfa91c38270aca

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "d1264a86f0b7058c78fe1618c0bfa91c38270aca")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/fast-check-4.7.0
git -C submodules/content-scope-scripts checkout d1264a86f0b7058c78fe1618c0bfa91c38270aca

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label Apr 20, 2026

@cursor cursor Bot left a comment


Stale comment

Web Compatibility Assessment

  • injected/package.json (devDependencies fast-check), special-pages/package.json (devDependencies fast-check), package-lock.json (lockfile resolution updates) — severity: info
    Change scope is dependency metadata only (fast-check 4.6.0 → 4.7.0) with no edits to injected runtime feature code, wrapper/shim utilities, API overrides, platform entry points, or DOM interaction paths. No observed risk to API surface fidelity, prototype-chain behavior, or third-party script compatibility from changed lines.

Security Assessment

  • injected/package.json, special-pages/package.json, package-lock.json — severity: info
    This PR does not modify hostile-page trust-boundary code (captured globals, message bridge, transport validation, exemption logic, or iframe/origin handling). fast-check remains a dev-only dependency here, so there is no direct production-path expansion of attack surface from the diff itself.

Risk Level

Low Risk — Dependency-only dev-tooling bump with lockfile refresh; no runtime JavaScript injection or security-control-path modifications.

Recommendations

  1. Keep CI coverage for property-based tests enabled in both injected and special-pages to catch generator/arb behavior shifts introduced by fast-check updates.
  2. If determinism becomes an issue after the bump, standardize seeded runs in affected tests to reduce flake sensitivity.
  3. Alternative hardening option: consider exact pinning (or workspace-level override) for fast-check in CI-critical lanes if reproducibility is prioritized over automatic minor uptake.

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Stale comment

Dependency Risk Review: fast-check 4.6.0 → 4.7.0

Confirmed findings

No blocking issues found.

Evidence:

  • PR diff is limited to version metadata in injected/package.json, special-pages/package.json, and package-lock.json.
  • Lockfile shows only node_modules/fast-check tarball/version changed (4.6.0 → 4.7.0); no additional transitive churn in this diff.
  • Upstream changelog for 4.7.0 lists feature additions mainly around stringMatching unicode property parsing (\\p{} / \\P{}) plus reversible json arbitrary, with no breaking-change notes.

Test coverage check

  • fast-check is actively used in property tests in both affected workspaces (injected/unit-test/*properties*, injected/unit-test/timer-utils.js, special-pages/unit-test/color.spec.mjs, special-pages/unit-test/translations.mjs).
  • Executed test validation:
    • npm run test-unit --workspace injected → pass (889 specs, 0 failures)
    • npm run test-unit --workspace special-pages → pass (104 tests, 0 failures)

Uncertain / low-confidence concerns (non-blocking)

  1. Generator behavior drift risk (low): fast-check minor updates can shift generated-case distributions/shrinking behavior. This can subtly change fuzzing signal over time even when tests pass in a single run.

    • Assumption: this repo does not rely on deterministic fast-check failure shrinking output as a contract.
    • Validation if desired: run CI with multiple seeds for the few property suites using fc.stringMatching.
  2. Scope of new unicode regex support not directly exercised: repo usages of fc.stringMatching are ASCII regexes, so new unicode-property support paths in 4.7.0 are not directly covered here.

    • This is acceptable for current usage; just noting coverage boundary.

Is dependency still needed?

Yes. fast-check is still justified: it is used by multiple property-based test suites across injected and special-pages, and remains a dev-only dependency (not shipped in runtime bundles).

Separate fix PR

No follow-up fix PR is needed from this review.


Sent by Cursor Automation: Review dependabot


github-actions Bot commented Apr 24, 2026

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:35:00 GMT


@cursor cursor Bot left a comment


Stale comment

Web Compatibility Assessment

  • injected/package.json (around 53-57) — info: fast-check dev dependency bumped from ^4.6.0 to ^4.7.0. This does not modify injected feature code, wrapper utilities, platform entry points, or any browser API shim surface, so no direct site compatibility regression vector is introduced.
  • special-pages/package.json (around 31-35) — info: same dev dependency bump in special-pages workspace only; no runtime JS/CSS behavior change on embedded pages from this diff alone.
  • package-lock.json (around 55-57, 4726-4734, 10891-10895) — info: lockfile refresh consistent with manifest updates; no additional runtime dependency tree changes beyond fast-check package metadata/version.

Security Assessment

  • injected/package.json / special-pages/package.json / package-lock.json (lines above) — info: change is limited to test tooling (devDependencies) and lockfile integrity hashes; no modifications to captured globals, message bridge, transports, wrapper/shim logic, exemption logic, or any runtime code executing in hostile page contexts.
  • package-lock.json (node_modules/fast-check entry) — info: integrity hash updated as expected for new tarball; no suspicious transitive additions in this diff segment.

Risk Level

Low Risk — dependency-only dev-tooling bump with no production injected-script code changes and no touched security-sensitive subsystems.

Recommendations

  1. Run npm run test-unit (or targeted workspace unit suites using property-based tests) to catch any behavioral differences in arbitraries/shrinking introduced by fast-check 4.7.0.
  2. If deterministic CI reproducibility is prioritized over automatic patch/minor pickup, consider pinning exact fast-check versions instead of caret ranges in workspace manifests.
  3. Keep Dependabot lockfile-only updates isolated (as here) to preserve rollback simplicity if test flakiness appears.

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Dependency review for fast-check 4.6.0 -> 4.7.0:

Confirmed Findings

No blocking security or behavior regressions found in this PR diff.

Evidence:

  • Diff only updates manifests/lockfile: injected/package.json, special-pages/package.json, package-lock.json.
  • fast-check is a dev-only dependency in both workspaces (test-time only).
  • Repository callsites are limited to property-based unit tests in injected/unit-test/* and special-pages/unit-test/*.
  • Targeted validation passed after install:
    • npm run test-unit -w injected (889 specs passed, 0 failures)
    • npm run test-unit -w special-pages (104 tests passed, 0 failures)

Changelog Impact Assessment (4.7.0)

Upstream 4.7.0 changes are mainly:

  • reversible json arbitrary
  • stringMatching support for Unicode property escapes (\p{} / \P{})

Impact on this repo appears low:

  • We use fc.stringMatching(...), but current patterns are ASCII-focused and do not use Unicode property escapes.
  • No production/runtime code imports fast-check; usage remains test-only.

Uncertain / Residual Risk

Non-blocking: stringMatching parser updates can still subtly alter generated case distribution and shrinking behavior, potentially changing deterministic seeds or exposing latent flaky assertions over time. Current unit runs did not reproduce issues, but CI history should be watched for new test flake patterns.

Dependency Necessity / Alternatives

fast-check is still actively used and provides broad negative-input coverage that would be expensive to replace with ad-hoc loops.

  • Alternative if we want to reduce third-party surface: replace selected properties with deterministic fixture tests in high-value paths only.
  • Tradeoff: reduced fuzz coverage and less ability to discover edge cases.

No follow-up fix PR is needed based on current evidence.


Sent by Cursor Automation: Review dependabot


dependabot Bot commented on behalf of github May 20, 2026

A newer version of fast-check exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.


@cursor cursor Bot left a comment


Web Compatibility Assessment

  • File: injected/package.json; lines 53-57; severity: info
    fast-check is bumped only in devDependencies. This does not change injected runtime feature code, wrapper utilities, browser API shims, platform entry points, DOM manipulation, or third-party script-visible behavior.
  • File: special-pages/package.json; lines 31-35; severity: info
    Same dev-only property-testing dependency bump. No embedded page runtime code, CSS, messaging contract, or browser API interaction is modified by this diff.
  • File: package-lock.json; relevant package and workspace dependency entries; severity: info
    Lockfile update is consistent with fast-check 4.6.0 -> 4.7.0; transitive dependency remains pure-rand only, with no additional dependency-tree expansion observed.

Security Assessment

  • File: injected/package.json; lines 53-57; severity: info
    No change to hostile-page trust-boundary code: captured globals, wrapper/shim primitives, message bridge, origin validation, stack-trace exemptions, iframe access, or load-time injected behavior are untouched.
  • File: special-pages/package.json; lines 31-35; severity: info
    fast-check remains test tooling only; it is not part of production special-page bundles from this diff.
  • File: package-lock.json; relevant node_modules/fast-check entry; severity: info
    Tarball metadata/integrity changed as expected for the version bump, with no new runtime package surface introduced.

Risk Level

Low Risk — dependency-only dev-tooling bump with no production injected-script or security-control-path changes.

Recommendations

  1. No blocking changes needed.
  2. Keep property-based unit suites in CI for both affected workspaces to catch future arbitrary/shrinking behavior drift.
  3. If deterministic CI output becomes important, consider exact pinning for fast-check; otherwise the current caret range is consistent with normal Dependabot minor updates.

Validation performed:

  • npm ci
  • npm run build --workspace injected
  • npm run test-unit --workspace injected (929 specs, 0 failures)
  • npm run test-unit --workspace special-pages (104 tests, 0 failures)

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Dependency risk review for fast-check 4.6.0 -> 4.7.0:

No confirmed concerns found.

Evidence checked:

  • Diff only updates fast-check in injected/package.json, special-pages/package.json, and package-lock.json; the lockfile entry remains dev: true.
  • Upstream 4.7.0 changelog lists new fc.stringMatching support for Unicode property escapes (\p{} / \P{}) and reversible fc.json() shrinking. Current repo usage imports fast-check only from unit/property tests; there is no fc.json() usage, and existing fc.stringMatching regexes use ASCII character classes rather than Unicode-property escapes.
  • Package metadata did not show a dependency/engine/maintainer/license change relevant to this bump: still pure-rand@^8.0.0, Node >=12.17.0, MIT, same npm maintainer, 11 package files.
  • npm audit --package-lock-only did not attribute any advisory to fast-check or pure-rand. It still reports unrelated pre-existing advisories elsewhere in the tree.

Validation run:

  • npm run build --workspace injected
  • npm run test-unit --workspace injected passed: 929 specs, 0 failures, 16 pending
  • npm run test-unit --workspace special-pages passed: 104 tests, 0 failures

I did not draft a separate fix PR because I did not identify a required fix for this dependency update.


Sent by Cursor Automation: Review dependabot


@cursor cursor Bot left a comment


No blocking dependency-update concerns found.

Reviewed fast-check 4.6.0 -> 4.7.0 against the upstream release notes. The release adds reversible json arbitrary behavior and Unicode property support in stringMatching; I did not find breaking changes called out. In this repo fast-check is only a devDependency used by unit/property tests, so there is no production runtime/privacy surface change. The current stringMatching usages are simple ASCII regexes, and I found no fc.json usage.

Validation performed:

  • npm ci
  • npm ls fast-check --all confirms fast-check@4.7.0 for injected and special-pages
  • npm run test-unit -w injected -- unit-test/utils-properties.spec.js unit-test/timer-utils.js unit-test/cookie-properties.spec.js unit-test/config-feature-properties.spec.js unit-test/broker-protection.js unit-test/broker-protection-extractors.js passed, 140 specs
  • npm run test-unit -w special-pages passed
  • npm audit report has no advisories involving fast-check or pure-rand
  • GitHub CI gate is green, including unit and integration jobs

No separate fix PR drafted because I did not find changes needed.


Sent by Cursor Automation: Review dependabot
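
The lockfile checks the reviews above describe (only the fast-check entry changes, it stays dev: true, its tarball and integrity are refreshed, pure-rand stays its only dependency) can be written as a diff over two lockfile `packages` maps. This is an added example, not code from the PR or the repository; the lockfile fragments, integrity placeholders, the `extra-helper` package and the registry-host policy are constructed assumptions.

```javascript
// Constructed lockfile fragments in npm's lockfileVersion 3 "packages" layout.
// Integrity strings are placeholders, not real hashes.
const REGISTRY_HOST = 'registry.npmjs.org'; // assumption: public npm registry only
const FIELDS = ['version', 'resolved', 'integrity', 'dev', 'dependencies'];

const pureRand = {
  version: '8.0.0',
  resolved: 'https://registry.npmjs.org/pure-rand/-/pure-rand-8.0.0.tgz',
  integrity: 'sha512-PLACEHOLDERpurerand',
  dev: true,
};
const fastCheck = (version, extra = {}) => ({
  version,
  resolved: `https://registry.npmjs.org/fast-check/-/fast-check-${version}.tgz`,
  integrity: `sha512-PLACEHOLDERfastcheck${version}`,
  dev: true,
  dependencies: { 'pure-rand': '^8.0.0' },
  ...extra,
});

const lockBefore = { 'node_modules/fast-check': fastCheck('4.6.0'), 'node_modules/pure-rand': pureRand };
const lockAfter = { 'node_modules/fast-check': fastCheck('4.7.0'), 'node_modules/pure-rand': pureRand };
// Constructed "bad" bump: off-registry tarball, dev flag dropped, extra package.
const lockSuspicious = {
  ...lockAfter,
  'node_modules/fast-check': fastCheck('4.7.0', {
    resolved: 'https://example.invalid/fast-check-4.7.0.tgz',
    dev: undefined,
  }),
  'node_modules/extra-helper': {
    version: '1.0.0',
    resolved: 'https://registry.npmjs.org/extra-helper/-/extra-helper-1.0.0.tgz',
    integrity: 'sha512-PLACEHOLDERextrahelper',
    dev: true,
  },
};

// Returns a list of findings; an empty list means the lockfile diff is
// exactly the expected single-package bump and nothing else.
function reviewLockfileBump(before, after, bump) {
  const findings = [];
  const target = `node_modules/${bump.name}`;
  let targetChanged = false;
  const paths = [...new Set([...Object.keys(before), ...Object.keys(after)])].sort();

  for (const path of paths) {
    const oldEntry = before[path];
    const newEntry = after[path];
    if (!newEntry) { findings.push(`removed package: ${path}`); continue; }

    // Source and integrity checks apply to every entry that has a tarball.
    if (newEntry.resolved) {
      const host = new URL(newEntry.resolved).hostname;
      if (host !== REGISTRY_HOST) findings.push(`off-registry source for ${path}: ${host}`);
      if (!/^sha512-/.test(newEntry.integrity || '')) findings.push(`weak or missing integrity: ${path}`);
    }
    if (!oldEntry) { findings.push(`added package: ${path}`); continue; }

    const changed = FIELDS.filter((f) => JSON.stringify(oldEntry[f]) !== JSON.stringify(newEntry[f]));
    if (changed.length === 0) continue;
    if (path !== target) { findings.push(`unexpected change in ${path}: ${changed.join(', ')}`); continue; }

    targetChanged = true;
    if (oldEntry.version !== bump.from || newEntry.version !== bump.to) {
      findings.push(`version is ${oldEntry.version} -> ${newEntry.version}, expected ${bump.from} -> ${bump.to}`);
    }
    if (changed.includes('dev')) findings.push(`dev flag changed for ${path}`);
    if (changed.includes('dependencies')) findings.push(`dependency ranges changed for ${path}`);
    if (changed.includes('version') && !changed.includes('integrity')) {
      findings.push(`version changed but integrity did not: ${path}`);
    }
  }
  if (!targetChanged) findings.push(`${target} was not bumped`);
  return findings;
}
```

To use it on a real checkout, pass the `packages` objects parsed from the base and head revisions of package-lock.json.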
