build(deps-dev): bump @types/node from 25.6.2 to 25.9.0 in the typescript group across 1 directory

[dependabot]

Bumps the typescript group with 1 update in the / directory: @types/node.

Updates @types/node from 25.6.2 to 25.9.0

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

Note

Low Risk
Low risk dev-dependency update that only affects TypeScript/Node type definitions, though it may surface new type-checking differences in builds/tests.

Overview
Updates the injected workspace dev dependency @types/node from 25.6.2 to 25.9.0 and refreshes package-lock.json accordingly.

The lockfile change also pulls in the newer undici-types version/range required by the updated Node typings.

^{Reviewed by Cursor Bugbot for commit 441afb5. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Build Branch

Branch	pr-releases/dependabot/npm_and_yarn/main/typescript-68ebe471cf
Commit	b815708d05
Updated	May 22, 2026 at 10:34:17 AM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/typescript-68ebe471cf

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/typescript-68ebe471cf")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-68ebe471cf
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/typescript-68ebe471cf

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#b815708d05eda03a5764c7ede7b8a962ac5ff24d

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "b815708d05eda03a5764c7ede7b8a962ac5ff24d")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/typescript-68ebe471cf
git -C submodules/content-scope-scripts checkout b815708d05eda03a5764c7ede7b8a962ac5ff24d

[github-actions]

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

[cursor]

Stale comment

No blocking dependency-update concerns found.

Evidence reviewed:

• Diff only updates @types/node in injected/package.json and the lockfile from 25.6.2 to 25.9.0; transitive undici-types moves from 7.19.2 to 7.24.6.
• @types/node has no conventional changelog, so I compared the published npm package diff. Notable type-surface changes are Node 25 declaration updates around async_hooks, fs.stat* overloads, http2, process, quic, sqlite, stream, test, url.format deprecation/overloads, plus new node:stream/iter and node:zlib/iter declarations. undici-types adds/updates declarations such as Socks5ProxyAgent and WebSocket.close(options).
• This repo’s tsconfig.json uses allowJs/checkJs and includes all @types, so ambient Node type changes are relevant; code search did not find repo usage of the most compatibility-sensitive changed APIs such as url.format/url.resolve, node:stream/iter, node:zlib/iter, or direct undici APIs. Existing statSync usage still compiles.
• Supply-chain/runtime risk is low: both changed packages are MIT, declaration-only dev dependencies; @types/node@25.9.0 has an empty scripts object and undici-types@7.24.6 publishes only *.d.ts files.

Validation run:

• npm ci
• npm run build-locales -w injected && npm run build-surrogates -w injected
• npm run tsc
• npm run tsc-strict-core
• npm run build -w injected
• npm run test-unit -w injected => 905 specs, 0 failures, 16 pending

No separate fix PR drafted because I did not find an issue requiring changes. The dependency still appears needed for the injected workspace’s Node-based scripts/tests and checked JS imports from fs, path, child_process, etc.

  

_{Sent by Cursor Automation: Review dependabot}

[cursor]

Web Compatibility Assessment

No findings.

Changed files are limited to injected/package.json and package-lock.json, updating dev-only TypeScript declarations (@types/node and transitive undici-types). There are no changes to injected runtime code, wrapper utilities, API shims, DOM manipulation, feature lifecycle code, platform entry points, or remote config behavior.

Security Assessment

No findings.

The PR does not touch captured globals, message bridge/transports, origin validation, DDGProxy, stack-trace exemptions, iframe access, network requests, or any hostile-page execution path. The updated npm metadata shows @types/node@25.9.0 has an empty scripts object, and both updated packages are MIT declaration packages.

Risk Level

Low Risk: dependency-only dev type update with no bundled runtime surface change for injected scripts.

Recommendations

No code changes requested. Validation run locally: npm ci; then after standard generated prerequisites, npm run tsc and npm run tsc-strict-core passed.

  

_{Sent by Cursor Automation: Web compat and sec}

[github-actions]

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:34:45 GMT

[cursor]

Stale comment

Dependency update risk assessment for @types/node 25.6.2 -> 25.9.0:

Findings: no blocking concerns found.

Evidence checked:

• Diff is limited to injected/package.json and package-lock.json; this is a direct dev dependency for injected, with transitive undici-types moving 7.19.2 -> 7.24.6.
• Exact package diff adds/tightens Node type declarations around fs.stat*/throwIfNoEntry, WebCrypto CShakeParams/KmacParams using outputLength, stream.DuplexToWebOptions.readableType, node:stream/iter, node:zlib/iter, process.addUncaughtExceptionCaptureCallback, and Undici fields such as ResponseData.statusText plus SOCKS5 proxy types.
• Repo search did not find use of the changed Undici surfaces, node:stream/iter, node:zlib/iter, throwIfNoEntry, url.format/url.resolve, or the changed WebCrypto algorithm object types. Existing relevant uses are benign: statSync(path) without options in injected/unit-test/verify-artifacts.js, and browser crypto.subtle.digest('SHA-1', ...) with a string algorithm.
• Refreshed dependencies with npm ci to ensure @types/node@25.9.0 and undici-types@7.24.6 were actually installed, then ran generated prerequisites plus npm run tsc and npm run tsc-strict-core; both passed.
• PR CI is green for the type-relevant checks observed so far, including injected/special-pages unit and integration jobs on Ubuntu and injected/special-pages unit jobs on Windows. One broader unit (windows-latest) job was still in progress when checked, so final merge should still wait for CI completion.

No separate fix PR drafted because I did not find a concrete issue introduced by this update. Non-blocking maintenance note: the repo currently compiles with Node 25 type definitions while Cursor Cloud documents Node 22 as the local runtime; aligning @types/node to the supported runtime major, or scoping Node ambient types away from browser source, would reduce future type/runtime drift but is not newly introduced by this PR.

  

_{Sent by Cursor Automation: Review dependabot}

[cursor]

Dependency risk assessment: no blocking issues found.

Confirmed scope:

• The PR only bumps the injected dev dependency @types/node from ^25.6.2 to ^25.9.0, plus the lockfile entries for @types/node and its undici-types dependency (7.19.2 -> 7.24.6). No runtime dependency or shipped source changes are included.
• @types/node@25.9.0 is MIT-licensed, has no package scripts, and is dev-only here.
• Upstream has no separate human changelog, but DefinitelyTyped PR #74947 shows the relevant type-surface changes: async_hooks, crypto, inspector, module, quic, repl, stream/iter, test_runner, vm, plus undici-types updates.
• I checked repo usage for the newly exposed surfaces (stream/iter, AsyncLocalStorage, new WebCrypto algorithms, mock.module export options, etc.) and did not find current code using them.
• @types/node is still needed for checked JS scripts/tests using node:*, process, and Buffer.

Non-blocking concern / required validation:

• .nvmrc pins Node 22, while this dependency already tracks Node 25 types and this bump expands the Node 25 API surface further. That means TypeScript may accept future script/test code that is valid in Node 25.9 but unavailable on the repo's Node 22 runtime. I don't see a confirmed regression in this diff because the mismatch predates this PR and current code does not use the new APIs. If the intent is to model the execution runtime strictly, a separate follow-up should align @types/node to the Node 22 line.

Validation performed:

• npm ci
• npm run build-surrogates -w injected
• npm run build-locales -w injected
• npm run tsc
• npm run tsc-strict-core
• GitHub checks are passing for build, production-deps, unit tests, integration tests, and CI gate.

I did not draft a separate fix PR because I did not find a confirmed fix required for this dependency bump.

  

_{Sent by Cursor Automation: Review dependabot}