build(deps-dev): bump web-ext to remove stale ajv#2711
Draft
cursor[bot] wants to merge 4 commits into
Draft
Conversation
Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.18.0 to 8.20.0. - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.18.0...v8.20.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 8.20.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jonathan Kingston <jonathanKingston@users.noreply.github.com>
Co-authored-by: Jonathan Kingston <jonathanKingston@users.noreply.github.com>
Contributor
[Beta] Generated file diffTime updated: Fri, 22 May 2026 10:34:48 GMT |
jonathanKingston
approved these changes
May 22, 2026
jonathanKingston
approved these changes
May 22, 2026
Contributor
Build Branch
Static preview entry points
QR codes (mobile preview)
Integration commandsnpm (Android / Extension): Swift Package Manager (Apple): .package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/jkt/auto/dependency-update-review-3dad")git submodule (Windows): git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/dependency-update-review-3dad
git -C submodules/content-scope-scripts checkout origin/pr-releases/jkt/auto/dependency-update-review-3dadPin to exact commitnpm (Android / Extension): Swift Package Manager (Apple): .package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "8676caa0470d3ad98a81aef4b8b462eebfa88ddf")git submodule (Windows): git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/dependency-update-review-3dad
git -C submodules/content-scope-scripts checkout 8676caa0470d3ad98a81aef4b8b462eebfa88ddf |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Contributor
Author
There was a problem hiding this comment.
Web Compatibility Assessment
No web compatibility findings.
injected/integration-test/extension/manifest.jsonlines 6-12, severity: info. The added Gecko-onlybrowser_specific_settingsanddata_collection_permissionsmetadata is confined to the integration-test extension manifest. It does not alter injected runtime behavior, content script matching,run_at, frame coverage, wrappers, shims, or DOM interaction patterns.web-ext lint --source-dir integration-test/extension --output jsonreports 0 errors, 0 warnings, and 0 notices.injected/package.jsonline 60 andpackage-lock.jsonlines 10636-10676, severity: info.web-extremains a dev-only dependency used by the fake-extension/test tooling path, not code bundled into page-injected scripts.
Security Assessment
No security findings.
package.jsonline 46 andpackage-lock.jsonlines 23 and 2461-2499, severity: info. Theajv/addons-linterupdates are devDependency/tooling-only and remove stale transitive packages such asnode-notifier,growly,shellwords, anduuidfrom the lockfile. There are no changes tocaptured-globals.js, message bridge checks, native messaging transports, origin validation,postMessage, runtime API overrides, or remote-config handling.
Risk Level
Low Risk: this PR changes dependency metadata, a test-only extension manifest, and lockfile entries only; it does not touch shipped injected source or security-sensitive runtime surfaces.
Recommendations
No code changes required. Keep the targeted validation in CI for this PR class: web-ext lint --source-dir integration-test/extension --output json and npm run build --workspace=injected both pass locally for this revision.
Sent by Cursor Automation: Web compat and sec
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Asana Task/Github Issue: Follow-up to dependency review for #2674
Description
Bumps
web-extto10.2.0so itsaddons-linterdependency resolves to10.5.0, which pinsajv@8.20.0and removes the nestedaddons-linter/node_modules/ajv@8.18.0copy left by the directajvupdate.Also updates the fake MV3 integration-test extension manifest with required Firefox metadata so the newer linter passes cleanly.
Testing Steps
npm ls ajv --allnpx web-ext lint --source-dir=integration-test/extensionfrominjected/npm run test-unit --workspace=injected -- --random=false --filter='test-pages'Checklist
Please tick all that apply:
Note
Low Risk
Low risk: dependency bumps and test-only manifest metadata updates; main risk is CI/lint behavior changes due to updated
web-ext/addons-lintertoolchain.Overview
Updates the dev tooling by bumping
web-extto10.2.0(andajvto^8.20.0at the root), which refreshes transitive linter dependencies and removes older nestedajvcopies in the lockfile.Adjusts the MV3 fake integration-test extension
manifest.jsonto include Firefoxbrowser_specific_settings.geckometadata soweb-ext lintpasses with the newer linter.Reviewed by Cursor Bugbot for commit 43589a8. Bugbot is set up for automated code reviews on this repo. Configure here.