chore: bump napi from 3.8.4 to 3.8.5 #65

Open
dependabot[bot] wants to merge 2 commits into main from dependabot/cargo/napi-3.8.5

dependabot Bot commented on behalf of github Apr 25, 2026

Bumps napi from 3.8.4 to 3.8.5.

Release notes

Sourced from napi's releases.

napi-v3.8.5

Fixed

  • (napi) preserve generator class methods (#3231)
  • (deps) update rust crate ctor to v0.10.0 (#3224)
  • (deps) disable ctor priority feature (#3209)
  • (deps) update rust crate ctor to v0.9.1 (#3204)
  • (napi) handle ThreadsafeFunction callback errors gracefully during shutdown (#3188)
  • (napi) populate Error::cause from ThreadsafeFunction callee-handled callbacks (#3162)
  • correct typo in Either error message ("non" → "none") (#3183)

Commits

  • 78eb068 chore: release (#3184)
  • 490f7d5 build(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#3237)
  • d5c3c43 chore(release): publish
  • d1e5b17 fix(cli): include napi9 in interactive new prompt (#3235)
  • 0cb8eef fix(wasm-runtime): preserve full bigint values in fs proxy codec (#3233)
  • 44aa08f fix(napi): preserve generator class methods (#3231)
  • bdc492a chore(deps): update dependency oxc-parser to ^0.125.0 (#3230)
  • daabe32 fix(cli): use target cwd for pre-publish git log lookup (#3228)
  • 23abb8a fix(cli): remove stale browser metadata in non-WASI new projects (#3229)
  • ce170eb fix(cli): apply enableTypeDef when generating new projects (#3214)
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [napi](https://github.com/napi-rs/napi-rs) from 3.8.4 to 3.8.5.
- [Release notes](https://github.com/napi-rs/napi-rs/releases)
- [Commits](napi-rs/napi-rs@napi-v3.8.4...napi-v3.8.5)

---
updated-dependencies:
- dependency-name: napi
  dependency-version: 3.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Apr 25, 2026

Labels

The following labels could not be found: 📦 dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@devin-ai-integration devin-ai-integration Bot left a comment

Devin Review found 3 potential issues.

Comment thread provenance/sbom.cdx.json

📝 Info: napi-derive@3.5.3 dependency on ctor@0.8.0 not updated in SBOM dependency graph

At provenance/sbom.cdx.json:2719, napi-derive@3.5.3 still lists pkg:cargo/ctor@0.8.0 in its dependsOn. This is actually correct — the Cargo.lock confirms napi-derive@3.5.3 genuinely depends on ctor@0.8.0 (not 0.10.1). However, the dependency graph entry for ctor@0.8.0 itself is missing (reported as a bug), making this a dangling reference. The napi-derive dependency line itself is accurate and should not be changed.

Comment thread provenance/sbom.cdx.json
Comment on lines +2591 to +2594
"pkg:cargo/ctor-proc-macro@0.0.13",
"pkg:cargo/dtor@0.8.1"
],
"ref": "pkg:cargo/ctor@0.8.0"
"ref": "pkg:cargo/ctor@0.10.1"
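
Review bot: the `ref` line swaps pkg:cargo/ctor@0.8.0 for pkg:cargo/ctor@0.10.1 inside the same graph entry, so the node for 0.8.0 disappears instead of a second node being added. If anything elsewhere in the file still lists pkg:cargo/ctor@0.8.0 in a dependsOn, that edge now points at nothing; keep the 0.8.0 entry, add 0.10.1 as a separate one, and have CI fail when a dependsOn target has no matching `ref`.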

🟡 SBOM dependency graph entries for old versions replaced instead of added alongside new versions, creating dangling references

The dependency graph section of the SBOM replaced the entries for ctor@0.8.0, ctor-proc-macro@0.0.7, dtor@0.3.0, and dtor-proc-macro@0.0.6 with entries for their new versions (ctor@0.10.1, etc.) instead of adding the new entries alongside them. Both old and new versions exist in Cargo.lock (since napi-derive@3.5.3 depends on ctor@0.8.0 while napi@3.8.5 depends on ctor@0.10.1), and the SBOM's components section correctly lists all 8 entries. However, the dependencies section only has 4 entries (the new versions), leaving napi-derive@3.5.3 with a dangling reference to pkg:cargo/ctor@0.8.0 (visible at provenance/sbom.cdx.json:2719) and 4 components with no corresponding dependency graph nodes.

Missing dependency entries that should exist based on Cargo.lock

  • ctor@0.8.0 → depends on [ctor-proc-macro@0.0.7, dtor@0.3.0]
  • ctor-proc-macro@0.0.7 → depends on []
  • dtor@0.3.0 → depends on [dtor-proc-macro@0.0.6]
  • dtor-proc-macro@0.0.6 → depends on []

Prompt for agents

The SBOM dependency graph in provenance/sbom.cdx.json had the old version dependency entries (ctor@0.8.0, ctor-proc-macro@0.0.7, dtor@0.3.0, dtor-proc-macro@0.0.6) replaced with new version entries instead of adding the new entries alongside them. Both versions exist in Cargo.lock because napi-derive@3.5.3 still depends on ctor@0.8.0 while napi@3.8.5 depends on ctor@0.10.1.

The fix is to add back 4 dependency entries for the old versions in the dependencies array (around line 2595, after the ctor@0.10.1 entry):
1. ctor@0.8.0 with dependsOn [ctor-proc-macro@0.0.7, dtor@0.3.0]
2. ctor-proc-macro@0.0.7 with dependsOn []
3. dtor@0.3.0 with dependsOn [dtor-proc-macro@0.0.6]
4. dtor-proc-macro@0.0.6 with dependsOn []

Alternatively, re-run the provenance generation tool to regenerate the SBOM correctly.
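
The dangling-reference condition discussed in the comment above can be checked mechanically. The following is an added example, not part of the review comment or of this repository's provenance tooling: it audits a CycloneDX JSON document using the standard `components[].bom-ref`, `dependencies[].ref` and `dependsOn` fields. The sample SBOM is constructed to mirror the state the review describes, and the dtor@0.8.1 to dtor-proc-macro@0.0.13 edge in it is an assumption.

```python
# Added example: audit a CycloneDX JSON SBOM for dependency-graph gaps.

def ref(name, version):
    """Build a cargo purl in the form the SBOM on this page uses."""
    return f"pkg:cargo/{name}@{version}"

def audit_dependency_graph(bom):
    """Return inconsistencies between components[] and dependencies[]."""
    inventory = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        inventory.add(root)  # the root component lives under metadata
    nodes = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return {
        # edges whose target has no node of its own in dependencies[]
        "dangling": sorted(
            (p, c) for p, kids in nodes.items() for c in kids if c not in nodes
        ),
        # inventoried components that the graph never describes
        "components_without_node": sorted(inventory - set(nodes)),
        # graph nodes naming something the inventory does not list
        "nodes_without_component": sorted(set(nodes) - inventory),
    }

# Constructed sample: both crate generations are inventoried, but only the
# new generation has graph nodes, as described in the review comment.
OLD = [ref("ctor", "0.8.0"), ref("ctor-proc-macro", "0.0.7"),
       ref("dtor", "0.3.0"), ref("dtor-proc-macro", "0.0.6")]
NEW = [ref("ctor", "0.10.1"), ref("ctor-proc-macro", "0.0.13"),
       ref("dtor", "0.8.1"), ref("dtor-proc-macro", "0.0.13")]
TOP = [ref("napi", "3.8.5"), ref("napi-derive", "3.5.3")]
SAMPLE_BOM = {
    "components": [{"bom-ref": r} for r in TOP + OLD + NEW],
    "dependencies": [
        {"ref": TOP[0], "dependsOn": [NEW[0]]},
        {"ref": TOP[1], "dependsOn": [OLD[0]]},  # edge into the missing node
        {"ref": NEW[0], "dependsOn": [NEW[1], NEW[2]]},
        {"ref": NEW[1], "dependsOn": []},
        {"ref": NEW[2], "dependsOn": [NEW[3]]},  # assumed edge, not on the page
        {"ref": NEW[3], "dependsOn": []},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_dependency_graph(SAMPLE_BOM), indent=2))
```

Run against a real file by loading it with `json.load` and failing the build when any of the three lists is non-empty.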

Comment thread provenance/report.json
"sbom": "sbom.cdx.json",
"notice": "THIRD-PARTY-NOTICES.txt",
"dependencies_with_licenses": 49
"dependencies_with_licenses": 53
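
Review bot: `dependencies_with_licenses` moves from 49 to 53, but this hunk shows only the counter and not what it counts. Confirm that THIRD-PARTY-NOTICES.txt, named on the line above, was regenerated in the same commit and gained the same four entries, so the number is derived from the tool output and not edited by hand.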

📝 Info: Dependency count 49→53 is consistent with new component additions

The dependencies_with_licenses field in provenance/report.json:14 was updated from 49 to 53. This +4 matches exactly the 4 new component entries added to the SBOM: ctor@0.10.1, ctor-proc-macro@0.0.13, dtor@0.8.1, dtor-proc-macro@0.0.13. This is correct.

dependabot Bot commented on behalf of github May 2, 2026

A newer version of napi exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
