
chore: bump napi-derive from 3.5.3 to 3.5.4 #67

Open

dependabot[bot] wants to merge 2 commits into main from dependabot/cargo/napi-derive-3.5.4

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Apr 25, 2026

Bumps napi-derive from 3.5.3 to 3.5.4.

Release notes

Sourced from napi-derive's releases.

napi-derive-v3.5.4

Fixed

  • (deps) update rust crate ctor to v0.10.0 (#3224)
  • (deps) disable ctor priority feature (#3209)
  • (deps) update rust crate ctor to v0.9.1 (#3204)
Commits
  • 78eb068 chore: release (#3184)
  • 490f7d5 build(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#3237)
  • d5c3c43 chore(release): publish
  • d1e5b17 fix(cli): include napi9 in interactive new prompt (#3235)
  • 0cb8eef fix(wasm-runtime): preserve full bigint values in fs proxy codec (#3233)
  • 44aa08f fix(napi): preserve generator class methods (#3231)
  • bdc492a chore(deps): update dependency oxc-parser to ^0.125.0 (#3230)
  • daabe32 fix(cli): use target cwd for pre-publish git log lookup (#3228)
  • 23abb8a fix(cli): remove stale browser metadata in non-WASI new projects (#3229)
  • ce170eb fix(cli): apply enableTypeDef when generating new projects (#3214)
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [napi-derive](https://github.com/napi-rs/napi-rs) from 3.5.3 to 3.5.4.
- [Release notes](https://github.com/napi-rs/napi-rs/releases)
- [Commits](napi-rs/napi-rs@napi-derive-v3.5.3...napi-derive-v3.5.4)

---
updated-dependencies:
- dependency-name: napi-derive
  dependency-version: 3.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] (Contributor, Author) commented on behalf of github, Apr 25, 2026

Labels

The following labels could not be found: 📦 dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

devin-ai-integration[bot] left a comment

Devin Review found 3 potential issues.

Comment thread provenance/sbom.cdx.json

📝 Info: napi@3.8.4 dependency entry still references ctor@0.8.0, not updated to 0.10.1

At provenance/sbom.cdx.json:2701, the dependency entry for napi@3.8.4 still lists ctor@0.8.0 in its dependsOn. This is actually correct and matches the Cargo.lock, which shows napi 3.8.4 depends on ctor 0.8.0. It's napi-derive@3.5.4 that depends on ctor@0.10.1. So these are intentionally two different ctor versions used by different packages. This was initially considered as a potential inconsistency but verified as correct.

(Refers to line 2701)


Comment thread provenance/sbom.cdx.json
Comment on lines 2589 to 2609
{
"dependsOn": [
"pkg:cargo/ctor-proc-macro@0.0.7",
"pkg:cargo/dtor@0.3.0"
"pkg:cargo/ctor-proc-macro@0.0.13",
"pkg:cargo/dtor@0.8.1"
],
"ref": "pkg:cargo/ctor@0.8.0"
"ref": "pkg:cargo/ctor@0.10.1"
},
{
"dependsOn": [],
"ref": "pkg:cargo/ctor-proc-macro@0.0.7"
"ref": "pkg:cargo/ctor-proc-macro@0.0.13"
},
{
"dependsOn": [
"pkg:cargo/dtor-proc-macro@0.0.6"
"pkg:cargo/dtor-proc-macro@0.0.13"
],
"ref": "pkg:cargo/dtor@0.3.0"
"ref": "pkg:cargo/dtor@0.8.1"
},
{
"dependsOn": [],
"ref": "pkg:cargo/dtor-proc-macro@0.0.6"
"ref": "pkg:cargo/dtor-proc-macro@0.0.13"
},
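Review bot: the four replaced entries leave `pkg:cargo/ctor@0.8.0`, `pkg:cargo/ctor-proc-macro@0.0.7`, `pkg:cargo/dtor@0.3.0` and `pkg:cargo/dtor-proc-macro@0.0.6` with no entry in the dependencies array even though napi@3.8.4's `dependsOn` at provenance/sbom.cdx.json:2701 still names ctor@0.8.0, so the graph now carries a dangling reference whose transitive closure is silently empty. Keep the old entries and add the new ones beside them rather than overwriting; the new side already has the right shape (`"ref": "pkg:cargo/ctor@0.10.1"` listing both `pkg:cargo/ctor-proc-macro@0.0.13` and `pkg:cargo/dtor@0.8.1`, proc-macro crates with `"dependsOn": []`), and the restored old side should mirror it with the 0.0.7/0.3.0/0.0.6 refs. Worth a generator-side check too: every purl used as a `dependsOn` target must also appear as a `bom-ref` in the components array, since a target missing from components is an invalid BOM rather than merely an incomplete one.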

🟡 SBOM dependencies section replaces old version entries instead of adding new ones alongside, creating dangling references

The PR correctly adds both old and new component versions to the components array (e.g., both ctor@0.8.0 and ctor@0.10.1), and napi@3.8.4 still correctly references ctor@0.8.0 in its dependsOn (line 2701). However, in the dependencies section, the old dependency entries for ctor@0.8.0, ctor-proc-macro@0.0.7, dtor@0.3.0, and dtor-proc-macro@0.0.6 were replaced with entries for the new versions instead of being kept alongside them. This means ctor@0.8.0 is referenced as a dependency of napi@3.8.4 (provenance/sbom.cdx.json:2701) but has no corresponding entry in the dependencies array describing its own transitive dependencies. Verified against Cargo.lock, which shows both version sets coexist: napi@3.8.4 depends on ctor@0.8.0 (old), while napi-derive@3.5.4 depends on ctor@0.10.1 (new). The fix is to retain the old dependency entries and add the new ones alongside them.

Prompt for agents
In provenance/sbom.cdx.json, the dependencies section at lines 2589-2609 replaced the old version dependency entries (ctor@0.8.0, ctor-proc-macro@0.0.7, dtor@0.3.0, dtor-proc-macro@0.0.6) with the new version entries (ctor@0.10.1, ctor-proc-macro@0.0.13, dtor@0.8.1, dtor-proc-macro@0.0.13). Since both old and new versions coexist in the dependency tree (napi@3.8.4 uses old ctor, napi-derive@3.5.4 uses new ctor), the dependencies array needs entries for BOTH sets. Add back the four missing dependency entries for the old versions: ctor@0.8.0 (dependsOn: ctor-proc-macro@0.0.7, dtor@0.3.0), ctor-proc-macro@0.0.7 (dependsOn: []), dtor@0.3.0 (dependsOn: dtor-proc-macro@0.0.6), dtor-proc-macro@0.0.6 (dependsOn: []). These should appear alongside the existing new-version entries. The Cargo.lock file confirms both version sets and their dependencies.

Comment thread provenance/sbom.cdx.json
Comment on lines +384 to +430
"bom-ref": "pkg:cargo/ctor@0.10.1",
"evidence": {
"identity": [
{
"concludedValue": "Cargo.lock",
"confidence": 0.6,
"field": "purl",
"methods": [
{
"confidence": 0.6,
"technique": "manifest-analysis",
"value": "Cargo.lock"
}
]
}
]
},
"group": "",
"hashes": [
{
"alg": "SHA-256",
"content": "83cf0d42651b16c6dfe68685716d18480d18a9c39c62d76e8cf3eb6ed5d8bcbf"
}
],
"licenses": [
{
"license": {
"id": "Apache-2.0"
}
},
{
"license": {
"id": "MIT"
}
}
],
"name": "ctor",
"properties": [
{
"name": "SrcFile",
"value": "Cargo.lock"
}
],
"purl": "pkg:cargo/ctor@0.10.1",
"type": "library",
"version": "0.10.1"
},
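Review bot: the SHA-256 in `hashes` for ctor@0.10.1 should be checked against the `checksum` line for that crate in Cargo.lock, which is the only source this entry claims for itself (`"technique": "manifest-analysis"`, `"confidence": 0.6`); a digest taken from anywhere other than the lockfile would pass a schema check but fail an audit that diffs the BOM against the actual build input. On licensing, two separate `license` objects under `licenses` do not state whether both terms apply or the consumer may pick one; if the crate is dual-licensed, a single `{"expression": "Apache-2.0 OR MIT"}` entry is the unambiguous CycloneDX form. Minor: `"group": ""` is an empty string where the field can simply be omitted for a cargo purl.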

📝 Info: Old component versions correctly retained in components array

The components array correctly retains entries for both old versions (ctor@0.8.0, ctor-proc-macro@0.0.7, dtor@0.3.0, dtor-proc-macro@0.0.6) and new versions (ctor@0.10.1, ctor-proc-macro@0.0.13, dtor@0.8.1, dtor-proc-macro@0.0.13). This is correct because Cargo.lock shows both version sets coexist — napi@3.8.4 uses the old ctor 0.8.0, while napi-derive@3.5.4 uses the new ctor 0.10.1. The dependency count bump from 49 to 53 in provenance/report.json:14 is also consistent with adding 4 new components.

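A check that catches the problem the two review comments above describe (the dependencies array replacing rather than extending the old ctor chain while the components array keeps both versions), as an added example that is not code from the napi-rs project or this repository: it walks a CycloneDX document, cross-checks every `dependsOn` target against `components[].bom-ref` and `dependencies[].ref`, and restores missing entries without overwriting existing ones. The miniature SBOM inside it is constructed to mirror the refs in the thread, and `check_dependency_graph`, `add_dependency_entries` and `OLD_CTOR_CHAIN` are names chosen here, not anything from the repository's tooling.

```python
"""Cross-check a CycloneDX SBOM's dependency graph for dangling references.

Added example (not the napi-rs project's or this repository's code). The
constructed SAMPLE_SBOM reproduces the review finding: components[] keeps
both ctor versions, dependencies[] only kept the new chain, so the
dependsOn of napi@3.8.4 points at a ref that has no dependency entry.
"""
import json
import sys

# Constructed miniature SBOM, not the repository's provenance/sbom.cdx.json.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "bom-ref": ref,
            "name": ref.split("/")[1].split("@")[0],
            "version": ref.split("@")[1],
        }
        for ref in [
            "pkg:cargo/napi@3.8.4",
            "pkg:cargo/napi-derive@3.5.4",
            "pkg:cargo/ctor@0.8.0",
            "pkg:cargo/ctor@0.10.1",
            "pkg:cargo/ctor-proc-macro@0.0.7",
            "pkg:cargo/ctor-proc-macro@0.0.13",
            "pkg:cargo/dtor@0.3.0",
            "pkg:cargo/dtor@0.8.1",
            "pkg:cargo/dtor-proc-macro@0.0.6",
            "pkg:cargo/dtor-proc-macro@0.0.13",
        ]
    ],
    "dependencies": [
        {"ref": "pkg:cargo/napi@3.8.4", "dependsOn": ["pkg:cargo/ctor@0.8.0"]},
        {"ref": "pkg:cargo/napi-derive@3.5.4", "dependsOn": ["pkg:cargo/ctor@0.10.1"]},
        # Only the new ctor chain survived the version bump; the 0.8.0 chain is gone.
        {"ref": "pkg:cargo/ctor@0.10.1",
         "dependsOn": ["pkg:cargo/ctor-proc-macro@0.0.13", "pkg:cargo/dtor@0.8.1"]},
        {"ref": "pkg:cargo/ctor-proc-macro@0.0.13", "dependsOn": []},
        {"ref": "pkg:cargo/dtor@0.8.1", "dependsOn": ["pkg:cargo/dtor-proc-macro@0.0.13"]},
        {"ref": "pkg:cargo/dtor-proc-macro@0.0.13", "dependsOn": []},
    ],
}


def check_dependency_graph(sbom: dict) -> dict:
    """Return the gaps between components[] and dependencies[] (all sorted lists).

    unknown_refs:        dependsOn targets that are not a component at all (invalid BOM)
    dangling_refs:       targets that are components but have no own dependencies
                         entry, so their transitive closure is silent (this PR's bug)
    unlisted_components: components with no dependencies entry; leaf crates should
                         still appear with "dependsOn": []
    orphan_entries:      dependencies entries whose ref is not a component
    """
    bom_refs = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        bom_refs.add(root)
    deps = sbom.get("dependencies", [])
    dep_refs = {d["ref"] for d in deps}
    targets = {t for d in deps for t in d.get("dependsOn", [])}
    return {
        "unknown_refs": sorted(targets - bom_refs),
        "dangling_refs": sorted((targets & bom_refs) - dep_refs),
        "unlisted_components": sorted(bom_refs - dep_refs),
        "orphan_entries": sorted(dep_refs - bom_refs),
    }


def add_dependency_entries(sbom: dict, entries: dict) -> dict:
    """Return a copy of sbom with an entry appended for each ref in `entries`
    (ref -> dependsOn list) that has none yet. Existing entries are never
    overwritten, which is exactly the mistake this guards against."""
    fixed = json.loads(json.dumps(sbom))  # deep copy via JSON round-trip
    present = {d["ref"] for d in fixed.setdefault("dependencies", [])}
    for ref, depends_on in entries.items():
        if ref not in present:
            fixed["dependencies"].append({"ref": ref, "dependsOn": list(depends_on)})
    return fixed


# The four entries the review asks to restore, as read from Cargo.lock.
OLD_CTOR_CHAIN = {
    "pkg:cargo/ctor@0.8.0": ["pkg:cargo/ctor-proc-macro@0.0.7", "pkg:cargo/dtor@0.3.0"],
    "pkg:cargo/ctor-proc-macro@0.0.7": [],
    "pkg:cargo/dtor@0.3.0": ["pkg:cargo/dtor-proc-macro@0.0.6"],
    "pkg:cargo/dtor-proc-macro@0.0.6": [],
}


def main(argv):
    # With a path argument, check that file; otherwise check the constructed sample.
    sbom = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SBOM
    findings = check_dependency_graph(sbom)
    for kind, refs in findings.items():
        for ref in refs:
            print(f"{kind}: {ref}")
    return 1 if any(findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to provenance/sbom.cdx.json to list each gap; the exit status is non-zero whenever any list is non-empty, so it can sit in CI next to the SBOM generator and fail a bump like this one before review.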

dependabot[bot] (Contributor, Author) commented on behalf of github, May 2, 2026

A newer version of napi-derive exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
