chore(deps): update dependency typescript to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
typescript (source)	~5.9.2 → ~6.0.0

---

Release Notes

microsoft/TypeScript (typescript)

v6.0.3

Compare Source

v6.0.2

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying control-layer with    Cloudflare Pages

Latest commit:	a4da728
Status:	🚫  Build failed.

View logs

[doubleword-code]

Summary

This PR updates TypeScript from ~5.9.2 to ~6.0.0 in the dashboard, along with corresponding pnpm-lock.yaml updates. While the TypeScript version bump itself is straightforward, there's a critical issue with how the pnpm lockfile was regenerated that causes the rollup override to be lost.

Verdict: Blocked - requires lockfile regeneration to preserve the rollup WASM override.

Research notes

• TypeScript 6.0 Announcement - Key breaking changes identified:
  • types now defaults to [] (previously auto-included all @types/* packages)
  • baseUrl is deprecated as a module resolution lookup root
  • rootDir now defaults to . instead of being inferred
  • dom.iterable is now included in dom lib (making explicit DOM.Iterable redundant but harmless)

Suggested next steps

1. Blocking: Regenerate pnpm-lock.yaml to properly apply the rollup: npm:@rollup/wasm-node override from package.json. Run pnpm install in the dashboard directory to regenerate the lockfile with overrides correctly applied.

2. Non-blocking: Consider adding "types": ["node"] to tsconfig.app.json and tsconfig.node.json to prevent potential "Cannot find name" errors due to TypeScript 6.0's new default behavior.

3. Non-blocking: The baseUrl deprecation in TypeScript 6.0 affects this project. When ready, migrate path mappings to use explicit prefixes (e.g., "@/*": ["./src/*"] without relying on baseUrl).

General findings

Lockfile Override Loss (Blocking)

The pnpm-lock.yaml had an overrides section at the root level that was removed during regeneration. The package.json still contains:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

However, the new lockfile resolves rollup to the native binary version (@rollup/rollup-* packages for each platform) instead of the WASM version (@rollup/wasm-node). This could cause issues in environments where native binaries are not supported or where the WASM version is specifically required.

The lodash and mdast-util-to-hast overrides appear to be correctly applied (versions 4.18.1 and 13.2.1 respectively), but the rollup override is completely missing.

TypeScript 6.0 Compatibility

The project should be compatible with TypeScript 6.0, but there are two configuration concerns:

1. Missing types field: TypeScript 6.0 changed the default for types from "auto-include all @types packages" to an empty array []. The project only specifies types in tsconfig.test.json. If the build encounters "Cannot find name" errors for Node.js globals (process, Buffer, etc.), add "types": ["node"] to the affected config files.

2. Deprecated baseUrl: The project uses baseUrl: "." in both tsconfig.json and tsconfig.app.json. This is deprecated in TypeScript 6.0 but continues to work. The recommended migration is to remove baseUrl and use explicit prefixes in path mappings.

[doubleword-code]

Blocking: The pnpm overrides section was removed from the lockfile during regeneration, causing the rollup: npm:@rollup/wasm-node override to be lost.

Why it matters: The package.json still specifies "rollup": "npm:@rollup/wasm-node" in the pnpm.overrides section, but the new lockfile resolves to the native binary version (@rollup/rollup-* packages) instead of the WASM version. This can cause build failures in environments where native binaries don't work or aren't available.

The diff shows @rollup/wasm-node@4.60.3 was replaced with platform-specific packages like @rollup/rollup-linux-x64-gnu, @rollup/rollup-darwin-arm64, etc.

Suggested fix: Regenerate the lockfile by running pnpm install in the dashboard/ directory. This should properly apply the overrides from package.json. Verify the regenerated lockfile contains @rollup/wasm-node references.

[doubleword-code]

Non-blocking: TypeScript 6.0 introduces breaking changes that may affect this project.

Why it matters: According to the TypeScript 6.0 release notes, two key changes could impact this project:

1. types defaults to []: Previously all @types/* packages were auto-included. Now you must explicitly specify them. The project only has types configured in tsconfig.test.json.

2. baseUrl is deprecated: Used in tsconfig.json and tsconfig.app.json for path mapping @/* → ./src/*.

Suggested fix: Monitor for compilation errors after upgrading. If you see "Cannot find name 'process'" or similar errors, add "types": ["node"] to tsconfig.app.json and tsconfig.node.json. For the baseUrl deprecation, plan to migrate to explicit path prefixes when convenient.

[doubleword-code]

Summary

This PR updates TypeScript from ~5.9.2 to ~6.0.0 in the dashboard. While TypeScript 6.0 brings new features (Temporal types, RegExp.escape, improved type inference), there are critical issues with the pnpm lockfile regeneration that block approval.

Verdict: Blocked - The pnpm-lock.yaml changes introduce serious issues that must be addressed before merging.

Research Notes

I reviewed the TypeScript 6.0 release notes and official documentation. Key findings:

1. Breaking Changes: TypeScript 6.0 introduces several breaking changes including types defaulting to [], rootDir defaulting to ., and deprecation of baseUrl for module resolution.

2. Security Advisory: The lockfile shows @ungap/structured-clone@1.3.0 is deprecated due to CWE-502 (deserialization vulnerability) and should be updated to 1.3.1+.

3. pnpm Overrides Issue: The lockfile's overrides section was removed, but package.json still specifies overrides for rollup, lodash, and mdast-util-to-hast. This means security patches and custom resolutions won't be applied.

Suggested Next Steps

1. Blocking: Regenerate pnpm-lock.yaml properly to preserve the overrides from package.json. Run pnpm install in the dashboard directory to regenerate the lockfile with overrides intact.

2. Blocking: Address the @ungap/structured-clone security vulnerability by updating to 1.3.1+ (may require updating a dependent package).

3. Non-blocking: Review tsconfig files for TypeScript 6.0 compatibility, particularly the deprecated baseUrl usage in tsconfig.app.json and root tsconfig.json.

General Findings

pnpm Overrides Lost (Critical)

The package.json specifies these pnpm overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

However, the lockfile no longer contains the overrides section at the top. This is evident because:

• Lines 7-11 in the old lockfile had the overrides section, now removed
• The lockfile now resolves to rollup@4.60.3 instead of @rollup/wasm-node@4.60.3

Why it matters: The lodash override (^4.18.0) was likely added for security reasons (lodash has had multiple CVEs). The rollup WASM override may be intentional for cross-platform consistency. Losing these overrides could introduce security vulnerabilities or platform-specific build issues.

Suggested fix: Re-run pnpm install in the dashboard directory to regenerate the lockfile while preserving the overrides from package.json. Verify the regenerated lockfile includes the overrides section and resolves rollup to @rollup/wasm-node.

Security Advisory: @ungap/structured-clone@1.3.0

The lockfile marks @ungap/structured-clone@1.3.0 as deprecated with message: "Potential CWE-502 - Update to 1.3.1 or higher"

Why it matters: CWE-502 is "Deserialization of Untrusted Data" - a security vulnerability that could allow attackers to exploit deserialization logic.

Suggested fix: Identify which package depends on @ungap/structured-clone and update it, or add a pnpm override to force version 1.3.1+.

TypeScript 6.0 Breaking Changes (Future Concern)

The project uses baseUrl with paths in both tsconfig.json and tsconfig.app.json:

"baseUrl": ".",
"paths": {
  "@/*": ["./src/*"]
}

TypeScript 6.0 deprecates baseUrl when used for module resolution. The recommended migration is:

"paths": {
  "@/*": ["./src/*"]
}
// Remove baseUrl entirely

Additionally, types defaults to [] in TS 6.0. The tsconfig.test.json correctly specifies types explicitly, so this should be fine.

Why it matters: While this may work today, future TypeScript versions (especially 7.0) will remove support entirely. Early migration prevents technical debt.

Suggested fix: Consider removing baseUrl from tsconfig files and using explicit relative paths or keeping paths with full prefixes.

[doubleword-code]

Summary

This PR updates TypeScript from ~5.9.2 to ~6.0.0 in the dashboard. While the TypeScript version bump itself appears compatible with the project's existing configuration, there is a critical regression in how the pnpm lockfile was regenerated.

Verdict: Blocked - The lockfile regeneration has dropped important pnpm overrides that were intentionally configured for security/compatibility reasons.

Research Notes

• TypeScript 6.0 Release Notes - Key changes include new defaults (strict: true, types: [], rootDir: .), deprecated options, and preparation for TypeScript 7.0's native port.
• typescript-eslint v8 compatibility - The project uses typescript-eslint ^8.46.2 which supports TypeScript 6.0 (the docs show compatibility with TypeScript >=4.8.4 <6.1.0).

Suggested Next Steps

1. Blocking: Re-run pnpm install in the dashboard directory to properly regenerate the lockfile with the overrides from package.json respected.
2. Verify that @rollup/wasm-node appears in the regenerated lockfile instead of the standard rollup package.
3. Run pnpm test and pnpm build to confirm TypeScript 6.0 doesn't introduce any type errors or build issues.

General Findings

Critical: pnpm overrides lost during lockfile regeneration

The original pnpm-lock.yaml had an overrides section at the top level that redirected rollup to npm:@rollup/wasm-node. This override was intentionally added (see git history) to use the WASM version of Rollup instead of the native binary. The regenerated lockfile has:

1. Removed the overrides section entirely from the lockfile header
2. Changed from @rollup/wasm-node@4.60.3 to standard rollup@4.60.3

While the package.json still contains the overrides in pnpm.overrides, they were not applied during lockfile regeneration. This suggests Renovate may have run pnpm install in a way that didn't respect these overrides, or there's a pnpm version mismatch.

The same applies to the lodash and mdast-util-to-hast overrides which were likely added for security patching purposes.

TypeScript 6.0 Compatibility Assessment

The project's tsconfig files are well-positioned for TypeScript 6.0 adoption:

• strict: true is already explicitly set (TS 6.0 default)
• noUncheckedSideEffectImports: true is already set (TS 6.0 default)
• moduleResolution: bundler is used (modern resolution strategy)
• types array is explicitly defined in tsconfig.test.json
• No deprecated compiler options are in use

The main TypeScript 6.0 breaking changes that could affect projects are:

• types now defaults to [] instead of auto-discovery - this project handles it correctly
• rootDir now defaults to . - not an issue since no explicit rootDir inference is relied upon
• Various deprecated options - none appear to be in use here

General findings (auto-demoted from inline due to pre-validation)

• Non-blocking dashboard/package.json:104 — This override is correctly specified in package.json, but it wasn't applied to the lockfile (see comment on pnpm-lock.yaml:7).
  • (demoted: line 104 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)

[doubleword-code]

Blocking: The overrides section that was present in the original lockfile has been removed. The original file had:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides were intentionally configured in package.json to:

1. Use the WASM version of Rollup instead of native binaries (likely for security/compatibility)
2. Patch lodash to a secure version
3. Update mdast-util-to-hast for compatibility

The fact that these overrides aren't reflected in the regenerated lockfile indicates that pnpm install was run incorrectly, or the pnpm version used doesn't properly support the pnpm.overrides field in package.json.

Suggested fix: Re-run pnpm install in the dashboard directory to regenerate the lockfile with overrides properly applied. Verify by checking that @rollup/wasm-node appears in the packages section instead of standard rollup.

[doubleword-code]

Summary

This PR updates TypeScript from ~5.9.2 to ~6.0.0 in the dashboard package, along with corresponding pnpm-lock.yaml updates. While TypeScript 6.0 itself is compatible with the existing toolchain (typescript-eslint v8.58.1 supports TS 6.0), there's a critical issue with how the lock file was regenerated.

Verdict: Blocked - The pnpm overrides have been silently dropped from the lock file, removing important security constraints.

Research notes

• TypeScript 6.0 Release Notes - TypeScript 6.0 introduces breaking changes including strict defaulting to true, types defaulting to [], and various deprecated options.
• typescript-eslint compatibility - Version 8.58.1 supports TypeScript >=4.8.4 <6.1.0, which includes 6.0.3.

Suggested next steps

1. Blocking: Regenerate the lock file while preserving the pnpm overrides from package.json. Run pnpm install in the dashboard directory with the overrides intact.
2. Test the build with TypeScript 6.0 to identify any new type errors from the stricter defaults (especially around types: [] potentially causing missing global type issues).
3. Verify that lodash 4.18.1 and mdast-util-to-hast 13.2.1+ are still being used after regenerating the lock file properly.

General findings

Critical: pnpm overrides removed from lock file

The original pnpm-lock.yaml contained these security overrides at the top level:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These have been completely removed in the updated lock file, even though they still exist in package.json. This means:

1. Security vulnerability override lost: The lodash override pins to ^4.18.0 due to known prototype pollution vulnerabilities in earlier versions. Without the override, transitive dependencies could resolve to vulnerable versions.

2. Rollup WASM → Native swap: The project intentionally used @rollup/wasm-node (likely for cross-platform consistency or sandboxing). The new lock file uses native platform-specific rollup packages instead (@rollup/rollup-linux-x64-gnu, @rollup/rollup-darwin-arm64, etc.).

3. mdast-util-to-hast override lost: This override was likely added to fix a specific compatibility issue.

The lock file should always respect the overrides in package.json. This appears to be a regeneration issue where pnpm install was run without properly reading the overrides section.

[doubleword-code]

Summary

This PR upgrades TypeScript from ~5.9.2 to ~6.0.0 in the dashboard package. TypeScript 6.0 is a major version release that serves as a bridge to TypeScript 7.0 (the native port) and introduces several breaking changes and deprecations.

Verdict: Needs changes before merging — while the upgrade itself is reasonable, there are configuration issues that need to be addressed to avoid breakage.

Research notes

Fetched the TypeScript 6.0 announcement and typescript-eslint dependency versions. Key findings:

1. typescript-eslint v8.x supports TypeScript 6.0 — The lockfile shows typescript-eslint@8.58.1 with typescript@6.0.3, confirming compatibility.

2. Breaking changes in TypeScript 6.0 that may affect this project:

   • types now defaults to [] instead of auto-including all @types/* packages
   • baseUrl is deprecated when used as a lookup root for module resolution
   • strict defaults to true (already explicitly set in your configs)
   • noUncheckedSideEffectImports defaults to true (already explicitly set)
   • Various other deprecations targeting TypeScript 7.0 removal

3. The pnpm-lock.yaml shows the overrides section was removed — The original lockfile had overrides for rollup, lodash, and mdast-util-to-hast. These should be preserved if still needed.

Suggested next steps

1. Blocking: Preserve the overrides section in pnpm-lock.yaml if those security patches are still needed (lodash ^4.18.0 suggests security fixes)
2. Blocking: Address the deprecated baseUrl usage in tsconfig.json and tsconfig.app.json
3. Non-blocking: Consider adding "types": ["node"] to tsconfig.app.json if Node.js globals are used
4. Run pnpm install, pnpm lint, and pnpm test to verify no new type errors appear

General findings

Breaking Change: baseUrl Deprecation

TypeScript 6.0 deprecated baseUrl as a module resolution lookup root. Your config uses:

// tsconfig.json & tsconfig.app.json
{
  "baseUrl": ".",
  "paths": {
    "@/*": ["./src/*"]
  }
}

In TypeScript 6.0+, this pattern should migrate to explicit path prefixes without baseUrl:

{
  "paths": {
    "@/*": ["./src/*"]
  }
}

The baseUrl acted as a catch-all that could resolve import x from "someModule" to ./someModule, which bundlers typically don't do. Since you're using moduleResolution: "bundler", removing baseUrl aligns better with runtime behavior.

Security Override Removal

The diff shows the overrides section was removed from pnpm-lock.yaml:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

The lodash: ^4.18.0 override specifically looks like a security patch (lodash had prototype pollution vulnerabilities). Verify these overrides are either:

• No longer needed due to transitive dependency updates, OR
• Preserved in package.json's pnpm.overrides field

TypeScript 6.0 Compatibility

The typescript-eslint@^8.46.2 in package.json resolves to 8.58.1 which does support TypeScript 6.0.3 per the lockfile. However, if you encounter version mismatch warnings, ensure all typescript-eslint packages are on compatible versions.

Testing Recommendation

After any TypeScript major version upgrade, run:

cd dashboard
pnpm install
pnpm lint
pnpm test
pnpm build

Pay special attention to any new errors around:

• Missing global types (due to types: [] default)
• Import resolution changes
• Union type ordering in declaration files (if you emit .d.ts files)

[doubleword-code]

Summary

This PR updates TypeScript from ~5.9.2 to ~6.0.0 in the dashboard package. While TypeScript 6.0 is compatible with the project's tooling (typescript-eslint@8.58.1 supports TS <6.1.0, MSW supports TS >=4.8), this PR introduces a critical regression: the pnpm overrides defined in package.json are no longer reflected in the regenerated lockfile.

Verdict: Blocked - The missing overrides represent security and compatibility regressions that must be addressed before merging.

Research notes

• Fetched TypeScript 6.0 announcement - confirmed breaking changes and deprecations
• Verified typescript-eslint@8.58.1 peer dependencies: typescript: ">=4.8.4 <6.1.0" - TS 6.0.3 is within range
• Verified MSW@2.13.2 peer dependencies: typescript: ">= 4.8.x" - compatible
• Checked pnpm lockfile format v9.0 - overrides section should appear at top level under settings

Suggested next steps

1. Blocking: Restore pnpm overrides in the lockfile. Run pnpm install --force or investigate why pnpm is not respecting the overrides in package.json:

   "pnpm": {
     "overrides": {
       "rollup": "npm:@rollup/wasm-node",
       "lodash": "^4.18.0",
       "mdast-util-to-hast": "^13.2.1"
     }
   }

2. Non-blocking: Consider explicitly adding "types": [] to tsconfig files to acknowledge the TS 6.0 default change and avoid future confusion.

3. Non-blocking: The baseUrl option is deprecated in TypeScript 6.0 (will be removed in 7.0). Consider migrating path mappings to use explicit prefixes instead.

General findings

TypeScript 6.0 Breaking Changes Impact

The project's tsconfigs explicitly set most options that changed defaults in TS 6.0 (strict: true, noUncheckedSideEffectImports: true, target: "ES2022"), so most breaking changes are already accounted for. However:

• types field: TS 6.0 now defaults types to [] instead of auto-including all @types/* packages. The test config explicitly specifies types: ["vitest/globals", "@testing-library/jest-dom"], which is correct. No global @types/node usage detected outside tests.
• baseUrl deprecation: Both tsconfig.json and tsconfig.app.json use baseUrl: "." which is deprecated. Migration path: remove baseUrl and add ./src/ prefix to path mappings.

Rollup Override Loss

The original lockfile used @rollup/wasm-node (WASM-based Rollup) via pnpm override, likely to avoid native binding issues in CI/Docker environments. The new lockfile uses native platform-specific Rollup packages (@rollup/rollup-linux-x64-gnu, etc.). This may cause build failures in environments without proper native compilation support.

General findings (auto-demoted from inline due to pre-validation)

• Blocking dashboard/pnpm-lock.yaml:66 — Native Rollup packages are now installed instead of @rollup/wasm-node. Lines 66-138 show platform-specific native packages like @rollup/rollup-linux-x64-gnu, @rollup/rollup-darwin-arm64, etc.
  • (demoted: line 66 (side=RIGHT) is not part of any diff hunk in dashboard/pnpm-lock.yaml)

[doubleword-code]

Blocking: The entire overrides section has been removed from the lockfile. This means the pnpm overrides specified in package.json are not being applied:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

Why it matters:

• rollup: The WASM version was intentionally chosen, likely to avoid native binding issues in CI/Docker. Native rollup packages may fail in certain environments.
• lodash: The ^4.18.0 override addresses CVE-2021-23337 (Command Injection) and other vulnerabilities in earlier versions. Without this, vulnerable lodash versions could be transitive dependencies.
• mdast-util-to-hast: The ^13.2.1 override fixes specific bugs or compatibility issues.

Suggested fix: Regenerate the lockfile ensuring pnpm respects the overrides. Try:

rm dashboard/pnpm-lock.yaml
cd dashboard && pnpm install

If overrides still don't appear, check pnpm version compatibility with lockfileVersion 9.0.

[doubleword-code]

Non-blocking: TypeScript version updated to ~6.0.0 (resolves to 6.0.3).

Why it matters: TypeScript 6.0 is compatible with your tooling chain:

• typescript-eslint@8.58.1 supports typescript >=4.8.4 <6.1.0 ✓
• MSW@2.13.2 supports typescript >= 4.8.x ✓
• Vite, Vitest, and other dependencies are compatible

However, TS 6.0 introduces breaking changes. Your tsconfigs already handle most of them by explicitly setting:

• strict: true (TS 6.0 default)
• noUncheckedSideEffectImports: true (TS 6.0 default)
• target: "ES2022" (overrides TS 6.0's es2025 default)

Caveat: The baseUrl option used in both tsconfig.json and tsconfig.app.json is deprecated in TS 6.0 and will be removed in TS 7.0. Consider migrating to explicit path prefixes:

"paths": {
  "@/*": ["./src/*"]
}
// instead of baseUrl + paths

Suggested fix: No immediate action required, but plan to migrate away from baseUrl before adopting TypeScript 7.0.

[doubleword-code]

Summary

This PR updates TypeScript from ~5.9.2 to ~6.0.0 in the dashboard application. While TypeScript 6.0 is a major version upgrade with several breaking changes and deprecations, the project's current configuration appears well-positioned for most of these changes. However, there is a critical issue with the pnpm overrides being lost in the lock file that must be addressed before this can be merged.

Verdict: BLOCKED - The removal of pnpm overrides from the lock file introduces security vulnerabilities and potential compatibility issues that must be fixed.

Research notes

I reviewed the TypeScript 6.0 release notes and official documentation. Key changes include:

• Breaking changes: baseUrl is deprecated, types now defaults to [], strict defaults to true
• Deprecations: target: es5, --downlevelIteration, --moduleResolution node/node10, amd/umd/systemjs module values, --esModuleInterop false, --alwaysStrict false, outFile, legacy module syntax for namespaces, asserts keyword on imports, no-default-lib directives
• New features: es2025 target/lib, Temporal types, getOrInsert Map methods, RegExp.escape, improved type inference for this-less functions

Suggested next steps

1. BLOCKING: Restore pnpm overrides in the lock file by regenerating it with pnpm install to ensure security patches for lodash and mdast-util-to-hast are applied, and the WASM version of rollup is used
2. Consider removing the deprecated baseUrl option from tsconfig files and updating path mappings to use explicit prefixes
3. Add explicit types arrays to tsconfig.app.json and tsconfig.node.json to avoid pulling in unnecessary @types packages
4. Run the full test suite after fixing the overrides to verify TypeScript 6.0 compatibility

General findings

Critical: pnpm overrides removed from lock file

The package.json specifies important pnpm overrides:

• rollup: npm:@rollup/wasm-node - WASM version for cross-platform compatibility
• lodash: ^4.18.0 - Security patch for known vulnerabilities
• mdast-util-to-hast: ^13.2.1 - Compatibility/security fix

These overrides are present in package.json but were removed from pnpm-lock.yaml. This means the lockfile will NOT enforce these security patches and compatibility fixes, potentially exposing the project to known vulnerabilities.

Additionally, the lock file now resolves to native platform-specific rollup binaries (@rollup/rollup-linux-x64-gnu, etc.) instead of the WASM version, which could cause issues in certain environments.

TypeScript 6.0 Breaking Changes Assessment

Good news: The project already explicitly sets strict: true, so that default change won't affect it. The test config already specifies types explicitly.

Needs attention:

• baseUrl is deprecated in TypeScript 6.0. The project uses "baseUrl": "." with "paths": { "@/*": ["./src/*"] } in all three tsconfig files. Per TypeScript 6.0 docs, developers should remove baseUrl and add explicit prefixes to paths: "@/*": ["./src/*"] becomes "@/*": ["src/*"] (since baseUrl was ".").
• The types field defaults to [] in TS 6.0. While tsconfig.test.json explicitly sets types, tsconfig.app.json and tsconfig.node.json do not. This should generally be fine since they don't rely on global types, but it's worth verifying the build works correctly.

Rollup resolution change

The lock file changed from @rollup/wasm-node@4.60.3 to platform-specific native binaries. This is a consequence of losing the pnpm override. The native binaries should work fine for most cases, but the WASM version was likely chosen for specific compatibility reasons.

[doubleword-code]

Summary

This PR updates TypeScript from version 5.9.x to 6.0.0 in the dashboard package. TypeScript 6.0 is a significant release that serves as a bridge to TypeScript 7.0 (the native port). The update appears mostly straightforward, but there are some important considerations:

Verdict: Needs changes before merging - there's a mismatch between package.json overrides and the lockfile.

Research notes

I reviewed the TypeScript 6.0 announcement which highlights several breaking changes and deprecations:

1. baseUrl is deprecated - The project uses baseUrl in tsconfig.app.json and tsconfig.json with path mappings (@/*). While this still works in 6.0, it will be removed in 7.0.
2. types defaults to [] - Previously defaulted to loading all @types packages. The project already explicitly sets types in tsconfig.test.json, so this won't affect tests.
3. strict defaults to true - The project already has strict: true explicitly set, so no impact.
4. Rollup structure changes - The lockfile now resolves to native rollup packages instead of the WASM version.

Suggested next steps

1. Blocking: Resolve the mismatch between package.json pnpm overrides and the lockfile. Either:

   • Remove the rollup: "npm:@rollup/wasm-node" override from package.json if native rollup is intended (recommended)
   • Or re-run pnpm install to ensure the lockfile matches the package.json overrides

2. Non-blocking: Consider migrating away from baseUrl in tsconfig files to prepare for TypeScript 7.0. Replace:

   {
     "baseUrl": ".",
     "paths": {
       "@/*": ["./src/*"]
     }
   }

   With just:

   {
     "paths": {
       "@/*": ["./src/*"]
     }
   }

3. Run pnpm install after any changes to ensure lockfile consistency.

General findings

1. Dependency compatibility: typescript-eslint 8.58.1 supports TypeScript 6.0 (peer dependency range: typescript: '>=4.8.4 <6.1.0'). MSW 2.13.2 also lists TypeScript 6.0 as an optional dependency.

2. Lockfile overrides removed: The pnpm-lock.yaml had its top-level overrides section removed during regeneration. This includes:

   • rollup: npm:@rollup/wasm-node
   • lodash: ^4.18.0
   • mdast-util-to-hast: ^13.2.1

   However, these overrides are still present in package.json. This discrepancy needs resolution.

3. Rollup migration: The lockfile now uses native rollup (rollup@4.60.3) with platform-specific optional dependencies instead of the WASM version. This is generally a positive change for performance, but should be intentional.

General findings (auto-demoted from inline due to pre-validation)

• Blocking dashboard/package.json:104 — There's a mismatch between this override and the pnpm-lock.yaml.
  • (demoted: line 104 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)
• Non-blocking dashboard/tsconfig.app.json:23 — baseUrl is deprecated in TypeScript 6.0 and will be removed in 7.0.
  • (demoted: path "dashboard/tsconfig.app.json" is not in the PR diff)

[doubleword-code]

Summary

This PR upgrades the dashboard from TypeScript ~5.9.2 to ~6.0.0, a major version update that serves as a bridge to TypeScript 7.0's native port. The change affects package.json and regenerates pnpm-lock.yaml with updated peer dependency resolutions.

Verdict: Needs changes before merge — while the upgrade itself is reasonable, there are configuration deprecation warnings that should be addressed and a concerning removal of pnpm overrides that needs verification.

Research notes

I reviewed the official TypeScript 6.0 release notes and documentation. Key findings:

1. TypeScript 6.0 is a transition release preparing for TypeScript 7.0's native Go-based compiler. It introduces new defaults and deprecations to align with modern development practices.

2. Breaking default changes:

   • strict now defaults to true
   • types now defaults to [] (empty array) instead of auto-including all @types/* packages
   • rootDir now defaults to . instead of being inferred
   • module defaults to esnext
   • noUncheckedSideEffectImports defaults to true

3. Deprecations requiring attention:

   • baseUrl is deprecated — projects should add explicit prefixes to paths entries
   • target: es5, --downlevelIteration, --moduleResolution node/classic, AMD/UMD/SystemJS modules, outFile, legacy module syntax for namespaces, import asserts keyword

4. Security note: The lockfile shows @ungap/structured-clone@1.3.0 has a deprecation warning about "Potential CWE-502" recommending update to 1.3.1+.

Suggested next steps

1. Blocking: Verify the removal of pnpm overrides in pnpm-lock.yaml — the diff shows these were removed:

   overrides:
     rollup: npm:@rollup/wasm-node
     lodash: ^4.18.0
     mdast-util-to-hast: ^13.2.1

   These security/pinning overrides should be preserved in package.json if still needed.

2. Non-blocking: Address the deprecated baseUrl usage in tsconfig.app.json and tsconfig.json by migrating to explicit path prefixes.

3. Non-blocking: Consider adding explicit "types": ["node"] or similar to tsconfig files to avoid unintended global type inclusion and improve build performance.

General findings

pnpm Overrides Removal (Needs Investigation)

The diff shows the overrides section was completely removed from pnpm-lock.yaml. In the original package.json, these overrides are still present:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

However, the lockfile no longer contains the overrides: section at the top level. This could indicate:

• The overrides were intentionally removed because they're no longer needed
• The pnpm version changed how overrides are represented
• There's a risk the security patches (lodash, structured-clone) are no longer enforced

Action required: Verify whether these overrides are still necessary and ensure they're properly represented in the regenerated lockfile.

Deprecated baseUrl Usage

Both tsconfig.app.json and tsconfig.json use baseUrl: "." which is deprecated in TypeScript 6.0. Per the official migration guidance, the fix is to remove baseUrl and add explicit prefixes to paths:

// Before (deprecated)
{
  "baseUrl": ".",
  "paths": { "@/*": ["./src/*"] }
}

// After
{
  "paths": { "@/*": ["src/*"] }
}

This won't break immediately but will show deprecation warnings and will fail in TypeScript 7.0.

Missing Explicit types Array

TypeScript 6.0 changes types to default to [] instead of auto-including all @types/* packages. While tsconfig.test.json correctly specifies "types": ["vitest/globals", "@testing-library/jest-dom"], the main tsconfig.app.json doesn't specify a types array. This is likely fine since the app probably doesn't need global types, but teams should be aware this could cause "Cannot find name" errors for previously-available globals like process or Node.js built-ins if they were implicitly relied upon.

Build Performance Impact

Per Microsoft's research, projects that explicitly set types to only what's needed (e.g., ["node"] or ["*"] to restore old behavior) see 20-50% build time improvements. This upgrade is an opportunity to audit global type dependencies.