Security Alert Burndown: Dependabot bundling plan (2026-01-29)

[pelikhan]

Context

This issue tracks Dependabot PR bundling work discovered by the Security Alert Burndown campaign.

Bundling Rules

• Group work by runtime. Never mix runtimes.
• Group changes by target dependency file (one manifest + its lockfile).
• Patch/minor updates may be bundled; major updates should be isolated unless tightly coupled.
• Bundled releases must include a research report (packages, versions, breaking changes, migration, risk, tests).

Planned Bundles

Node.js — actions/setup/js/package.json

PRs:

• Bump @vitest/coverage-v8 from 4.0.17 to 4.0.18 in /actions/setup/js #12017 - Bump @vitest/coverage-v8 from 4.0.17 to 4.0.18 (patch update)
• Bump @types/node from 25.0.9 to 25.0.10 in /actions/setup/js #12016 - Bump @types/node from 25.0.9 to 25.0.10 (patch update)
• Bump prettier from 3.8.0 to 3.8.1 in /actions/setup/js #12014 - Bump prettier from 3.8.0 to 3.8.1 (patch update)
• Bump @vitest/ui from 4.0.17 to 4.0.18 in /actions/setup/js #12011 - Bump @vitest/ui from 4.0.17 to 4.0.18 (patch update)

Bundle recommendation: All are patch updates to testing/dev tools in the same manifest. Can be safely bundled.

Node.js — actions/setup/js/package.json (major update - separate)

PRs:

• Bump @actions/github from 7.0.0 to 8.0.0 in /actions/setup/js #12012 - Bump @actions/github from 7.0.0 to 8.0.0 (major update)

Bundle recommendation: Major version update should be isolated. Research breaking changes before merging.

Node.js — docs/package.json

PRs:

• Bump astro from 5.16.12 to 5.16.15 in /docs #12015 - Bump astro from 5.16.12 to 5.16.15 (patch update)
• Bump @astrojs/starlight from 0.37.3 to 0.37.4 in /docs #12013 - Bump @astrojs/starlight from 0.37.3 to 0.37.4 (patch update)
• Bump @playwright/test from 1.57.0 to 1.58.0 in /docs #12010 - Bump @playwright/test from 1.57.0 to 1.58.0 (minor update)

Bundle recommendation: Documentation tooling updates in same manifest. Can be bundled together.

Node.js — .github/workflows dependencies

PRs:

• Bump hono from 4.11.4 to 4.11.7 in /.github/workflows #12099 - Bump hono from 4.11.4 to 4.11.7 (patch update with security fixes)
• Bump @sentry/mcp-server from 0.27.0 to 0.29.0 in /.github/workflows #12009 - Bump @sentry/mcp-server from 0.27.0 to 0.29.0 (minor update)

Bundle recommendation: Both are workflow runtime dependencies. Security fix should be prioritized but can be bundled with the Sentry update.

Agent Task

1. For each bundle section above, research each update for breaking changes and summarize risks.
2. Bundle PRs per section into a single PR (one runtime + one manifest).
3. Ensure CI passes; run relevant runtime tests.
4. Add the research report to the bundled PR.
5. Update this issue checklist as PRs are merged.

AI generated by Security Alert Burndown