chore: update dependencies #6

Merged: gameroman merged 1 commit into main from update-dependencies, May 16, 2026

@gameroman gameroman commented May 16, 2026

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to latest versions, including infinibrowser to 0.9.0
    • Enhanced CI pipeline with dedicated linting step
    • Updated Renovate configuration for improved dependency management

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | userscripts | 7d44751 | Commit Preview URL, Branch Preview URL | May 16 2026, 11:56 AM |

coderabbitai Bot commented May 16, 2026

📝 Walkthrough

This PR updates the CI workflow to separate linting from the build step, pins all dependencies and devDependencies to exact versions, switches Renovate configuration to use a local preset, and corrects optional chaining logic in the build config's serializeHeader function.

Changes

Configuration and Build Infrastructure

| Layer / File(s) | Summary |
|---|---|
| CI Workflow Linting Setup (.github/workflows/ci.yml) | Node.js 24.x setup step added; bun run lint now runs as a dedicated step before build in the "Lint and Build" phase. |
| Dependency and Renovate Configuration Updates (package.json, renovate.json) | infinibrowser and dev dependencies pinned to exact versions; Renovate extends switches from config:recommended to local>gameroman/renovate-config. |
| Build Config Optional Chaining Fix (src/build/config.ts) | serializeHeader condition uses direct opts.rootDir instead of optional chaining when validating before inferHeaderFields call. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 The workflow now lints with pride, so clear and bright,
Dependencies pinned to versions that feel just right,
Renovate learns local custom ways,
And config chains shed optional haze—
A tidy update, clean delight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: update dependencies' accurately describes the primary changes in the PR, which involves updating package.json dependencies, CI workflow configuration, and Renovate settings. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


@gameroman gameroman marked this pull request as ready for review May 16, 2026 11:58

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ci.yml (1)

18-22: Consider removing Node.js setup if the build and lint scripts don't require it.

The setup includes Node.js 24.x (which is valid and in Active LTS) alongside Bun, but neither your build script (bun ./src/build) nor lint script (oxlint) explicitly requires Node.js. If these are the only tools running in the workflow, the Node.js setup step may be redundant. If other scripts or dependencies depend on Node.js being available, clarify this in a comment or document the requirement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 18 - 22, The CI workflow currently
installs Node via the actions/setup-node step (uses: actions/setup-node and
node-version: 24.x) even though the job runs Bun-based build and lint (bun
./src/build and oxlint) and may not need Node; either remove the
actions/setup-node step entirely to avoid redundant setup, or if Node is
required elsewhere, keep it but add a comment explaining why Node 24.x is
necessary and which scripts depend on it (e.g., mention bun ./src/build or
oxlint) so the requirement is explicit.
package.json (1)

15-25: Consider the implications of pinning all dependencies.

All dependencies have been pinned to exact versions (removing ^ prefixes). This approach:

Pros: Ensures reproducible builds and prevents unexpected breaking changes
⚠️ Cons: Requires active dependency management to receive security patches and bug fixes

Since you've also updated Renovate configuration (in renovate.json), ensure your local Renovate preset is configured to handle pinned dependencies appropriately by creating PRs for updates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 15 - 25, You pinned all deps/devDeps in
package.json (the "dependencies" and "devDependencies" blocks) which prevents
automatic minor/patch updates; update your Renovate configuration
(renovate.json) or preset to ensure it opens PRs for pinned-version updates
(enable bumping of exact versions or schedule weekly/monthly updates and set
pinVersionPolicies) so security/bugfix releases are still proposed — adjust
renovate.json to include rules targeting package.json pins and verify the preset
used by `@your-org` triggers PRs for exact versions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 15: The package upgrade introduced oxlint v1.64.0 which contains a
breaking change in its LSP module (it prevents applying "fixAll" code actions),
so either pin oxlint to a pre-1.64.x version (e.g., set oxlint dependency to
1.63.0) or update the LSP integration that relies on fixAll to use individual
code actions or a new supported command; locate the dependency entry for
"oxlint" in package.json and change the version specifier to a safe pinned
version or adjust the LSP client code that invokes the "fixAll" code action to
use alternatives compatible with oxlint v1.64.0.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 18-22: The CI workflow currently installs Node via the
actions/setup-node step (uses: actions/setup-node and node-version: 24.x) even
though the job runs Bun-based build and lint (bun ./src/build and oxlint) and
may not need Node; either remove the actions/setup-node step entirely to avoid
redundant setup, or if Node is required elsewhere, keep it but add a comment
explaining why Node 24.x is necessary and which scripts depend on it (e.g.,
mention bun ./src/build or oxlint) so the requirement is explicit.

In `@package.json`:
- Around line 15-25: You pinned all deps/devDeps in package.json (the
"dependencies" and "devDependencies" blocks) which prevents automatic
minor/patch updates; update your Renovate configuration (renovate.json) or
preset to ensure it opens PRs for pinned-version updates (enable bumping of
exact versions or schedule weekly/monthly updates and set pinVersionPolicies) so
security/bugfix releases are still proposed — adjust renovate.json to include
rules targeting package.json pins and verify the preset used by `@your-org`
triggers PRs for exact versions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5c7e0d55-f8dc-47af-a09c-4fa8750f4a2e

📥 Commits

Reviewing files that changed from the base of the PR and between a8f3d07 and 7d44751.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • package.json
  • renovate.json
  • src/build/config.ts

Comment thread package.json
},
"dependencies": {
"infinibrowser": "^0.8.0"
"infinibrowser": "0.9.0"

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify each upgraded package version exists
packages=(
  "infinibrowser@0.9.0"
  "@infinite-craft/dom-types@0.0.4"
  "oxfmt@0.49.0"
  "oxlint@1.64.0"
  "wrangler@4.90.1"
)

for pkg in "${packages[@]}"; do
  echo "Checking $pkg..."
  npm view "$pkg" version 2>/dev/null || echo "$pkg not found"
done

# Check for security advisories
echo -e "\n=== Security Advisories ==="
npm audit --package-lock-only 2>/dev/null || echo "Run 'npm audit' after installing to check for vulnerabilities"

Repository: rmandotdev/userscripts

Length of output: 345


🏁 Script executed:

#!/bin/bash
# Check security vulnerabilities using npm view to get package info
packages=(
  "infinibrowser@0.9.0"
  "@infinite-craft/dom-types@0.0.4"
  "oxfmt@0.49.0"
  "oxlint@1.64.0"
  "wrangler@4.90.1"
)

for pkg in "${packages[@]}"; do
  echo "=== $pkg ==="
  npm view "$pkg" description 2>/dev/null | head -1
  npm view "$pkg" time.modified 2>/dev/null || echo "Unknown"
  echo ""
done

# Try to check if there's a vulnerabilities report
echo "=== Vulnerability Check ==="
npm audit --json 2>/dev/null | python3 <<'PYEOF'
import json
import sys
try:
    data = json.load(sys.stdin)
    if 'vulnerabilities' in data:
        print(json.dumps(data['vulnerabilities'], indent=2))
    else:
        print("No vulnerabilities found in audit")
except:
    print("Unable to parse audit results")
PYEOF

Repository: rmandotdev/userscripts

Length of output: 662


🌐 Web query:

infinibrowser 0.9.0 breaking changes security vulnerabilities

💡 Result:

There is no software package named "infinibrowser" that has reached version 0.9.0. The Python package "infinibrowser" available on PyPI is a simple API wrapper for the Infinite Craft Browser website [1][2][3]. As of May 16, 2026, the latest version of this package is 0.1.3, which was released on July 10, 2025 [1][2][3]. Security databases, such as Safety DB, report no known security vulnerabilities for the "infinibrowser" package [1]. It is possible that the query may be confusing "infinibrowser" with other similarly named projects or recent security incidents in the AI and browser automation space, such as:

  • Vulnerabilities in other AI-related tools (e.g., the Cline Kanban WebSocket vulnerability [4] or LiteLLM SQL injection [5]).
  • Other software with "Infini" in the name, such as the INFINI Framework, which has documented breaking changes in its release notes [6][7], or "Infinite Image Browsing," which has had past security issues [8].

If you are referring to a different piece of software, please verify the exact name and version number.


🌐 Web query:

@infinite-craft/dom-types 0.0.4 release notes changes

💡 Result:

The package @infinite-craft/dom-types version 0.0.4 is a TypeScript package that provides type declarations for the Infinite Craft DOM tree and client API [1]. As of May 16, 2026, there are no publicly available, formal release notes or a detailed changelog documenting the specific changes for version 0.0.4 [1]. The package is maintained by the user gameroman on npm [1].


🌐 Web query:

oxfmt 0.49.0 oxlint 1.64.0 breaking changes

💡 Result:

In the release of oxlint v1.64.0 and oxfmt v0.49.0 (published May 11, 2026), the following breaking change was documented for oxlint:

  • oxlint/lsp: The project now prevents fixing suggestions on "fixAll" code actions and commands [1][2].

There were no breaking changes explicitly listed for oxfmt v0.49.0 in the official release notes [1][2]. For context, the Oxc project maintains a versioning policy where major versions (x.0.0) are reserved for breaking changes to the CLI or configuration format [3]. Minor versions (1.x.0) are used for new rules, features, and diagnostics, which are not considered breaking changes even if they result in new lint errors [3]. Features such as custom plugins and type-aware linting are explicitly excluded from semantic versioning and may introduce breaking changes at any time [3].


🌐 Web query:

wrangler 4.90.1 release notes breaking changes security

💡 Result:

Wrangler version 4.90.1, released on May 12, 2026, is a patch release that contains no breaking changes [1]. The release focuses on stability and bug fixes, including:

  • Dependency updates: Updated dependencies for "miniflare" and "wrangler," including bumping the "workerd" runtime to version 1.20260508.1 [1].
  • JSON output improvements: Fixed an issue where the beta/open-beta status banner would incorrectly appear in JSON output when printBanner: false was configured [1].
  • wrangler dev stability:
    • Resolved an issue where wrangler dev would hang on shutdown when remote bindings were present [1].
    • Fixed a race condition in RemoteProxySession.updateBindings to ensure the remote worker finishes reloading before the operation resolves [1].
    • Fixed an unhandled AbortError that occurred when the remote tail WebSocket was closed during bundle rebuilds or session shutdowns [1].

There are no specific security vulnerabilities or security-related breaking changes documented for this version [1]. Users are encouraged to review the official release notes on the Cloudflare Workers SDK GitHub repository for full details [1][2].


Note oxlint v1.64.0 breaking change in LSP module.

Package versions have been verified as existing on npm registries. All upgrades are safe except oxlint 1.64.0, which includes a breaking change: the LSP module now prevents fixing suggestions on "fixAll" code actions and commands. This may affect IDE integrations relying on the Language Server Protocol. No security vulnerabilities were found in any of the upgraded packages.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 15, The package upgrade introduced oxlint v1.64.0 which
contains a breaking change in its LSP module (it prevents applying "fixAll" code
actions), so either pin oxlint to a pre-1.64.x version (e.g., set oxlint
dependency to 1.63.0) or update the LSP integration that relies on fixAll to use
individual code actions or a new supported command; locate the dependency entry
for "oxlint" in package.json and change the version specifier to a safe pinned
version or adjust the LSP client code that invokes the "fixAll" code action to
use alternatives compatible with oxlint v1.64.0.
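
The exact-pin policy discussed in the package.json review comments above can be checked mechanically. The following is an added example, not code from this repository or from CodeRabbit: it classifies each dependency specifier and reports the ones that are not exact versions. The names `classify`, `findUnpinned` and `SAMPLE`, and the sample manifest itself, are assumptions made for illustration.

```javascript
// Added example: report package.json dependencies that are not exact pins.
// A full semver version, with optional prerelease and build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Manifest sections that the package manager resolves at install time.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Classify one specifier so the report can say why it is not a pin.
function classify(spec) {
  if (EXACT.test(spec)) return "exact";
  if (spec === "" || /^[xX*]$/.test(spec)) return "range"; // match-anything
  if (spec.startsWith("npm:")) {
    // Alias "npm:<name>@<version>": judge the part after the last "@".
    const version = spec.slice(spec.lastIndexOf("@") + 1);
    return EXACT.test(version) ? "exact" : "range";
  }
  if (/^(workspace|file|link):/.test(spec)) return "local";
  if (/^(git\+|git:|https?:|github:)/.test(spec)) return "url";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "url"; // "owner/repo" shorthand
  if (/^[A-Za-z][\w-]*$/.test(spec)) return "tag"; // "latest", "next", ...
  return "range"; // ^1.2.3, ~1.2.3, >=1 <2, 1.x, ...
}

// Return every non-exact entry as { section, name, spec, kind }.
function findUnpinned(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] ?? {})) {
      const kind = classify(String(spec).trim());
      if (kind !== "exact") findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest; "legacy-client", "some-tool" and "forked-lib"
// are hypothetical package names used only to exercise each branch.
const SAMPLE = {
  dependencies: { infinibrowser: "0.9.0", "legacy-client": "^0.8.0" },
  devDependencies: {
    oxlint: "1.64.0",
    wrangler: "~4.90.1",
    "some-tool": "latest",
    "forked-lib": "github:example/forked-lib#main",
  },
};

for (const f of findUnpinned(SAMPLE)) {
  console.log(`${f.section}: ${f.name}@${f.spec} (${f.kind}) is not an exact pin`);
}
```

In a CI step, parse the real package.json with `JSON.parse` and exit non-zero when `findUnpinned` returns a non-empty list.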

@gameroman gameroman merged commit d1fe12e into main May 16, 2026
3 checks passed