chore(deps): bump workbox-precaching from 7.3.0 to 7.4.0 #5614
Conversation
Bumps [workbox-precaching](https://github.com/googlechrome/workbox) from 7.3.0 to 7.4.0. - [Release notes](https://github.com/googlechrome/workbox/releases) - [Commits](GoogleChrome/workbox@v7.3.0...v7.4.0) --- updated-dependencies: - dependency-name: workbox-precaching dependency-version: 7.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: workbox-precaching 7.3.0 → 7.4.0
Semver risk: Minor
Dependency type: Production
CI status: All checks passing (build, frontend tests, linting)
Changelog Analysis
Sources consulted:
The v7.4.0 release notes state: "Critical dependency updates." Inspecting the commits between v7.3.0 and v7.4.0 confirms this is a housekeeping release:
5083f3fUpdate dependencies (npm audit)076adc0Bump js-yaml from 3.14.1 to 3.14.25456074/90fd893Bump glob from 11.0.1 to 11.1.0ee97746Bump pbkdf2 from 3.1.2 to 3.1.3d971ff7/b6825a9Update GitHub Actions to latest versions
Breaking changes: None found.
Deprecations: None found.
Security fixes: The release is described as "critical dependency updates" — the pbkdf2 and js-yaml bumps address known vulnerabilities in those transitive dependencies.
Compatibility Assessment
- Project usage is minimal: single
import { precacheAndRoute } from 'workbox-precaching'incontentcuration/contentcuration/frontend/serviceWorker/index.js - No API changes in this release —
precacheAndRouteis unchanged - No new peer dependency requirements
- No code changes required
- No prior failed attempts for this upgrade
Note on lockfile: workbox-precaching@7.4.0 pulls in workbox-routing@7.4.0 and workbox-strategies@7.4.0 transitively. The direct dependencies workbox-routing and workbox-strategies in package.json are still specified as ^7.3.0, so both 7.3.0 and 7.4.0 versions now appear in the lockfile. This is harmless but could be cleaned up by bumping those specifiers to ^7.4.0 as well for consistency.
New npm publisher: This version was published by swissspidy (Pascal Birchler), a known Google Chrome/WordPress contributor and Workbox maintainer.
Recommendation
APPROVE — Minor version bump with only internal dependency updates. No API changes, CI passes, minimal project usage. Safe to merge.
| "vuex": "^3.0.1", | ||
| "workbox-core": "^7.4.0", | ||
| "workbox-precaching": "^7.3.0", | ||
| "workbox-precaching": "^7.4.0", |
There was a problem hiding this comment.
nitpick: With workbox-precaching now at ^7.4.0, its transitive deps (workbox-routing, workbox-strategies) resolve to 7.4.0 in the lockfile, while the direct specifiers on lines 106-108 are still ^7.3.0. Consider bumping workbox-routing, workbox-strategies, and workbox-window to ^7.4.0 as well for consistency. Not blocking — both versions are compatible and this can be done in a follow-up.
1 participant
Bumps workbox-precaching from 7.3.0 to 7.4.0.
Release notes
Sourced from workbox-precaching's releases.
Commits
fa702fev7.4.0c34bf28Merge pull request #3441 from GoogleChrome/chore/npm-auditcf21cb6Merge pull request #3440 from GoogleChrome/chore/update-actions5083f3fUpdate dependenciescf91300Merge pull request #3439 from GoogleChrome/dependabot/npm_and_yarn/js-yaml-3....b6825a9Update upload-sarif actiond971ff7Update GitHub Actions to latest versions076adc0Bump js-yaml from 3.14.1 to 3.14.269478fdMerge pull request #3433 from GoogleChrome/dependabot/npm_and_yarn/packages/w...0d9b8b3Merge pull request #3434 from GoogleChrome/dependabot/npm_and_yarn/glob-11.1.0Maintainer changes
This version was pushed to npm by swissspidy, a new releaser for workbox-precaching since your current version.
You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)