build(deps-dev): Bump globals from 17.6.0 to 17.7.0 in /webui#331
Conversation
Bumps [globals](https://github.com/sindresorhus/globals) from 17.6.0 to 17.7.0. - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](sindresorhus/globals@v17.6.0...v17.7.0) --- updated-dependencies: - dependency-name: globals dependency-version: 17.7.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Bug Scan Summary
Date: 2026-07-12
Commits inspected: 949198b..36fc03e (PR #331 — globals 17.6.0 → 17.7.0)
Result: No critical bugs found.
PR #331 analysis
- Scope:
webui/package.json+ lockfile only; bumps devDependencyglobals. - Usage traced: sole consumer is
webui/eslint.config.js(globals.browserfor ESLintno-undef). Not bundled into production; not on any runtime path. - Package delta (17.6.0 → 17.7.0): adds browser global identifiers only (
CSSFontFaceDescriptors,LanguageModel,DOMMatrix, etc.). No removals or semantic changes. - Validation:
npm run lintclean;npx vitest run154/154 pass on bumped lockfile.
Broader master scan (since 2026-07-11)
Also inspected new master commits 8f3fdcc (#331, merged) and 0b71d17 (#333 immer 11.1.8→11.1.11, merged). Immer patch includes prototype-pollution hardening — net positive; produce() usage in ConfigView.tsx unchanged.
Pre-existing critical regressions from v6.12.4 (f49384b) remain on master (Branch 14 IsFileFiltered gate; IsImportedAsync fail-open on Arr API errors). Fix already tracked in draft PR #330 — no duplicate PR opened.
Deduplication check:
- Open PRs:
globals,import finalize,IsFileFiltered,IsImportedAsync— #330 (import fix, draft); #331/#333 dep-only/merged - Recently merged (14d): #331, #333, #328, #327, #326, #325, #324 — all dependency bumps
- Open issues: 0 matching import/globals keywords
- Conclusion: no new fix needed for this PR.
Sent by Cursor Automation: Torrentarr - Find critical bugs
There was a problem hiding this comment.
PR Validation (Cursor Automation)
Recommendation: Merge
Primary reason: The PR head merges cleanly with current origin/master, and all requested .NET and webui validation gates pass. GitHub currently reports this PR as already merged; validation found no blockers in the merged dependency update.
Gates
| Gate | Status | Notes |
|---|---|---|
| Merge conflicts | Pass | Fetched PR via refs/pull/331/head because the Dependabot branch ref is gone after merge; git merge origin/master completed cleanly with no conflicts. |
dotnet build |
Pass | dotnet build -c Release succeeded with 0 warnings and 0 errors after installing a temporary .NET 10 SDK in the validation environment. |
dotnet test (non-live) |
Pass | dotnet test -c Release --no-build --filter "Category!=Live" passed: Core 173, Infrastructure 403, Host 203; 779 total, 0 failed, 0 skipped. No test-count regression below baseline. |
vitest |
Pass | npx vitest run passed: 16 files, 154 tests. |
npm run build (webui) |
Pass | Required because webui/ changed; tsc -b && vite build succeeded. |
Validation
| Axis | Score | Notes |
|---|---|---|
| Purpose | Pass | Dependabot dev-dependency maintenance bump for globals from 17.6.0 to 17.7.0 in webui/. |
| Correctness | Pass | Scope is limited to webui/package.json and webui/package-lock.json; globals is used by the existing ESLint config and no Torrentarr runtime/parity contracts are touched. |
| Tests | Pass | No behavior change requiring new regression tests; full requested .NET and frontend validation passed. |
| Hygiene | Pass | Two-file dependency bump, no generated SDK junk, temp docs, megabranch, or unrelated code noise. |
| Overlap | Pass | No open duplicate globals PR found. Other open Dependabot webui PRs are for unrelated packages (msw, postcss). |
Why
This is a narrow webui dev-dependency update with matching lockfile changes. The local validation merge against current master was clean, and the dependency remains compatible with the existing TypeScript/Vite/Vitest toolchain. Torrentarr-specific backend/config/database/process-isolation checks are not applicable because the PR does not touch those areas. The required audit file pattern docs/audits/pr-triage-*.md is not present in the checked-out repository/current origin/master, so the known-winner checks from the prompt were used; none apply to this dependency bump.
Overlap
None.
Commands run
git fetch origin mastergit fetch origin dependabot/npm_and_yarn/webui/globals-17.7.0(remote branch ref unavailable after merge)gh pr view 331 --repo Feramance/Torrentarr --json ...git fetch origin pull/331/head:refs/remotes/origin/pr/331git checkout -B pr-validate 36fc03e3de152881118e3e3650e2a8dd88f71523git merge origin/masterdotnet restore(initial attempt showeddotnetmissing; installed temporary .NET 10 SDK)dotnet restoredotnet build -c Releasedotnet test -c Release --no-build --filter "Category!=Live"cd webui && npm cicd webui && npx vitest runcd webui && npm run buildgh pr list --repo Feramance/Torrentarr --state open --search "globals" --json ...
Sent by Cursor Automation: Torrentarr PR validation triage


Bumps globals from 17.6.0 to 17.7.0.
Release notes
Sourced from globals's releases.
Commits
a19670c17.7.09611620Update actions (#346)33b75f9Update globals (2026-06-22) (#345)887dd52Fix build script (#344)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)