repo: sweep through Dependabot backlog — bring all deps up to current

[Axelj00]

Problem

Dependabot has been opening PRs for weeks and nothing's been merged. We're sitting on 15 open Dependabot PRs plus a long tail of closed/superseded ones. The backlog includes a couple of risky majors (Vite 6→8, TypeScript 5→6) mixed in with trivial patch bumps that should just go in.

This issue is the umbrella to drive the sweep — group the bumps by risk, merge the safe ones quickly, and decide deliberately on the majors.

Current state

Snapshot of npm outdated:

Package	Current	Latest	Notes
@tauri-apps/api	2.10.1	2.11.0	minor
@tauri-apps/cli	2.10.1	2.11.1	minor
@tauri-apps/plugin-opener (js)	2.5.3	2.5.4	patch
@tauri-apps/plugin-updater	2.10.0	2.10.1	patch
eslint	10.0.3	10.3.0	minor
prettier	3.8.1	3.8.3	patch
typescript	5.9.3	6.0.3	major
typescript-eslint	8.57.0	8.59.2	minor
vite	6.4.1	8.0.11	two majors
vitest	4.1.0	4.1.5	patch

Cargo side (from open PRs — cargo outdated not installed locally):

Crate	From	To	Notes
tauri	2.10.3	2.11.0	minor, paired with JS bumps
tauri-build	2.5.6	2.6.0	minor
tauri-plugin-opener (rs)	2.5.3	2.5.4	patch
libc	0.2.185	0.2.186	patch
sysinfo (Windows)	0.33.1	0.38.4	several majors — Windows-only path
windows (Windows)	0.59.0	0.61.3	minor — Windows-only path
toml	0.8.2	0.9.12	minor — touches config parsing

CI / workflows:

Action	From	To
mozilla-actions/sccache-action	0.0.9	0.0.10
actions/checkout	4	6
actions/setup-node	4	6

Open Dependabot PRs

Bucketed by risk:

Bucket A — patch / safe minor (just merge)

• Bump @tauri-apps/plugin-updater from 2.10.0 to 2.10.1 #414 @tauri-apps/plugin-updater 2.10.0 → 2.10.1
• Bump prettier from 3.8.1 to 3.8.3 #438 prettier 3.8.1 → 3.8.3
• Bump mozilla-actions/sccache-action from 0.0.9 to 0.0.10 #443 mozilla-actions/sccache-action 0.0.9 → 0.0.10
• Bump libc from 0.2.185 to 0.2.186 in /src-tauri #445 libc 0.2.185 → 0.2.186
• Bump vitest from 4.1.0 to 4.1.5 #446 vitest 4.1.0 → 4.1.5
• Bump tauri-plugin-opener from 2.5.3 to 2.5.4 in /src-tauri #448 tauri-plugin-opener (rs) 2.5.3 → 2.5.4
• Bump typescript-eslint from 8.57.0 to 8.59.2 #449 typescript-eslint 8.57.0 → 8.59.1
• Bump @tauri-apps/plugin-opener from 2.5.3 to 2.5.4 #450 @tauri-apps/plugin-opener (js) 2.5.3 → 2.5.4
• Bump eslint from 10.0.3 to 10.3.0 #455 eslint 10.0.3 → 10.3.0

Bucket B — coordinated Tauri bump (merge as a set)

The Tauri JS API, CLI, Rust crate, and tauri-build need to land together to keep the IPC ABI consistent. Don't merge piecemeal.

• Bump tauri-build from 2.5.6 to 2.6.0 in /src-tauri #451 tauri-build 2.5.6 → 2.6.0
• Bump @tauri-apps/api from 2.10.1 to 2.11.0 #452 @tauri-apps/api 2.10.1 → 2.11.0
• Bump @tauri-apps/cli from 2.10.1 to 2.11.1 #453 @tauri-apps/cli 2.10.1 → 2.11.0
• Bump tauri from 2.10.3 to 2.11.0 in /src-tauri #454 tauri 2.10.3 → 2.11.0

Verify after: dev build, prod build, updater handshake, all tauri-plugin-pty IPC paths, traffic-light window controls, OSC handler.

Bucket C — risky majors (decide deliberately, one at a time)

• Bump typescript from 5.9.3 to 6.0.3 #441 typescript 5.9.3 → 6.0.3 — major. Run npx tsc --noEmit clean across all of src/. Check for new strictness around noUncheckedIndexedAccess defaults, verbatimModuleSyntax, etc.
• Bump vite from 6.4.1 to 8.0.11 #447 vite 6.4.1 → 8.0.10 — skips a whole major. v7 dropped Node 18, v8 changed several plugin APIs and the dev-server middleware contract. Prior PRs Bump vite from 6.4.1 to 8.0.3 #279, Bump vite from 6.4.1 to 8.0.9 #440, Bump vite from 6.4.1 to 8.0.8 #425, Bump vite from 6.4.1 to 8.0.1 #231, Bump vite from 6.4.1 to 8.0.0 #86 already attempted this and were closed unmerged — we keep punting it. Need to actually do the migration this time or pin and stop opening the PRs.

Closed / superseded — just for context

Lots of stale Dependabot PRs were closed because newer versions came out before we got to them: #279/#440/#425/#231/#86 (Vite), #424/#280 (vitest), #282 (TS 6.0.2), #413/#439/#232 (eslint), #444/#442/#427/#412/#230 (typescript-eslint), #426 (prettier).

Worth checking before closing this issue — if Dependabot has already opened replacements, fine; if not, we may need to nudge it.

A few were closed without ever being merged but were upgraded by hand (already reflected in package.json): @xterm/xterm 5.5.0 → 6.0.0 (#85), @xterm/addon-fit 0.10.0 → 0.11.0 (#87), @xterm/addon-web-links 0.11.0 → 0.12.0 (#88), toml 0.8.2 → 0.9.12 (#84 — but Cargo.toml still pins 0.8, so the PR's actually still relevant), sysinfo 0.33.1 → 0.38.4 (#228 — Cargo.toml still pins 0.33), windows 0.59.0 → 0.61.3 (#229 — Cargo.toml still pins 0.59), actions/checkout 4 → 6 (#82), actions/setup-node 4 → 6 (#81). These last several are still stale in the lockfile/manifest — re-open or re-bump.

Plan

1. Now — merge Bucket A in one batch. npm run preflight after each, or after the whole batch if green individually.
2. Same session — merge Bucket B as a single coordinated PR or a tight sequence. Smoke-test the full app: launch a tab, split a pane, run a worktree split, kill a process, check for updates, copy/paste, OSC notifications.
3. Separate session per major in Bucket C. Each gets its own PR with notes on what broke and how it was migrated. TypeScript 6 first (lower blast radius), Vite 8 second.
4. Cargo side: revisit Bump toml from 0.8.2 to 0.9.12+spec-1.1.0 in /src-tauri #84 (toml 0.9), Bump sysinfo from 0.33.1 to 0.38.4 in /src-tauri #228 (sysinfo 0.38), Bump windows from 0.59.0 to 0.61.3 in /src-tauri #229 (windows 0.61), Bump actions/setup-node from 4 to 6 #81 (setup-node 6), Bump actions/checkout from 4 to 6 #82 (checkout 6) — these PRs are closed but the manifests still point at the old versions. Either re-open or just open a fresh PR.
5. Set up a recurring expectation: merge the next Dependabot batch within ~2 weeks of it opening so we don't end up here again.

Acceptance

• All Bucket A and B PRs merged or explicitly closed with reason.
• Decision recorded in this issue for each Bucket C major: upgraded, deferred (with a target date), or pinned permanently.
• Cargo.toml versions for toml, sysinfo, windows reviewed and either bumped or explicitly justified at the current pin.
• CI workflows updated to actions/checkout@v6 and actions/setup-node@v6 (or current latest at the time of the sweep).
• npm outdated shows nothing under "latest" except items intentionally pinned, with the reason in a comment.
• No regressions in: dev build, prod build, updater, PTY plugin, custom titlebar / window controls, copy / paste / paste-confirm, search, OSC handlers.

Non-goals

• Re-architecting the build or testing setup.
• Adding new tooling (cargo-outdated, Renovate) — Dependabot already covers it; the problem is the merge cadence, not the visibility.