chore(deps): update dependency vue to v3.5.27 #496

Merged
cbcoutinho merged 1 commit into master from renovate/vue-monorepo
Jan 28, 2026

@renovate-bot-cbcoutinho
Contributor

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vue (source) | 3.5.26 → 3.5.27 | age | adoption | passing | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

vuejs/core (vue)

v3.5.27

Compare Source

Bug Fixes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@renovate-bot-cbcoutinho renovate-bot-cbcoutinho bot force-pushed the renovate/vue-monorepo branch 2 times, most recently from ef9d566 to 217ad45 Compare January 27, 2026 11:07
@claude

claude bot commented Jan 27, 2026

PR Review: Update Vue.js dependency to v3.5.27

Summary

This is an automated dependency update from Renovate Bot upgrading Vue.js from 3.5.26 to 3.5.27 in the Astrolabe third-party component. The update is a patch release with bug fixes only.


Code Quality ✅

Strengths:

  • Clean dependency update with proper lockfile regeneration
  • Follows semantic versioning (patch release)
  • Removes unused pdfjs-dist dependency and related @napi-rs/canvas optional dependencies (190+ lines removed)

Observations:

  • The package-lock.json version bump from 0.8.3 to 0.9.0 suggests this may be part of a larger Astrolabe release
  • Vue dependency constraint remains ^3.0.0 in package.json, which is appropriate

Bug Fixes Included 🐛

According to the Vue 3.5.27 changelog, this release includes:

  1. compile-sfc: Fix variable shadowing in for loops with defineProps destructuring (#14296)
  2. compiler-sfc: Handle indexed access types in declare global blocks (#14260)
  3. compiler-sfc: Use correct scope when resolving indexed access types from external files (#14297)
  4. reactivity: Collection iteration should inherit iterator instance methods (#12644)
  5. runtime-core: Skip patching reserved props for custom elements (#14275)
  6. server-renderer: Use ssrRenderClass helper for className attribute (#14327)
  7. ssr: Handle v-bind modifiers during render attrs (#14263)

These are all bug fixes with no breaking changes.


Performance Considerations ⚡

Positive:

  • Removal of pdfjs-dist and @napi-rs/canvas reduces the dependency tree significantly
  • Smaller lockfile (reduced by 248 lines, added only 58 lines = net -190 lines)
  • No new dependencies or performance regressions expected from patch release

Neutral:

  • Vue patch releases typically have minimal performance impact
  • The entities sub-dependency was updated from 7.0.0 to 7.0.1 (minor patch)

Security Concerns 🔒

Low Risk:

  • Patch version updates from a trusted, well-maintained framework (Vue.js)
  • No CVEs or security advisories mentioned in the release notes
  • Renovate Bot provides merge confidence indicators (visible in PR description)

Recommendation:

  • Review the merge confidence badges in the PR description
  • Consider enabling auto-merge for patch-level Vue updates if not already configured

Test Coverage 🧪

Concerns:

  • ⚠️ No test changes included - This is expected for a dependency update, but manual testing is recommended
  • The removal of pdfjs-dist suggests functionality may have been removed from Astrolabe - verify this was intentional

Recommendations:

  1. Run Astrolabe's test suite to ensure compatibility:

    cd third_party/astrolabe
    npm run lint
    npm run build

  2. Manual verification: If Astrolabe is used in integration tests, run relevant test suites:

    # From project root
    uv run pytest -m integration -v

  3. Verify pdfjs-dist removal: Check if PDF viewing functionality in Astrolabe was intentionally removed or moved elsewhere


Additional Notes 📝

Version Alignment:

  • The package.json constraint (vue: ^3.0.0) allows this update
  • All Vue sub-packages are updated in lockstep to 3.5.27 (correct pattern)
  • The @vue/server-renderer peer dependency correctly specifies vue@3.5.27

pdfjs-dist Removal:

  • This dependency was completely removed from package-lock.json
  • Verify this aligns with Astrolabe's functionality requirements
  • If PDF support is still needed, it may have been moved to a different implementation

Verdict 🎯

Recommendation: APPROVE with verification

This is a low-risk dependency update that includes useful bug fixes. The changes are appropriate, but:

  1. Approve the PR - The update itself is safe
  2. ⚠️ Before merging: Run Astrolabe build/lint to confirm compatibility
  3. ⚠️ Before merging: Verify pdfjs-dist removal was intentional
  4. After merging: Monitor for any runtime issues in Astrolabe functionality

Suggested Actions

    # Verify the build works
    cd third_party/astrolabe
    npm run lint
    npm run build

    # If successful, merge
    gh pr merge 496 --squash

Review completed by Claude Code

@claude

claude bot commented Jan 28, 2026

Pull Request Review: Vue.js 3.5.26 → 3.5.27 Update

Summary

This is an automated dependency update by Renovate Bot upgrading Vue.js from version 3.5.26 to 3.5.27 in the Astrolabe Nextcloud app. The changes are limited to the package-lock.json file within the third_party/astrolabe/ directory.


Code Quality: ✅ Excellent

Positive Aspects:

  • Clean, focused dependency update with no manual code changes
  • Automated tooling (Renovate) ensures consistency
  • Lock file properly regenerated with all transitive dependencies updated

Observations:

  • The update includes all Vue.js ecosystem packages (@vue/compiler-core, @vue/compiler-dom, @vue/compiler-sfc, @vue/runtime-core, etc.)
  • Entities dependency updated from 7.0.0 → 7.0.1 (transitive dependency of @vue/compiler-core)
  • Removal of pdfjs-dist and all @napi-rs/canvas packages appears to be unrelated to the Vue update (likely from package.json changes in commit 2648ef2)

Potential Issues: ⚠️ Minor Concerns

  1. Unrelated Dependency Removal:

    • The diff shows removal of pdfjs-dist (4.10.38) and @napi-rs/canvas packages
    • These removals are NOT mentioned in the PR title/description
    • This suggests the lock file was regenerated from a modified package.json that already removed these dependencies
    • Recommendation: Verify this was intentional and not accidental
  2. Package Version Bump:

    • Lock file shows version bump from 0.8.3 → 0.10.0 for astrolabe itself
    • This is a minor version bump that should have its own changelog/release notes
    • Recommendation: Ensure this version bump is intentional and properly documented

Security: ✅ Low Risk

Security Assessment:

  • Vue.js 3.5.27 is a patch release with bug fixes only
  • Official Vue.js release from the vuejs/core repository
  • No security vulnerabilities reported in the changelog
  • All fixes are for compiler edge cases and reactivity behavior

Bug Fixes in 3.5.27:

  • Improved handling of variable shadowing in for loops with defineProps destructuring
  • Fixed indexed access types in TypeScript type resolution
  • Collection iteration now inherits iterator instance methods correctly
  • Custom element reserved props patching improvements
  • SSR className and v-bind modifier handling fixes

Performance: ✅ Neutral to Positive

  • Patch releases typically include performance improvements or bug fixes
  • Compiler fixes (SFC, SSR) may improve build performance
  • No breaking changes or new features that would affect runtime performance
  • The reactivity fix (#12644) may improve iterator performance for collections

Test Coverage: ⚠️ Pending CI Results

Current Status:

  • ✅ ESLint: PASSED
  • ✅ Stylelint: PASSED
  • ✅ Changes detection: PASSED
  • ⏳ Node.js build: IN PROGRESS
  • ⏳ Integration tests: IN PROGRESS

Recommendations:

  1. Wait for all CI checks to complete before merging
  2. Verify the Node.js build succeeds with the new Vue version
  3. Ensure integration tests pass, especially any UI/component tests

Best Practices: ✅ Follows Conventions

Alignment with Project Standards:

  • ✅ Automated dependency management via Renovate
  • ✅ Semantic versioning respected (patch update)
  • ✅ Lock file properly maintained
  • ✅ No manual code changes in automated PR

Vue Version Constraint:

  • Package.json specifies: "vue": "^3.0.0"
  • This allows any 3.x version, so 3.5.27 is within acceptable range
  • Consider tightening to ^3.5.0 if relying on 3.5-specific features

Action Items

Before Merging:

  1. ✅ Verify CI checks complete successfully
  2. ⚠️ Confirm the pdfjs-dist and @napi-rs/canvas removals are intentional
  3. ⚠️ Validate the astrolabe version bump (0.8.3 → 0.10.0) is correct
  4. 📝 Consider testing the Astrolabe UI manually if you have a test Nextcloud instance
  5. 📝 Review the Vue 3.5.27 changelog for any edge cases that might affect your SFC components

Optional Improvements:

  • Consider adding automated visual regression testing for Vue component updates
  • Document which Vue 3.5.x features Astrolabe relies on (for future reference)

Recommendation: ✅ APPROVE (with minor verification)

This is a straightforward patch update with legitimate bug fixes. The main concern is understanding why pdfjs-dist was removed—if that was a deliberate dependency cleanup, this PR is safe to merge once CI passes.

Overall Assessment: Low-risk maintenance update that should be merged after CI validation.


Reviewed by: Claude Code (Automated Review)
Review Date: 2026-01-28
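
The lockfile check both reviews above ask for (confirming which package-lock.json changes fall outside the declared vue update), as an added example that is not part of this PR, the reviews, or the Astrolabe project. The allow-list patterns and the trimmed lockfile fragments are assumptions, constructed from the versions quoted in this thread.

```javascript
// Added example (not from the PR): audit a package-lock.json diff against the declared update.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" is the root project.
function packageName(key) {
  if (key === "") return "(root project)";
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// A pattern is an exact package name or a scope wildcard such as "@vue/*".
function isExpected(name, patterns) {
  return patterns.some((p) => (p.endsWith("/*") ? name.startsWith(p.slice(0, -1)) : name === p));
}

// Compare the "packages" maps (lockfileVersion 2/3) of two parsed lockfiles.
function auditLockfileDiff(before, after, patterns) {
  const a = before.packages || {}, b = after.packages || {};
  const findings = [];
  for (const key of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const o = a[key], n = b[key];
    let kind = null;
    if (!o) kind = "added";
    else if (!n) kind = "removed";
    else if (o.version !== n.version) kind = "version-changed";
    // Same version, different hash: the artifact changed under a fixed version.
    else if (o.integrity !== n.integrity) kind = "integrity-changed";
    if (!kind) continue;
    const name = packageName(key);
    findings.push({ name, kind, from: o && o.version, to: n && n.version,
      expected: kind !== "integrity-changed" && isExpected(name, patterns) });
  }
  return findings;
}

// Constructed sample input, trimmed to the fields the audit reads.
const lockBefore = { packages: {
  "": { version: "0.8.3" },
  "node_modules/vue": { version: "3.5.26" },
  "node_modules/@vue/compiler-core": { version: "3.5.26" },
  "node_modules/entities": { version: "7.0.0" },
  "node_modules/pdfjs-dist": { version: "4.10.38" } } };
const lockAfter = { packages: {
  "": { version: "0.10.0" },
  "node_modules/vue": { version: "3.5.27" },
  "node_modules/@vue/compiler-core": { version: "3.5.27" },
  "node_modules/entities": { version: "7.0.1" } } };

const unexpected = auditLockfileDiff(lockBefore, lockAfter, ["vue", "@vue/*", "entities"])
  .filter((f) => !f.expected);
console.log(unexpected.map((f) => `${f.name}: ${f.kind} ${f.from ?? "-"} -> ${f.to ?? "-"}`));
```

In practice the two inputs would be the parsed package-lock.json from the base and head commits of the PR.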

@cbcoutinho cbcoutinho merged commit 25dee9b into master Jan 28, 2026
12 checks passed
@renovate-bot-cbcoutinho renovate-bot-cbcoutinho bot deleted the renovate/vue-monorepo branch January 29, 2026 11:15