build(deps-dev): bump web-ext from 10.0.0 to 10.1.0 #2605

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/web-ext-10.1.0

Conversation

@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps web-ext from 10.0.0 to 10.1.0.

Release notes

Sourced from web-ext's releases.

10.1.0 (2026-03-31)

main changes

None

dependencies

  • Updated: dependency addons-linter to 10.3.0 (#3673)
  • Updated: dependency @babel/runtime to 7.29.2 (#3660)

dev dependencies

  • Updated: dependency @babel/preset-env to 7.29.2 (#3661)
  • Updated: dependency @commitlint/cli to 20.5.0 (#3657)
  • Updated: dependency @commitlint/config-conventional to 20.5.0 (#3658)
  • Updated: dependency brace-expansion to 1.1.13 (#3671)
  • Updated: dependency flatted to 3.4.1 (#3656)
  • Updated: dependency flatted to 3.4.2 (#3665)
  • Updated: dependency node-forge to 1.4.0 (#3670)
  • Updated: dependency picomatch (#3669)
  • Updated: dependency sinon to 21.0.3 (#3659)
  • Updated: dependency undici to 7.24.1 (#3655)

Commits
  • 5e9b089 10.1.0
  • 4387494 chore(deps): bump addons-linter from 10.2.0 to 10.3.0 (#3673)
  • 63c2bc7 chore(audit): update npm audit ignore list (#3672)
  • a9d767d chore(deps): bump brace-expansion from 1.1.12 to 1.1.13 (#3671)
  • d29aaa7 chore(deps): bump node-forge from 1.3.2 to 1.4.0 (#3670)
  • 73dd5f8 chore(deps): bump picomatch (#3669)
  • 664b23c chore(deps): bump addons-linter from 10.1.0 to 10.2.0 (#3668)
  • 67efc41 chore(deps): bump flatted from 3.4.1 to 3.4.2 (#3665)
  • 308b344 chore(deps-dev): bump @babel/preset-env from 7.29.0 to 7.29.2 (#3661)
  • aa0333e chore(deps): bump @babel/runtime from 7.28.6 to 7.29.2 (#3660)
  • Additional commits viewable in compare view


Note

Low Risk
Low risk dev-tooling update; only web-ext and its lockfile-resolved transitive dependencies change, with no production code impact.

Overview
Updates the dev dependency web-ext from 10.0.0 to 10.1.0.

Regenerates package-lock.json to reflect updated transitive tooling deps (notably addons-linter, @babel/runtime, @mdn/browser-compat-data, and eslint).

Reviewed by Cursor Bugbot for commit b3b2018. Bugbot is set up for automated code reviews on this repo.

@dependabot dependabot bot added the "dependencies" (Update one or more dependencies) and "version minor" (Increment the minor version when merged) labels on Apr 6, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 6, 2026 10:57
github-actions bot commented Apr 6, 2026

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

@github-actions github-actions bot added the "semver-patch" (Bug fix / internal, no release needed) label on Apr 6, 2026
github-actions bot commented Apr 6, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/web-ext-10.1.0
Commit 96e22796b1
Updated April 13, 2026 at 1:10:01 PM UTC

Static preview entry points: QR codes (mobile preview) for the docs preview, the static pages preview, and the integration pages preview.

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/web-ext-10.1.0

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/web-ext-10.1.0")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/web-ext-10.1.0
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/web-ext-10.1.0

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#96e22796b1dccefb2e8d5b34cd75d43e0ebac464

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "96e22796b1dccefb2e8d5b34cd75d43e0ebac464")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/web-ext-10.1.0
git -C submodules/content-scope-scripts checkout 96e22796b1dccefb2e8d5b34cd75d43e0ebac464

@cursor cursor bot left a comment

Stale comment

Web Compatibility Assessment

  • File: injected/package.json | Line range: 57 | Severity: info | Change is a devDependency version bump (web-ext ^10.0.0 -> ^10.1.0) with no injected runtime source changes, no API override/shim changes, and no browser-surface contract impact.
  • File: package-lock.json | Line range: 59-67, 10219-10239 | Severity: info | Lockfile updates align with the web-ext upgrade and transitive toolchain packages only; no modifications to injected feature code, wrapper utilities, messaging bridge, or platform entrypoint behavior.
  • File: package-lock.json | Line range: 10884-10890 | Severity: warning | Unrelated lockfile churn appears (@duckduckgo/design-tokens spec string normalized from commit hash form to tag form). Runtime compatibility impact is nil, but this widens review surface and can hide unrelated drift in dependency PRs.

Security Assessment

  • File: injected/package.json | Line range: 57 | Severity: info | Updated package is dev-only (web-ext) and not executed in page context; no new exposure in hostile page runtime.
  • File: package-lock.json | Line range: 172-2497, 10219-10239 | Severity: info | Transitive updates are confined to tooling/linting paths (addons-linter, addons-scanner-utils, eslint stack, @babel/runtime used by tooling here). No changes to captured-globals, message transport validation, bridge secrets, origin checks, or load()-time injected logic.
  • File: package-lock.json | Line range: 10884-10890 | Severity: warning | The unrelated dependency spec rewrite is not an immediate vuln, but minimizing non-target lockfile edits reduces supply-chain review blind spots and audit ambiguity.

Risk Level

Low Risk - This PR is a dev-tool dependency bump with lockfile churn only and does not alter injected JavaScript runtime behavior, compatibility shims, or security-sensitive execution paths.

Recommendations

  1. Keep dependency update PRs tightly scoped: remove unrelated lockfile deltas (notably the @duckduckgo/design-tokens spec rewrite) unless intentionally included.
  2. Add/confirm CI guardrails for dependency-only PRs: run npm run test-unit and extension packaging smoke checks using web-ext commands used in this repo.
  3. For future dependency bump PRs, include a short changelog note for major transitive jumps (e.g., addons-scanner-utils 13 -> 15) to speed security triage.

Sent by Cursor Automation: Web compat and sec

@cursor cursor bot left a comment

Stale comment

Findings (ordered by severity)

  1. Medium – Unrelated lockfile mutation weakens pinning scope

    • package-lock.json includes a change unrelated to web-ext (@duckduckgo/design-tokens spec changed from a commit SHA to a tag ref).
    • This broadens the PR surface beyond the stated dependency bump and reduces determinism versus an immutable SHA pin.
    • Recommended fix: revert that lockfile hunk (or regenerate lockfile in a way that only touches injected/web-ext resolution).
  2. Low – No automated coverage for the only web-ext consumer path

    • In this repo, web-ext is only referenced by injected/scripts/run-fake-extension.js via npm run fake-extension.
    • CI workflows run unit/integration/lint, but do not invoke fake-extension/web-ext.
    • Risk: regressions in web-ext/addons-linter behavior are unlikely to be caught pre-merge.
    • Validation needed: run a smoke check for this path before merge (local or CI).

Changelog-based impact reviewed

  • web-ext 10.0.0 -> 10.1.0: primarily dependency updates (@babel/runtime to 7.29.2, addons-linter to 10.3.0).
  • addons-linter 10.1.0 -> 10.3.0: pulls addons-scanner-utils 13.1.0 -> 15.0.0 and related dependency updates.
  • Given local usage is web-ext run (not web-ext lint), expected runtime impact is low, but currently untested in CI.

Dependency necessity / alternatives

web-ext appears to be needed only for the manual fake-extension helper. If reducing supply-chain and lockfile churn is desired, an alternative is replacing this helper with Playwright extension-loading workflows already used elsewhere, then dropping the direct web-ext dependency.

Sent by Cursor Automation: Review dependabot

Comment thread package-lock.json
},
"devDependencies": {
"@duckduckgo/design-tokens": "github:duckduckgo/design-tokens#f8bfef66960b94c72d3e6be7c114fa87f9812e2a",
"@duckduckgo/design-tokens": "github:duckduckgo/design-tokens#v0.17.0",

This lockfile edit is unrelated to the web-ext bump and also changes pinning style from an immutable commit SHA to a tag ref (#v0.17.0). Could we revert this hunk so the PR remains dependency-scoped and deterministic?

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/main/web-ext-10.1.0 branch from f3c1be9 to c8642df on April 13, 2026 12:52
@cursor cursor bot left a comment

Stale comment

Web Compatibility Assessment

  • No findings.
  • injected/package.json (line 57), severity info: change is limited to devDependencies (web-ext ^10.0.0 -> ^10.1.0), with no modifications to injected feature code, wrappers, shims, message bridge, or platform entry points.
  • package-lock.json (multiple lockfile ranges including 59-62, 2211-2361, 10219-10231), severity info: transitive updates are build/lint/tooling graph changes (addons-linter, ESLint, @babel/runtime under web-ext) and do not alter browser runtime API overrides or DOM behavior in injected/src.

Security Assessment

  • No findings.
  • injected/package.json (line 57), severity info: this is a development-time dependency update only; no new content-script messaging, origin validation, bridge secret handling, captured-global usage, or runtime network behavior changes were introduced.
  • package-lock.json (lockfile-only updates), severity info: no security-sensitive code paths were changed in C-S-S runtime modules (captured-globals, wrapper-utils, utils/DDGProxy, message-bridge, feature implementations).

Risk Level

Low Risk: dependency-only PR affecting dev tooling (web-ext) and lockfile transitive packages, with zero runtime code changes in injected scripts.

Recommendations

  1. Run extension/tooling CI paths that exercise web-ext commands (build/package/sign validation) to catch CLI behavior changes from 10.0.0 to 10.1.0.
  2. Keep lockfile-only dependency updates isolated (as in this PR) to preserve rollback safety if a tooling regression appears.
  3. If CI has any web-ext invocation flags that are sensitive to CLI option parsing, add/retain a smoke test that executes those exact commands in automation.

Sent by Cursor Automation: Web compat and sec

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/main/web-ext-10.1.0 branch from c8642df to 961dbe6 on April 13, 2026 12:53
@cursor cursor bot left a comment

Stale comment

Web Compatibility Assessment

No direct web-compat findings.

  • injected/package.json (devDependencies update for web-ext) and package-lock.json only; there are no changes to injected runtime code paths (injected/src/features/*, wrapper-utils, DDGProxy, entry points, or platform support maps).
  • No API override/shim surface changed (wrapMethod, wrapProperty, shimInterface, wrapToString untouched), so no new risk to descriptor fidelity, toString() masking, instanceof, or return-contract behavior.

Security Assessment

No direct security findings in injected runtime.

  • No changes to trust-boundary components (captured-globals, message bridge, transport origin checks, stack-trace exemptions, config gate logic).
  • Dependency delta is restricted to dev tooling (web-ext and transitive linter/runtime packages in lockfile), so hostile-page attack surface in shipped content scripts is unchanged.

Risk Level

Low Risk — this is a dev-tooling dependency bump with lockfile churn only, and it does not modify injected script logic, browser API shims, or messaging/security-sensitive runtime code.

Recommendations

  1. Run a focused extension-tooling smoke test in CI/local (web-ext lint or equivalent packaging/lint step) to validate the addons-linter transitive jump (10.1.0 -> 10.3.0) does not introduce release pipeline regressions.
  2. Keep lockfile-only PRs scoped as done here; avoid coupling them with runtime injected feature changes so compatibility/security review remains isolated and low-noise.

Sent by Cursor Automation: Web compat and sec

@cursor cursor bot left a comment

Stale comment

Dependency risk review for web-ext 10.0.0 -> 10.1.0.

Confirmed findings

  1. Coverage gap for the only in-repo runtime usage
    web-ext is only invoked by injected/scripts/run-fake-extension.js (via npm run fake-extension in injected/package.json), but CI workflows in .github/workflows run unit/integration Playwright suites and do not execute this script. That means regressions in web-ext run behavior are not currently caught pre-merge.

  2. Transitive behavior changes are larger than the top-level bump suggests
    web-ext 10.1.0 release notes list no direct feature changes, but it pulls addons-linter 10.3.0, which in turn pulls addons-scanner-utils 15.0.0.
    addons-scanner-utils 14.0.0/15.0.0 release notes include auth-layer changes (notably dropping Bearer-token support) and API surface changes. Even if likely low impact for this repo, this is a real semantic shift in transitive code, not just patch-level churn.

Uncertain concerns (assumptions + required validation)

  1. Potential local workflow breakage outside CI scope
    Assumption: some engineers may use web-ext lint/scanner-related flows locally (or in downstream automation), not just web-ext run.
    Risk: transitive auth/API changes in addons-scanner-utils could alter those paths.
    Validation needed: run a smoke check covering web-ext run and web-ext lint against injected/integration-test/extension in CI or a dedicated canary job.

Dependency necessity / alternatives

web-ext appears to be used only for a local/dev helper script. Consider whether this dependency is still required in-repo versus:

  • replacing with Playwright extension-loading primitives for local debugging, or
  • moving web-ext usage to an optional external tooling repo/script if no CI path depends on it.

Suggested follow-up (separate PR)

Create a small hardening PR that adds a non-blocking smoke check job for npm run fake-extension (or at least npx web-ext run --help plus a minimal web-ext lint invocation) so future dependency bumps are verified by automation.

Sent by Cursor Automation: Review dependabot

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/main/web-ext-10.1.0 branch from 961dbe6 to 0cb765d on April 13, 2026 12:58
@cursor cursor bot left a comment

Stale comment

Web Compatibility Assessment

  • injected/package.json (line range ~57-61), info: web-ext is a dev-only tooling dependency bump (^10.0.0 -> ^10.1.0) and does not modify injected feature code paths, wrapper utilities, API shims, or runtime platform entry behavior.
  • package-lock.json (line ranges ~59-62, ~10219-10235, plus transitive update hunks), info: lockfile-only transitive changes (addons-linter, @babel/runtime, @eslint/js, @mdn/browser-compat-data, etc.) affect local/CI tooling resolution, not browser-page runtime behavior; no direct API-surface fidelity or prototype-chain regression vector introduced in injected scripts.

Security Assessment

  • injected/package.json (line range ~57-61), info: no changes to captured-globals, message bridge, transport origin checks, DDGProxy, or feature initialization lifecycle; no new attack surface in hostile page context.
  • package-lock.json (transitive dependency hunks), warning: this is still a supply-chain update to development tooling. While not runtime in page context, it changes the code executed in developer/CI environments (e.g., web-ext/addons-linter toolchain). No direct C-S-S content-script vulnerability identified in this diff.

Risk Level

Low Risk — dependency-only PR touching dev tooling manifests/lockfile, with no modifications to injected runtime JavaScript, wrapper/shim machinery, messaging boundary checks, or security-critical initialization paths.

Recommendations

  1. Run extension packaging/linting CI paths that invoke web-ext to confirm no behavioral change in build/sign/lint workflows from 10.1.0 and updated addons-linter transitive set.
  2. Keep this update isolated to tooling (as done here) and avoid coupling with runtime feature edits, so rollback remains straightforward if CI tool behavior changes.
  3. If desired, add/retain a CI smoke step that exercises the web-ext command path used by release workflows to detect future toolchain regressions early.

Sent by Cursor Automation: Web compat and sec

@cursor cursor bot left a comment

Stale comment

Findings

  1. Low: web-ext upgrade path is not CI-covered in this repo
    Evidence: the bumped dependency is only wired through injected/package.json and used by injected/scripts/run-fake-extension.js; there are no web-ext/fake-extension invocations in .github/workflows.
    Risk: regressions in web-ext@10.1.0 behavior (CLI flags, Chromium launch behavior, local dev execution) would not be caught before merge.

Uncertain Concerns (assumptions stated)

  1. web-ext@10.1.0 pulls addons-linter@10.3.0 -> addons-scanner-utils@15.0.0, whose upstream release notes include "drop support for Bearer token based authentication".
    Assumption: this repo appears to use only web-ext run (not web-ext sign/auth flows), so impact is likely none here.
    Validation needed: confirm no external/internal tooling around this repo relies on web-ext auth-related commands with Bearer tokens.

Changelog Impact Summary

  • web-ext@10.1.0: upstream reports no main functional changes, dependency-only release.
  • Transitives updated in lockfile are limited to @babel/runtime, addons-linter, addons-scanner-utils, @mdn/browser-compat-data, and nested ESLint bits.

Dependency Necessity / Better Practice

  • web-ext appears to be retained for local extension-run tooling (npm run fake-extension).
  • Alternative for a follow-up separate PR: add a lightweight smoke check for this path (or migrate this helper to Playwright-native extension loading) so dependency bumps are automatically validated.

No blocking issue found for this PR based on current in-repo usage.

Sent by Cursor Automation: Review dependabot

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/main/web-ext-10.1.0 branch from 0cb765d to 777d18d on April 13, 2026 13:01
@cursor cursor bot left a comment

Stale comment

Web Compatibility Assessment

  • injected/package.json (47-60) — info: Only a devDependency version bump (web-ext ^10.0.0 -> ^10.1.0). No changes to injected runtime features, wrappers, shims, or platform entry points; no direct web-compat regression surface in page-executed code.
  • package-lock.json (59-67, 10219-10230) — info: Lockfile reflects the same web-ext upgrade and expected transitive dependency refresh. No changes to browser API override paths (wrapper-utils, DDGProxy, feature code), so API surface fidelity/prototype-chain risks are unchanged.
  • package-lock.json (2211-2497) — warning: Transitive tooling stack changed beyond a single patch bump (addons-linter 10.1.0 -> 10.3.0, addons-scanner-utils 13.1.0 -> 15.0.0, nested eslint updates). This is still dev-tooling-only, but it can alter extension build/lint behavior and should be validated with packaging/lint smoke tests.

Security Assessment

  • injected/package.json (47-60) — info: No changes to hostile-page runtime execution paths, captured globals usage, or message transport code.
  • package-lock.json (172-2497, 10219-10230) — info: Dependency integrity hashes are updated consistently for new tarballs; no evidence of lockfile tampering pattern (e.g., mismatched version/resolved/integrity).
  • package-lock.json (2211-2497) — warning: Supply-chain surface changed in dev tooling transitive graph. Not a direct runtime vulnerability in injected scripts, but CI/build trust boundary changed and merits standard dependency audit and CI verification.

Risk Level

Low Risk — PR does not modify injected runtime/security-sensitive code paths; impact is limited to dev tooling (web-ext) and transitive lockfile updates.

Recommendations

  1. Run extension tooling smoke checks that exercise web-ext usage paths (build/sign/lint commands used in CI/release automation).
  2. Run dependency audit scoped to changed packages (web-ext, addons-linter, addons-scanner-utils) to confirm no newly introduced advisories.
  3. If reproducibility is critical, keep Dependabot lockfile-only churn limited to packages pulled by web-ext and avoid unrelated refresh in the same PR.

Sent by Cursor Automation: Web compat and sec
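
Added example, written for this review and not code from the PR or from the content-scope-scripts project: a small Node script that does mechanically what the package-lock.json thread above and the Web compat and sec assessment ask a reviewer to check by eye. It lists which packages moved and by how much (a 13.x -> 15.x addons-scanner-utils jump under a minor web-ext bump is flagged as major), which manifest specs changed for packages other than the one being bumped, which git specs now point at a tag or branch instead of a commit SHA, and whether every version/resolved/integrity triple is self-consistent. The lockfile objects, package names, versions and integrity strings are constructed samples that mirror this PR's shape, the function names are my own, and the script assumes npm lockfile v2/v3 layout (a "packages" map with workspaces as link entries) and npm's registry tarball naming (unscoped name, dash, version, .tgz).

```javascript
// Added example, not code from this PR or the content-scope-scripts project:
// a review helper for Dependabot lockfile bumps. Given two package-lock.json
// objects (npm lockfile v2/v3 "packages" layout) it reports (1) changed
// packages classified major/minor/patch, (2) manifest specs changed for
// anything other than the bumped dependency (unrelated churn), (3) git specs
// now lacking a 40-hex commit SHA (tags and branches can be moved), and (4)
// node_modules entries whose version, resolved URL and integrity disagree.
// All names, versions and hashes below are constructed, not the real lockfile.

const SHA40 = /[0-9a-f]{40}$/;
const MANIFEST_FIELDS = ['dependencies', 'devDependencies'];
const gitUnpinned = (spec) => /^(github:|git\+|git:)/.test(spec || '') && !SHA40.test(spec);

function bumpClass(from, to) {
  const a = /^(\d+)\.(\d+)\.(\d+)/.exec(from || ''), b = /^(\d+)\.(\d+)\.(\d+)/.exec(to || '');
  if (!a || !b) return 'unknown';
  for (const [i, level] of [[1, 'major'], [2, 'minor'], [3, 'patch']]) if (Number(a[i]) !== Number(b[i])) return level;
  return 'none';
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"; workspace keys pass through.
const pkgName = (key) => key.split('node_modules/').pop();
// Manifests are the root ("") and workspace folders, not node_modules paths.
const manifests = (lock) => Object.entries(lock.packages).filter(([k]) => !k.includes('node_modules/'));

function diffPackages(before, after) {
  const out = [];
  for (const k of new Set([...Object.keys(before.packages), ...Object.keys(after.packages)])) {
    const from = before.packages[k]?.version, to = after.packages[k]?.version;
    if (from === to) continue;
    const bump = !before.packages[k] ? 'added' : !after.packages[k] ? 'removed' : bumpClass(from, to);
    out.push({ name: pkgName(k), path: k, from, to, bump });
  }
  return out.sort((x, y) => x.path.localeCompare(y.path));
}

function specChanges(before, after) {
  const out = [];
  for (const [key, entry] of manifests(after)) {
    for (const field of MANIFEST_FIELDS) {
      const b = before.packages[key]?.[field] || {}, a = entry[field] || {};
      for (const name of new Set([...Object.keys(b), ...Object.keys(a)])) {
        if (b[name] !== a[name]) out.push({ manifest: key || '.', name, from: b[name], to: a[name], unpinsGit: gitUnpinned(a[name]) });
      }
    }
  }
  return out;
}

// Registry tarballs must be "<basename>-<version>.tgz" with sha512 integrity;
// git resolutions must end in a commit SHA. Anything else deserves a look.
function inconsistentEntries(lock) {
  const out = [];
  for (const [key, e] of Object.entries(lock.packages)) {
    if (!key.includes('node_modules/') || e.link) continue;
    if (typeof e.resolved !== 'string') { out.push({ path: key, reason: 'no resolved URL' }); continue; }
    if (e.resolved.startsWith('git+')) {
      if (!SHA40.test(e.resolved)) out.push({ path: key, reason: 'git resolved without commit SHA' });
    } else {
      const base = pkgName(key).split('/').pop();
      if (!e.resolved.endsWith(`/${base}-${e.version}.tgz`)) out.push({ path: key, reason: 'tarball does not match version' });
      if (!/^sha512-/.test(e.integrity || '')) out.push({ path: key, reason: 'missing or non-sha512 integrity' });
    }
  }
  return out;
}

function reviewLockfileBump(before, after, target) {
  const changes = diffPackages(before, after), specs = specChanges(before, after);
  return {
    changes,
    majors: changes.filter((c) => c.bump === 'major'),
    unrelatedSpecChanges: specs.filter((s) => s.name !== target),
    unpinnedGitSpecs: specs.filter((s) => s.unpinsGit),
    inconsistent: inconsistentEntries(after),
  };
}

// Constructed sample: an "injected" workspace depending on web-ext and on a git-hosted design-tokens package.
const SHA = 'f8bfef66960b94c72d3e6be7c114fa87f9812e2a';
const registry = (name, v) => ({ version: v, dev: true, integrity: `sha512-${name}-${v}`,
  resolved: `https://registry.npmjs.org/${name}/-/${name.split('/').pop()}-${v}.tgz` });
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'root', workspaces: ['injected'] },
  'injected': { version: '1.0.0', devDependencies: { 'web-ext': '^10.0.0', '@duckduckgo/design-tokens': `github:duckduckgo/design-tokens#${SHA}` } },
  'node_modules/injected': { resolved: 'injected', link: true },
  'node_modules/web-ext': registry('web-ext', '10.0.0'),
  'node_modules/addons-linter': registry('addons-linter', '10.1.0'),
  'node_modules/addons-scanner-utils': registry('addons-scanner-utils', '13.1.0'),
  'node_modules/@duckduckgo/design-tokens': { version: '0.17.0', dev: true, resolved: `git+ssh://git@github.com/duckduckgo/design-tokens.git#${SHA}` },
} };
const LOCK_AFTER = JSON.parse(JSON.stringify(LOCK_BEFORE));
Object.assign(LOCK_AFTER.packages.injected.devDependencies, { 'web-ext': '^10.1.0', '@duckduckgo/design-tokens': 'github:duckduckgo/design-tokens#v0.17.0' });
Object.assign(LOCK_AFTER.packages, {
  'node_modules/web-ext': registry('web-ext', '10.1.0'),
  'node_modules/addons-linter': registry('addons-linter', '10.3.0'),
  'node_modules/addons-scanner-utils': registry('addons-scanner-utils', '15.0.0'),
});
console.log(JSON.stringify(reviewLockfileBump(LOCK_BEFORE, LOCK_AFTER, 'web-ext'), null, 2));
```

To use it on a real PR, replace the two constructed objects with JSON.parse of the base branch's and the PR's package-lock.json and pass the bumped package's name. A non-empty majors, unrelatedSpecChanges or unpinnedGitSpecs array is the cue to ask for a narrower diff or a changelog note, as the comments above request; any inconsistent entry is a stop-and-look, since a version that does not match its tarball or a missing sha512 is exactly the pattern a tampered lockfile would show.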

@cursor cursor bot left a comment

Stale comment

Findings

  1. Medium – No automated coverage for the only affected execution path (web-ext usage).
    • Evidence in this PR: web-ext is only referenced in injected/scripts/run-fake-extension.js and as the injected/package.json devDependency.
    • Evidence in repo CI config: no .github/workflows job references fake-extension, run-fake-extension, or web-ext.
    • Risk: this bump is effectively untested in CI, so a CLI behavior change in web-ext/transitives could silently break the manual extension workflow (or change local security posture) without being caught.

Confirmed low-risk context

  • Upstream web-ext 10.1.0 release notes report no main changes, only dependency updates (addons-linter 10.3.0, @babel/runtime 7.29.2).
  • This remains a devDependency in injected, so there is no direct production runtime impact from this diff.

Uncertain concerns (need validation)

  • addons-linter moved to 10.3.0 and pulls addons-scanner-utils 15.0.0 (major transitive jump from 13.1.0). No direct break is visible here, but because the web-ext path is not CI-covered, compatibility changes would only surface during manual fake-extension use.

Suggested follow-up (separate PR, not this one)

  1. Add a lightweight CI smoke check for tooling integrity, e.g. run web-ext --version (or equivalent non-interactive invocation) in the injected workspace.
  2. If fake-extension remains important, add a small automated test around command construction/launch assumptions in run-fake-extension.js.
  3. Alternative: if this workflow is no longer needed, remove fake-extension + web-ext to reduce supply-chain surface.

Sent by Cursor Automation: Review dependabot

@cursor cursor bot left a comment

Stale comment

Dependency risk review for web-ext 10.0.0 -> 10.1.0.

Confirmed concerns

  1. Coverage gap for this dependency path (medium): this repo does not currently exercise web-ext in CI. The dependency is only used by injected/scripts/run-fake-extension.js (npx web-ext run), and current workflow jobs run unit/integration/build/lint but do not invoke fake-extension or web-ext directly. That means regressions from this bump can merge without execution coverage.
  2. Large transitive surface under a minor bump (low-medium): web-ext 10.1.0 release notes say “main changes: none”, but it upgrades addons-linter to 10.3.0, which upgrades addons-scanner-utils to 15.0.0 (major). This is a meaningful transitive change even though the direct bump is minor.

Uncertain concerns (need validation)

  1. addons-scanner-utils 15.0.0 includes behavioral changes (not just patching), e.g. dropped Bearer token auth support and explicit export changes. It is unclear whether these codepaths are reached by our web-ext run usage; if they are, behavior could differ in local extension test flows.

Changelog evidence used

Separate fix PR drafted

Opened follow-up PR with a targeted CI smoke check so this dependency path is covered on future bumps:

  • #2630
  • Change: add npm exec -w injected web-ext -- --version to injected unit-test matrix job.

Dependency necessity note

web-ext currently appears to be dev-only and used only for fake-extension flows. Alternative approach if we want to reduce toolchain risk: replace this path with Playwright persistent-context extension loading and remove the web-ext dependency entirely. I did not propose that change here because it is more invasive.

Sent by Cursor Automation: Review dependabot

Bumps [web-ext](https://github.com/mozilla/web-ext) from 10.0.0 to 10.1.0.
- [Release notes](https://github.com/mozilla/web-ext/releases)
- [Commits](mozilla/web-ext@10.0.0...10.1.0)

---
updated-dependencies:
- dependency-name: web-ext
  dependency-version: 10.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/main/web-ext-10.1.0 branch from 777d18d to b3b2018 on April 13, 2026 13:09
@cursor cursor bot left a comment

Web Compatibility Assessment

  • injected/package.json (line range around dependency entry for web-ext), severity: info:
    The change is a devDependency bump (web-ext ^10.0.0 -> ^10.1.0) and does not modify injected runtime code paths (injected/src/features, wrapper utilities, messaging bridge, or platform entry-point behavior). No API surface fidelity, descriptor, prototype-chain, or DOM interaction regressions are introduced by this diff itself.
  • package-lock.json (line ranges around node_modules/web-ext and its transitive subtree), severity: info:
    Lockfile updates are limited to build-time/tooling transitive packages (@babel/runtime, addons-linter, addons-scanner-utils, eslint-related deps) under the web-ext dependency graph. No browser-executed C-S-S logic changed, so no site-compat behavior delta is observable from this patch alone.

Security Assessment

  • injected/package.json + package-lock.json (same ranges), severity: info:
    No changes to security-sensitive runtime components: captured-globals, wrapper-utils, DDGProxy, message-bridge secret/origin checks, transport validation, or any injected feature implementation. Threat-model vectors (prototype tamper resilience, bridge spoofing, postMessage origin control, config gating) are unaffected by this PR.
  • package-lock.json (transitive dependency churn under web-ext), severity: info:
    Security impact is constrained to developer tooling execution context (local/CI) rather than page runtime context. I do not see a new in-browser exploit surface introduced by the changed files.

Risk Level

Low Risk — the PR is a dev-tool dependency update only, with no modifications to injected page runtime logic or security boundaries.

Recommendations

  1. info: Keep CI checks that exercise extension tooling paths (e.g., build/lint/pack steps using web-ext) to catch workflow regressions from CLI/transitive dependency behavior changes.
  2. info: If not already covered in this repo’s pipeline, run a quick extension packaging/smoke command on this branch to validate no output-format or command-flag regressions in web-ext 10.1.0.
  3. info: No additional web-compat/security runtime tests are required for this diff specifically, since no injected runtime code changed.

Sent by Cursor Automation: Web compat and sec

@cursor cursor bot left a comment

Findings

No blocking privacy/security regressions are confirmed from this dependency bump.

Evidence

  • The PR diff only changes web-ext from ^10.0.0 to ^10.1.0 in injected/package.json, plus lockfile updates.
  • Upstream web-ext 10.1.0 release notes report no main behavior changes, only dependency updates (notably addons-linter 10.3.0 and @babel/runtime 7.29.2).
  • Repository usage shows web-ext is invoked only in injected/scripts/run-fake-extension.js via web-ext run; there is no local usage of web-ext lint/sign/build.

Uncertain Concerns (non-blocking)

  1. Lockfile transitive changes include addons-linter 10.3.0 and addons-scanner-utils 15.0.0 (with peer dependency metadata changes). Those paths are typically exercised by web-ext lint, which does not appear to be covered by this repo’s tests.
    Assumption: current workflows depend on web-ext run only.
    Required validation: smoke-run npm run fake-extension on at least one CI/Linux environment after merge.

  2. Dependency necessity: web-ext currently appears tied to the fake-extension developer workflow only.
    Assumption: that workflow is still intentionally supported.
    Alternative (separate hardening PR): if this workflow is no longer required, remove web-ext and injected/scripts/run-fake-extension.js to reduce supply-chain surface.

Separate PR

No separate fix PR was drafted because this review did not identify a confirmed blocking issue in this update.

Sent by Cursor Automation: Review dependabot
