
chore(deps): update dependency jsdom to v29 #642


---
name: CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# One in-flight run per workflow + ref: a newer run on the same ref
# cancels the older one that is still executing.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# OpenSSF Scorecard "Token-Permissions": the workflow-level token grants
# no scope at all (`{}` is stricter than `read-all`), so every job below
# has to declare the smallest set of scopes it needs — read access included.
permissions: {}

jobs:
  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      # pnpm/action-setup must run before setup-node so that `cache: pnpm`
      # finds a pnpm binary to resolve the store path with.
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .nvmrc
          cache: pnpm
      # `--ignore-scripts` skips package lifecycle scripts at install time, so
      # third-party packages get no code execution on the runner during install.
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm lint
      - run: pnpm format:check

  typecheck:
    name: Typecheck
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .nvmrc
          cache: pnpm
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm --filter tailwindcss-obfuscator typecheck

  test:
    name: Test (Node ${{ matrix.node }})
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
    strategy:
      # Let every OS / Node combination finish so a single failing cell does
      # not hide results for the others.
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
          - macos-latest
          - windows-latest
        node:
          - 20
          - 22
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          # The matrix value, not .nvmrc, picks the Node line under test here.
          node-version: ${{ matrix.node }}
          cache: pnpm
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm --filter tailwindcss-obfuscator build
      - run: pnpm --filter tailwindcss-obfuscator test

  build:
    name: Build Package
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .nvmrc
          cache: pnpm
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm --filter tailwindcss-obfuscator build
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: dist
          path: packages/tailwindcss-obfuscator/dist
          retention-days: 7

  dependency-review:
    # Runs on pull requests only. Compares pnpm-lock.yaml with the merge
    # base and rejects any PR that brings in a NEW dependency carrying a
    # known advisory of moderate severity or higher. This complements the
    # `audit` job below: `audit` checks the fully resolved tree at any point
    # in time, whereas this job only looks at the diff, which makes it much
    # faster and more targeted (it catches the introduction rather than the
    # steady state).
    #
    # OSSF Scorecard counts dependency review as a top-tier supply-chain
    # control. Cost: roughly 5 seconds per PR.
    name: Dependency review (PR-only)
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Write access is needed only so the action can post its summary
      # comment on the PR (see `comment-summary-in-pr` below).
      pull-requests: write
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4.3.4
        with:
          fail-on-severity: moderate
          # Permit the same MIT/Apache/BSD-style permissive licenses the
          # project already ships under; anything from the GPL family is
          # rejected, transitively included (it would force the whole
          # package under GPL when republished).
          allow-licenses: >-
            MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, Unlicense,
            CC0-1.0, CC-BY-4.0, BlueOak-1.0.0, Python-2.0
          comment-summary-in-pr: on-failure

  tests-existence:
    # Release-safety v2 (2026-04-30): enforces the "every feature ships with
    # tests" rule. CI fails when a source file under
    # packages/tailwindcss-obfuscator/src/** has no test referencing it and
    # is not on the explicit allowlist with a justification.
    # The full heuristic lives in scripts/check-tests-coverage.mjs.
    name: Tests-existence gate
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      # No pnpm setup or install here: the check is a plain Node script.
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .nvmrc
      - name: Verify every src file is referenced by at least one test
        run: node scripts/check-tests-coverage.mjs

  audit:
    # Belt-and-suspenders gate. Renovate already opens PRs for vulnerable
    # transitive dependencies and `pnpm.overrides` patches them on the spot,
    # but a blocking CI check is wanted as well, so that no PR which would
    # re-introduce a high/critical advisory can land. The threshold mirrors
    # the project security rule in CLAUDE.md ("Never ship a PR that increases
    # the audit count").
    name: Dependency audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .nvmrc
          cache: pnpm
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - name: pnpm audit (high+critical fail the build)
        run: pnpm audit --audit-level=high

  tarball-smoke:
    # 2026 release-safety guarantee #1: pack the package exactly as it would
    # be uploaded to npm, install it into a fresh `node_modules`, and check
    # that EVERY entry of `package.json#exports` (./vite, ./webpack,
    # ./rollup, ./esbuild, ./rspack, ./farm, ./nuxt, ./internals, ./cli,
    # root) resolves cleanly through both ESM (import) and CJS (require).
    # It also runs the published CLI binary `tw-obfuscator --version` to
    # confirm the bin entry is wired up.
    #
    # Catches missing dist/ files, exports-map drift, a broken bin path and
    # dual-package-hazard regressions — bugs that would otherwise only show
    # up at first install on a downstream consumer's machine.
    name: Tarball smoke test (every exports entry, ESM + CJS)
    runs-on: ubuntu-latest
    needs:
      - build
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .nvmrc
          cache: pnpm
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - name: Run tarball smoke test
        run: bash .github/scripts/test-tarball.sh

  coverage:
    # Coverage reporting (release-safety nice-to-have): runs the unit tests
    # under v8 coverage instrumentation and uploads lcov.info to Codecov.
    # This is NOT a blocking gate — no minimum-coverage threshold is
    # enforced here, because the repo deliberately leaves plugin adapters and
    # the CLI bin out of the numerator (those are exercised by
    # verify-obfuscation.mjs and the tarball smoke tests, not by unit
    # tests). The figure is purely informational and shows up as a Codecov
    # badge in the README.
    name: Coverage report
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: .nvmrc
          cache: pnpm
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - name: Run vitest with v8 coverage
        run: pnpm --filter tailwindcss-obfuscator exec vitest run --coverage
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: packages/tailwindcss-obfuscator/coverage/lcov.info
          flags: unittests
          name: tailwindcss-obfuscator
          # Upload problems must not fail an otherwise green run; the
          # report is informational only.
          fail_ci_if_error: false
        env:
          # Public-repo upload to Codecov: the token is optional for OSS
          # repos but is required to silence rate-limit warnings on busy
          # days. Note the secret is scoped to this one step, not the job.
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}