build(deps): update development dependencies and tooling #1259

Closed
repowarden-app[bot] wants to merge 1 commit into master from repowarden/deps-1775797289533

@repowarden-app repowarden-app Bot commented Apr 10, 2026

Summary

This PR updates 8 development dependencies including build tools, testing libraries, type definitions, and the Plyr peer dependency. Notable updates include TypeScript 5.0.4 → 5.9.3, @swc/core 1.3.42 → 1.15.30, and plyr 3.7.7 → 3.8.4.

Updates

Build & Tooling

  • @swc/core: 1.3.42 → 1.15.30 (minor)
  • @swc/jest: 0.2.24 → 0.2.39 (patch)
  • tsdown: 0.2.0 → 0.21.9 (minor)
  • typescript: 5.0.4 → 5.9.3 (minor)
  • typescript-eslint: 8.41.0 → 8.58.2 (minor)

Testing & Types

  • @testing-library/jest-dom: 5.16.5 → 5.17.0 (minor)
  • @types/react: 18.0.28 → 18.3.28 (patch)

Dependencies

  • plyr: 3.7.7 → 3.8.4 (minor)

Risk Assessment

Medium Risk 🟡

  • Multiple minor version bumps across build tooling (@swc, tsdown, TypeScript)
  • TypeScript upgrade may require minor type adjustments
  • Plyr update (peer dependency) may affect consuming applications
  • typescript-eslint update may introduce new lint rules
  • As this is a library, changes need validation across all target Node.js versions

Required Actions

  • Review tsconfig.json for compatibility with TypeScript 5.9.3
  • Check if new typescript-eslint rules need configuration adjustments
  • Verify Plyr 3.8.4 compatibility and update peer dependency range in package.json if needed
  • Review release notes for breaking changes:

Testing Recommendations

As this is a library, thorough testing is required:

  • Run full test suite: npm test
  • Verify builds successfully: npm run build
  • Test against all target Node.js LTS versions: 18, 20, 22
  • Lint codebase: npm run lint
  • Type-check passes: npx tsc --noEmit
  • Test in a consuming React application to verify Plyr integration
  • Verify package exports and TypeScript types work for consumers

Related PRs

After merging this PR, the following Dependabot PRs can likely be closed as superseded:

The GitHub Actions updates (#1258, #1257, #1256, #1246, #1232) should be handled separately.


🤖 Generated by RepoWarden

Available Commands

Comment on this PR with any of the following:

  • @repowarden rebase — Rebase this PR onto the base branch
  • @repowarden fix-tests — Analyze CI failures and push a fix
  • @repowarden resolve-comments — Address review feedback and push updates

RepoWarden Checklist

  • Dependencies updated
  • Lock file regenerated
  • CI passing
  • Ready to merge

Security Vulnerabilities Resolved

  • 🟡 brace-expansion: Fix available: yes — severity: moderate
  • 🔴 defu: Fix available: yes — severity: high
  • 🔴 minimatch: Fix available: yes — severity: high
  • 🔴 picomatch: Fix available: yes — severity: high

New Vulnerabilities Introduced

Warning: The following new vulnerabilities were detected after upgrading:

  • brace-expansion: Fix available: yes — severity: moderate
  • minimatch: Fix available: yes — severity: high
  • picomatch: Fix available: yes — severity: high

Remaining vulnerabilities: 17


Supply Chain Safety Report

Skipped (unsafe):

  • @swc/core@1.15.30 (npm)
    • ⚠️ Package has postinstall script(s) that run during installation.
    • ⚠️ Package name "@swc/core" is very similar to popular package "cors" (edit distance: 1). Verify this is the intended package.

Warnings (upgraded with caution):

  • @swc/jest@0.2.39 (npm)
    • ⚠️ Package name "@swc/jest" is very similar to popular package "next" (edit distance: 2). Verify this is the intended package.

Supply chain safety: The following packages were skipped due to safety concerns:

  • @swc/core@1.15.30: Package has postinstall script(s) that run during installation.; Package name "@swc/core" is very similar to popular package "cors" (edit distance: 1). Verify this is the intended package.

@bolt-new-by-stackblitz

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@socket-security

socket-security Bot commented Apr 10, 2026

@repowarden-app Bot changed the title from "build(deps): update TypeScript ecosystem and development dependencies" to "chore(deps): update build tools and React type definitions" on Apr 10, 2026
@repowarden-app Bot force-pushed the repowarden/deps-1775797289533 branch from cd8b5a7 to c76eca7 on April 10, 2026 05:26
Co-Authored-By: RepoWarden <bot@repowarden.dev>
@repowarden-app Bot changed the title from "chore(deps): update build tools and React type definitions" to "build(deps): update development dependencies and tooling" on Apr 20, 2026
@repowarden-app Bot force-pushed the repowarden/deps-1775797289533 branch from c76eca7 to a5c9be5 on April 20, 2026 10:11
@sonarqubecloud

@repowarden-app
Author

This PR has been open for 14 days without being merged, so I'm closing it.

If there was an issue with these changes, please reply with feedback so I can improve!

— RepoWarden

@repowarden-app repowarden-app Bot closed this Apr 24, 2026
@repowarden-app
Author

Thanks for reviewing this PR! Since it was closed without merging, I'd love to understand what went wrong so I can improve.

Please reply to this comment with any feedback — for example:

  • Were the changes incorrect?
  • Was the PR unnecessary?
  • Did it miss something important?

Your feedback helps RepoWarden get better. 🙏

— RepoWarden
