Closed as not planned
Labels
automation, dependencies (Pull requests that update a dependency file)
Description
Context
This issue tracks one Dependabot PR bundle discovered by the Security Alert Burndown campaign.
Bundle
- Runtime: Node.js
- Manifest: /actions/setup/js/package.json
Bundling Rules
- Group work by runtime. Never mix runtimes.
- Group changes by target dependency file (one manifest + its lockfile).
- Patch/minor updates may be bundled; major updates should be isolated unless tightly coupled.
- Bundled releases must include a research report (packages, versions, breaking changes, migration, risk, tests).
PRs in Bundle
- Bump @vitest/coverage-v8 from 4.0.17 to 4.0.18 in /actions/setup/js #12017 (4.0.17 → 4.0.18)
- Bump @types/node from 25.0.9 to 25.0.10 in /actions/setup/js #12016 (25.0.9 → 25.0.10)
- Bump prettier from 3.8.0 to 3.8.1 in /actions/setup/js #12014 (3.8.0 → 3.8.1)
- Bump @actions/github from 7.0.0 to 8.0.0 in /actions/setup/js #12012 (7.0.0 → 8.0.0)
- Bump @vitest/ui from 4.0.17 to 4.0.18 in /actions/setup/js #12011 (4.0.17 → 4.0.18)
Agent Task
- Research each update for breaking changes and summarize risks.
- Create a single bundled PR (one runtime + one manifest) with title prefix "[dependabot-burndown]".
- Ensure CI passes; run relevant runtime tests.
- Add the research report to the bundled PR.
- Update this issue checklist as PRs are merged.
AI generated by Dependabot Burner Campaign
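The bundling rules above, applied to the five PRs listed in this issue, as an added example (not code from the campaign or the repository). `parseVersion`, `classifyBump` and `planBundles` are hypothetical names, and treating every 0.x bump as major is an assumption made here. Under these rules the `@actions/github` 7.0.0 → 8.0.0 update is a major bump and lands in the isolated set.

```javascript
// Constructed input: the five bumps listed in this issue (one runtime, one manifest).
const MANIFEST = "/actions/setup/js/package.json";
const bumps = [
  ["@vitest/coverage-v8", "4.0.17", "4.0.18", 12017],
  ["@types/node", "25.0.9", "25.0.10", 12016],
  ["prettier", "3.8.0", "3.8.1", 12014],
  ["@actions/github", "7.0.0", "8.0.0", 12012],
  ["@vitest/ui", "4.0.17", "4.0.18", 12011],
].map(([pkg, from, to, pr]) => ({ runtime: "Node.js", manifest: MANIFEST, pkg, from, to, pr }));

// Parse strict MAJOR.MINOR.PATCH. Anything else is rejected so a malformed
// version string is never silently classified as a low-risk bump.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Classify a bump by the first component that differs. The comparison is
// numeric: 25.0.9 -> 25.0.10 is a patch upgrade, not a downgrade.
function classifyBump(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  const i = a.findIndex((n, k) => n !== b[k]);
  if (i === -1) return "none";
  if (b[i] < a[i]) return "downgrade";
  // Assumption: any 0.x bump may be breaking, so treat it as major.
  if (a[0] === 0) return "major";
  return ["major", "minor", "patch"][i];
}

// Hypothetical planner: one plan per (runtime, manifest) pair, never mixed.
// Patch/minor go into the shared bundle; major and downgrades are isolated.
function planBundles(list) {
  const plans = new Map();
  for (const b of list) {
    const kind = classifyBump(b.from, b.to);
    if (kind === "none") continue;
    const key = `${b.runtime}\u0000${b.manifest}`;
    if (!plans.has(key)) plans.set(key, { runtime: b.runtime, manifest: b.manifest, bundled: [], isolated: [] });
    const plan = plans.get(key);
    const bucket = kind === "patch" || kind === "minor" ? plan.bundled : plan.isolated;
    bucket.push({ ...b, kind });
  }
  return [...plans.values()];
}

console.log(JSON.stringify(planBundles(bumps), null, 2));
```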