Skip to content

Remove vendored ICU locale core and update dependencies#64568

Closed
piyyy314 wants to merge 75 commits into
nodejs:mainfrom
piyyy314:main
Closed

Remove vendored ICU locale core and update dependencies#64568
piyyy314 wants to merge 75 commits into
nodejs:mainfrom
piyyy314:main

Conversation

@piyyy314

Copy link
Copy Markdown

No description provided.

piyyy314 and others added 30 commits November 22, 2025 21:27
Delete the vendored icu_locale_core source files under deps/crates/vendor/icu_locale_core (extensions, parser, subtags, helpers, serde, etc.). Also update deps/undici/src/package-lock.json. This cleans up the repository by removing the bundled ICU4X locale core implementation; package-lock.json was modified as part of dependency updates.

Co-Authored-By: Copilot <198982749+Copilot@users.noreply.github.com>
Signed-off-by: Mohamad <Pitty313@proton.me>
Co-Authored-By: Copilot <198982749+Copilot@users.noreply.github.com>
Signed-off-by: Mohamad <Pitty313@proton.me>
…-pr workflow

Agent-Logs-Url: https://github.com/piyyy314/node/sessions/740ddfc9-e12f-462f-b678-05bba5e0c683

Co-authored-by: piyyy314 <192450738+piyyy314@users.noreply.github.com>
…112100354

[WIP] Fix failing GitHub Actions job 74112100354 due to missing repo-token
…logic

fix: add missing icu_locale_core src files to vendor tree
… src/ files

Agent-Logs-Url: https://github.com/piyyy314/node/sessions/2765e39c-b30e-4ec3-9cc3-c25f06df8b2a

Co-authored-by: piyyy314 <192450738+piyyy314@users.noreply.github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ation

Updating workflow configuration for GitHub actions
Bumps [cachix/cachix-action](https://github.com/cachix/cachix-action) from 1eb2ef646ac0255473d23a5907ad7b04ce94065c to 5f2d7c5294214f71b873db4b969586b980625e71.
- [Release notes](https://github.com/cachix/cachix-action/releases)
- [Changelog](https://github.com/cachix/cachix-action/blob/master/RELEASE.md)
- [Commits](cachix/cachix-action@1eb2ef6...5f2d7c5)

---
updated-dependencies:
- dependency-name: cachix/cachix-action
  dependency-version: 5f2d7c5294214f71b873db4b969586b980625e71
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 31.10.5 to 31.10.6.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Changelog](https://github.com/cachix/install-nix-action/blob/master/RELEASE.md)
- [Commits](cachix/install-nix-action@ab73962...8aa0397)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-version: 31.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.0 to 2.19.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@8d3c67d...ab7a940)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.3 to 4.35.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@e46ed2c...9e0d7b8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…/cachix-action-5f2d7c5294214f71b873db4b969586b980625e71

meta: bump cachix/cachix-action from 1eb2ef646ac0255473d23a5907ad7b04ce94065c to 5f2d7c5294214f71b873db4b969586b980625e71
…/install-nix-action-31.10.6

meta: bump cachix/install-nix-action from 31.10.5 to 31.10.6
…ecurity/harden-runner-2.19.3

meta: bump step-security/harden-runner from 2.19.0 to 2.19.3
dependabot Bot and others added 21 commits June 17, 2026 11:12
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Fix security vulnerabilities by bumping brace-expansion to 5.0.6
and js-yaml to 4.2.0.
…vulnerabilities

tools: fix moderate severity vulnerabilities in brace-expansion and js-yaml
…encies

Merge PR #32: workflow fixes and Dependabot dependency bumps
…-issues

Harden CodeQL workflow runner and expand scan coverage
Bumps [piscina](https://github.com/piscinajs/piscina) from 5.1.4 to 5.2.0.
- [Release notes](https://github.com/piscinajs/piscina/releases)
- [Changelog](https://github.com/piscinajs/piscina/blob/v5.2.0/CHANGELOG.md)
- [Commits](piscinajs/piscina@v5.1.4...v5.2.0)

---
updated-dependencies:
- dependency-name: piscina
  dependency-version: 5.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the doc group in /tools/doc with 1 update: [@node-core/doc-kit](https://github.com/nodejs/doc-kit).


Updates `@node-core/doc-kit` from 1.3.6 to 1.3.10
- [Commits](https://github.com/nodejs/doc-kit/commits)

---
updated-dependencies:
- dependency-name: "@node-core/doc-kit"
  dependency-version: 1.3.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: doc
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [undici](https://github.com/nodejs/undici) from 6.24.1 to 6.27.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.1...v6.27.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…c/piscina-5.2.0

tools: bump piscina from 5.1.4 to 5.2.0 in /tools/doc
…c/doc-f07adab6b4

tools: bump @node-core/doc-kit from 1.3.6 to 1.3.10 in /tools/doc in the doc group
…c/undici-6.27.0

tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc
Copilot AI review requested due to automatic review settings July 18, 2026 00:46
@piyyy314
piyyy314 requested a review from a team as a code owner July 18, 2026 00:46
@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/actions
  • @nodejs/releasers
  • @nodejs/security-wg
  • @nodejs/v8-update

@nodejs-github-bot nodejs-github-bot added the meta Issues and PRs related to the general management of the project. label Jul 18, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR primarily updates tooling dependencies and refreshes multiple GitHub Actions workflow pins/configuration, with additional CI guardrails around tarball contents. It also introduces several repository-root shell scripts that automate merging PRs across unrelated repositories, which does not align with the PR title/purpose.

Changes:

  • Bump Node.js repo tooling dependencies (ESLint toolchain, doc-kit, js-yaml) and update corresponding lockfiles.
  • Update pinned GitHub Actions revisions across many workflows; tweak a few workflows’ behavior (commit-lint selection logic, PR labeling permissions/runner).
  • Add a build-tarball CI step to verify Rust vendoring presence in produced tarballs; add new merge-*.sh scripts for bulk PR management.

Reviewed changes

Copilot reviewed 36 out of 40 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
tools/lint-md/package-lock.json Updates js-yaml dependency resolution details.
tools/eslint/package.json Bumps ESLint/Babel/related dependencies for repo lint tooling.
tools/eslint/package-lock.json Lockfile updates for the ESLint tooling dependency bumps.
tools/doc/package.json Updates @node-core/doc-kit version used by docs tooling.
merge-prs.sh Adds a repo-root script to merge PRs across external repos (unrelated to Node.js).
merge-all-prs.sh Adds a bulk merge/close automation script for many external repos (unrelated to Node.js).
merge-all-features.sh Adds a bulk merge/close automation script for many external repos (unrelated to Node.js).
deps/v8/test/mjsunit/regress/regress-3039.js Removes a stray no-op semicolon from a V8 regression test.
.github/workflows/update-wpt.yml Updates pinned actions/checkout revision.
.github/workflows/update-v8.yml Updates pinned actions/checkout and actions/cache revisions.
.github/workflows/update-openssl.yml Updates pinned actions/checkout revision.
.github/workflows/tools.yml Updates pinned actions/checkout and cachix/install-nix-action revisions.
.github/workflows/timezone-update.yml Updates pinned actions/checkout revisions.
.github/workflows/test-shared.yml Updates pinned actions/checkout, cachix/* action revisions.
.github/workflows/test-macos.yml Updates pinned actions/checkout revision.
.github/workflows/test-linux.yml Updates pinned actions/checkout revision.
.github/workflows/test-internet.yml Updates pinned actions/checkout revision.
.github/workflows/stale.yml Updates pinned actions/stale revision.
.github/workflows/scorecard.yml Updates pinned harden-runner/checkout/codeql upload revisions.
.github/workflows/linters.yml Updates pinned actions/checkout revision.
.github/workflows/lint-release-proposal.yml Updates pinned actions/checkout revision.
.github/workflows/license-builder.yml Updates pinned actions/checkout revision.
.github/workflows/label-pr.yml Adjusts permissions/runner/token usage for PR labeling workflow.
.github/workflows/find-inactive-tsc.yml Updates pinned actions/checkout revisions.
.github/workflows/find-inactive-collaborators.yml Updates pinned actions/checkout revision.
.github/workflows/doc.yml Updates pinned actions/checkout revision.
.github/workflows/daily.yml Updates pinned actions/checkout revision.
.github/workflows/daily-wpt-fyi.yml Updates pinned actions/checkout revisions.
.github/workflows/create-release-proposal.yml Updates pinned actions/checkout revision.
.github/workflows/coverage-windows.yml Adds Rust version pin; updates pinned checkout/codecov action revisions.
.github/workflows/coverage-linux.yml Updates pinned checkout/codecov action revisions.
.github/workflows/coverage-linux-without-intl.yml Updates pinned checkout/codecov action revisions.
.github/workflows/commit-queue.yml Updates pinned actions/checkout revision.
.github/workflows/commit-lint.yml Updates pinned checkout; changes commit selection logic for validation.
.github/workflows/codeql.yml Switches runner; updates pinned checkout/codeql action revisions.
.github/workflows/close-stalled.yml Updates pinned actions/stale revision.
.github/workflows/build-tarball.yml Updates pinned checkout; adds tarball validation for vendored Rust crates.
.github/codeql-config.yml Configures additional CodeQL query suites and keeps ignored paths.
Files not reviewed (2)
  • tools/eslint/package-lock.json: Generated file
  • tools/lint-md/package-lock.json: Generated file
Comments suppressed due to low confidence (1)

.github/workflows/coverage-windows.yml:77

  • The workflow now pins RUSTC_VERSION, but the Rust setup step only runs rustup override set without ensuring that the requested toolchain is installed on the runner. This makes the job dependent on what the windows-2025 image happens to include and can start failing when the preinstalled toolchains change.
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/commit-lint.yml Outdated
Comment thread .github/workflows/build-tarball.yml
Comment thread merge-prs.sh
Comment thread merge-all-prs.sh
Comment thread merge-all-features.sh
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@piyyy314

Copy link
Copy Markdown
Author

@copilot Fix the code for all comments in this review thread.

When a review comment includes a suggested change, apply the suggestion exactly.

Do not make changes beyond what is described in the linked review thread.

@avivkeller avivkeller closed this Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

meta Issues and PRs related to the general management of the project.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants