Build(deps-dev): Bump @types/node from 25.9.3 to 26.0.0 in /webui

[dependabot]

Bumps @types/node from 25.9.3 to 26.0.0.

Commits

• See full diff in compare view

[cursor]

Bug Scan Summary

Date: 2026-06-22
Commits inspected: 2ae9757e..b75b2eeb (1 commit — @types/node 25.9.3 → 26.0.0)
Result: No critical bugs found.

Investigation:

• Diff is limited to webui/package.json and webui/package-lock.json; only @types/node version changed (lockfile churn is field reordering, no other package bumps).
• @types/node is a devDependency (compile-time type definitions only); it is not bundled into the production WebUI and cannot affect runtime Python backend behavior.
• webui/src has no direct node: imports; the bump only affects TypeScript checking during build.
• Verified on this branch: npm ci, npm run lint (0 errors), and npm run build (tsc -b + Vite) all succeed.

Deduplication check:

• Open PRs searched (@types/node, types/node-26): only this PR (#473).
• Recently merged PRs searched (@types/node, last 14 days): none beyond routine patch bumps already on master.
• Open issues searched (@types/node): none.

Notes: Pre-existing issues tracked from prior scans (import-scan bug in draft PR #468; multi-Arr queue EntryId uniqueness) are unrelated to this dependency bump and were not re-opened here.

  

_{Sent by Cursor Automation: qBitrr - Find critical bugs}

[cursor]

MERGE_AFTER_REWORK: dependency-only dev type update looks low application-risk, but the branch is currently CONFLICTING/DIRTY against master and CI is not clean.

Master gaps addressed / remaining:

• Addressed: no qBitrr/arss.py or application logic changes; multi-qBittorrent delete/pause/resume/placeholder checklist is not applicable.
• Remaining: rebase or regenerate against current master to resolve the conflict, then require green checks before merge.
• Auto-merge eligibility: not currently eligible. This is a Dependabot dependency-only PR, but it is semver-major (@types/node 25.9.3 -> 26.0.0), has no auto-merge request, is conflicting, and has failing/pending checks.

CI summary:

• enable-automerge: pass.
• pre-commit.ci - pr: error/fail, reported as error during mergeable check.
• CodeQL: skipped/neutral.
• Cursor automation checks: pending at review time.

Duplicate check: no duplicate open PR for the same @types/node /webui bump found. Related open Dependabot PRs are for other packages.

Rubric:

• Correctness: Pass. PR-only structural lockfile changes are limited to @types/node and its undici-types dependency.
• Completeness: Pass for the dependency bump itself.
• Concurrency: N/A; no multiprocess Arr worker, SQLite queue model, or qBittorrent client-routing code touched.
• Tests: N/A / not demonstrated by this diff; rely on WebUI install/type/lint CI once conflict is resolved.
• CI hygiene: Fail until merge conflict and pre-commit.ci error are resolved and pending checks complete.
• Diff hygiene: Partial. No app logic changes, but raw package-lock.json churn is large relative to the semantic dependency change.

  

_{Sent by Cursor Automation: qBitrr PR validation triage}

[cursor]

PR Review (Cursor Automation)

Verdict: MERGE_AFTER_REWORK
Rationale: The @types/node bump itself is low-risk, but this PR currently has unrelated Mantine range changes and failing JSON formatting checks.

Master Gaps

• Addressed by this PR: Updates WebUI dev dependency @types/node from 25.9.3 to 26.0.0, with undici-types updated via the lockfile.
• Remaining / not addressed: Restore the unrelated @mantine/* ranges to the master values and commit the pretty-format-json output for webui/package-lock.json so CI is green.

Rubric

Gate	Score	Notes
Correctness	Fail	No application logic changed, but webui/package.json also lowers @mantine/core, @mantine/dates, and @mantine/hooks ranges from ^9.3.2 to ^9.3.0, which is unrelated to the Node types bump.
Completeness	Fail	The dependency bump is present, but the lockfile has not been committed in the repository's expected JSON formatting.
Concurrency	N/A	No qBitrr/arss.py, Peewee/SQLite, qBittorrent delete ordering, or multiprocess Arr worker code touched.
Tests	N/A	No manual/live validation was described; for this dependency-only WebUI dev type bump, the relevant validation is WebUI build/type CI, which is still pending.
CI hygiene	Fail	pre-commit and pre-commit.ci - pr are failing because pretty-format-json modifies webui/package-lock.json. CodeQL checks pass; package/Docker build checks are still pending.
Diff hygiene	Fail	Diff is small, but includes unrelated Mantine runtime dependency range changes and an unformatted package lock. No temporary markdown files detected in the PR diff.

CI Summary

Fail: pre-commit and pre-commit.ci - pr fail on pretty-format-json for webui/package-lock.json. Analyze (actions), Analyze (javascript-typescript), Analyze (python), and CodeQL pass. PR package/Docker build checks are still pending. enable-automerge is skipped, so this is not currently auto-merge eligible.

Duplicate Check

None.

Notes

This is a dependency-only PR and does not require the arss.py multi-instance checklist. Rework should be limited to regenerating/formatting webui/package-lock.json in the repo's expected format and removing the unrelated @mantine/* range changes unless they are intentionally part of a separate dependency update.

  

_{Sent by Cursor Automation: qBitrr PR validation triage}