chore: clear Dependabot alerts + drop redundant type assertions#1444
Merged
Conversation
Bumps transitive devDeps to pull in patched versions: - fast-uri 3.1.0 -> 3.1.2 (high: host confusion + path traversal) - postcss 8.5.8 -> 8.5.14 (medium: XSS via unescaped </style>) Also pulls in routine bumps for vitest 4.1.4 -> 4.1.5, eslint-related plugins, turbo, lefthook. All devDeps, no melonjs runtime impact. Closes Dependabot alerts #156, #157, #158. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…slint 8.59 The typescript-eslint bump tightens no-unnecessary-type-assertion. Six assertions were always redundant — the target signature already accepts the source type. Pure cleanup, no runtime impact. - application.ts: drop (cameras as unknown as Map<string, Camera2d>) cast - pointerevent.ts: drop `as EventListener` on already-typed handlers - color.ts: drop `as ColorName` / `as Color` on direct string/Color args Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the monorepo lockfile to pull in patched transitive dependencies (clearing Dependabot alerts) and removes a handful of redundant TypeScript type assertions that are now flagged by typescript-eslint’s no-unnecessary-type-assertion rule.
Changes:
- Refreshed
pnpm-lock.yamlto pick up patched transitive dependencies (notablyfast-uri@3.1.2andpostcss@8.5.14). - Removed redundant type assertions in
Application, pointer event registration, andColorparsing/cloning paths.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pnpm-lock.yaml | Updates resolved transitive versions to include security patches and minor toolchain bumps. |
| packages/melonjs/src/math/color.ts | Drops unnecessary casts when passing strings to parseCSS() and when cloning via colorPool. |
| packages/melonjs/src/input/pointerevent.ts | Removes redundant EventListener assertions when registering move listeners (direct and throttled). |
| packages/melonjs/src/application/application.ts | Removes an unnecessary cast of current.cameras and uses the Map API directly. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Addresses Copilot review on #1444: `throttle` was typed as `(fn: () => void) => (...args: []) => void`, which forced an `as unknown as () => void` cast at every non-zero-arg call site (only one in core: the pointer-event throttled handler). Switching to `<T extends unknown[]>(fn: (...args: T) => void)` preserves the wrapped function's signature end-to-end, so callers like `onMoveEvent(e: Event)` can be passed without casts. Also bumps melonjs to 19.4.0 and adds the corresponding CHANGELOG entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pnpm-lock.yamlto pull in patched transitive devDeps — clears Dependabot alerts added in animation speed #156, add support for Web Audio API #157, Problem with me.loader.load #158.no-unnecessary-type-assertion).Dependabot fixes
Both are transitive (via
serve/vite+vitest), no manifest changes required.Lint cleanup
Locations touched (all auto-fixed by
eslint --fix):application.ts:415— drop(cameras as unknown as Map<…>)castpointerevent.ts:194,204— dropas EventListeneron already-typed handlerscolor.ts:223,413,423— dropas ColorName/as Coloron direct argsPure cleanup. No runtime impact.
Test plan
pnpm -F melonjs buildclean (0 errors, 115 pre-existing warnings)🤖 Generated with Claude Code