Skip to content

build(deps-dev): bump pre-commit from 1.2.2 to 2.0.0#95

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/pre-commit-2.0.0
Closed

build(deps-dev): bump pre-commit from 1.2.2 to 2.0.0#95
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/pre-commit-2.0.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Bumps pre-commit from 1.2.2 to 2.0.0.

Changelog

Sourced from pre-commit's changelog.

2.0.0

  • Breaking: requires Node.js 16.13 or newer. engines.node is now declared as ">=16.13.0" to match the minimum required by which@4.
  • Breaking: cross-spawn upgraded ^5^7.0.5, fixing the ReDoS vulnerability (GHSA-3xgq-45jj-v275). cross-spawn's spawnSync now returns status/signal/error instead of code; index.js was updated to match.
  • Breaking: which upgraded 1.2.x^4. The spawn-sync runtime dependency is dropped in favor of cross-spawn's built-in spawnSync.
  • Breaking: the generated .git/hooks/pre-commit wrapper is rewritten. It is now a small bash script that execs the package's hook file via an absolute path (single-line invocation instead of multi-line inline bash). Anyone parsing the wrapper file will need to adjust.
  • Breaking: hook file mode tightened from 0777 to 0755 (CIS 6.1.10).
  • Breaking: submodule installs now write to <super>/.git/modules/<sub>/hooks/pre-commit. The previous behavior silently walked up to the super-project's .git directory and installed there because the gitdir-parsing branch was unreachable. Linked worktrees (whose .git is also a file) are handled correctly too.
  • The hook now unsets GIT_LITERAL_PATHSPECS, so commits triggered from emacs/magit behave the same as on the command line (magit FAQ).
  • The hook now cds to the git root before resolving pre-commit via require.resolve, so Yarn Plug'n'Play and GUI git clients that invoke hooks with an unexpected cwd resolve dependencies correctly.
  • The hook is resilient to a missing pre-commit package: switching to a branch without node_modules (or removing the package) no longer blocks commits — it exits 0 with a warning instead of throwing a Node module-not-found stack trace.
  • Fixed handling of null close codes and signal-terminated scripts; the hook no longer treats a signal kill as success.
  • Hardened install.js gitdir parsing against missing matches and bad input; gitdir: paths are resolved relative to the directory containing the .git file (was incorrectly resolved against the package root).
  • install.js: typo fix ("backuped""backed up").
  • Dev tooling refresh: mocha 3 → 10, assume 1 → 2, dropped istanbul for nyc.

1.0.2

  • Check /usr/local/bin/node if we cannot find the binaries in the PATH.

1.0.1

  • Corrected the hook file so it doesn't attempt to run your index.js but ours instead.

1.0

  • Create symlinks instead of a copying the hook file so we can depend on modules.
  • More readable output messages.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps-dev): bump pre-commit from 1.2.2 to 2.0.0
aae1e07 
Bumps [pre-commit](https://github.com/observing/pre-commit) from 1.2.2 to 2.0.0.
- [Release notes](https://github.com/observing/pre-commit/releases)
- [Changelog](https://github.com/observing/pre-commit/blob/master/CHANGELOG.md)
- [Commits](https://github.com/observing/pre-commit/commits)

---
updated-dependencies:
- dependency-name: pre-commit
  dependency-version: 2.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update an action file major Pull requests with breakable changes labels May 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 6, 2026 07:16
@dependabot dependabot Bot requested review from Ninerian and PujaSingh7655 May 6, 2026 07:16
@dependabot dependabot Bot added dependencies Pull requests that update an action file major Pull requests with breakable changes labels May 6, 2026
@maximizeIT maximizeIT mentioned this pull request May 12, 2026
Merged
@maximizeIT
Copy link
Copy Markdown
Contributor

maximizeIT commented May 12, 2026

Closed in favor of combined PR #97 which includes all open dependabot updates together.

@maximizeIT maximizeIT closed this May 12, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 12, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/pre-commit-2.0.0 branch May 12, 2026 18:08
maximizeIT added a commit that referenced this pull request May 13, 2026
@maximizeIT
Merge pull request #97 from Staffbase/chore/combine-dependabot-prs
cdb9673 
chore(deps+tests): combine dependabot PRs (#89,#90,#93,#94,#95,#96) + improve coverage to 99.4%
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ninerian Ninerian Awaiting requested review from Ninerian Ninerian is a code owner automatically assigned from Staffbase/need-for-speed-devs

@PujaSingh7655 PujaSingh7655 Awaiting requested review from PujaSingh7655 PujaSingh7655 is a code owner automatically assigned from Staffbase/need-for-speed-devs

Assignees

No one assigned

Labels

dependencies Pull requests that update an action file major Pull requests with breakable changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@maximizeIT