
deps: Upgrade @actions/core,@actions/tool-cache,undici,lefthook & semver #205

Merged: hustcer merged 6 commits into main from develop, Feb 6, 2026

@hustcer (Owner) commented Feb 6, 2026

deps: Upgrade @actions/core,@actions/tool-cache,undici,lefthook & semver

Summary by CodeRabbit

  • Chores
    • Updated core dependencies to latest versions for improved compatibility and performance.
    • Updated development dependencies including TypeScript tooling.
    • Enhanced build configuration to optimize module handling during the build process.


coderabbitai bot commented Feb 6, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

This PR transitions the project to ES modules by adding "type": "module" to package.json, updating TypeScript compiler options to ES2022 and NodeNext, adding explicit .js extensions to module imports, renaming CommonJS output files to .cjs, and updating dependencies including @actions/core to ^3.0.0 and @actions/tool-cache to ^4.0.0.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Module System Configuration: Justfile, package.json, tsconfig.json | Migrates to ES modules: adds "type": "module" to package.json, updates TypeScript target to ES2022 and module system to NodeNext, enhances build script to rename CommonJS output to .cjs. Updates dependencies including @actions/core to ^3.0.0 and @actions/tool-cache to ^4.0.0; bumps devDependencies (@biomejs/biome, @types/node, cspell, lefthook, semver). |
| Source Code: src/index.ts, src/setup.ts | Adds explicit .js extensions to ES module imports (setup.js, plugins.js); applies minor formatting cleanup to glob pattern in setup.ts. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • #185: Overlapping updates to devDependencies (@biomejs/biome, @types/node, lefthook) in package.json.
  • #193: Similar devDependency upgrades (@biomejs/biome, lefthook, cspell) in package.json.
  • #148: Concurrent package.json dependency bumps for cspell, lefthook, semver, and @types/node.

Poem

🐰 A migration hops in sight,
From CommonJS to modules bright,
With ES2022's modern glow,
NodeNext paths help code flow,
Explicit imports, .cjs in place—
ESM makes our project trace! 🌟



github-actions bot commented Feb 6, 2026

Code Analysis

  • ES Specification Compliance: The codebase is transitioning from CommonJS to ES modules ("type": "module" in package.json, "module": "NodeNext" in tsconfig). This is a positive modernization step aligning with current JavaScript standards.
  • Module Resolution: Updated to "moduleResolution": "NodeNext" which properly supports ES module imports with file extensions (.js imports in TypeScript source files).
  • Build Process: The build script now includes post-processing to rename exec-child.js to exec-child.cjs and update references in the bundled output. This handles the CommonJS/ESM compatibility issue.
  • Dependency Updates: Multiple dependencies have been updated to newer versions, including critical security-related packages like @actions/core and @actions/tool-cache.

Security Review

  • Third-party Dependencies: The updates to @actions/core (^2.0.2 → ^3.0.0) and @actions/tool-cache (^3.0.0 → ^4.0.0) include security patches and improvements. However, there's no evidence of security audit in the changes.
  • Build Script Security: The build script uses node -e with string replacement which is generally safe but could be vulnerable to injection if the file content were malicious. Consider using a dedicated script file for better maintainability.
  • Path Handling: The path normalization in setup.ts (line 316) properly handles Windows paths, reducing potential path traversal vulnerabilities.

Optimization Suggestions

  • Bundle Size Management: The use of @vercel/ncc with minification is good for bundle optimization. Consider adding bundle analysis to track size changes.
  • Build Process: The dual implementation (Justfile and package.json scripts) creates maintenance overhead. Consider consolidating build logic to a single source.
  • TypeScript Configuration: The upgrade to "target": "ES2022" enables modern JavaScript features but ensure Node.js runtime compatibility for the GitHub Actions environment.

Overall Quality: 4

The changes demonstrate good modernization practices with proper ES module migration and dependency updates. The main improvement needed is consolidating the build logic and adding explicit security validation for the updated dependencies.
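
The post-processing step discussed in the review above, written as a dedicated script rather than a `node -e` one-liner. This is an added example, not the project's build code: the script name `scripts/postbuild.cjs`, the `dist/index.js` layout and the sample bundle line are assumptions; only the names `exec-child.js` and `exec-child.cjs` come from the thread.

```javascript
// Added example: a post-build step kept in its own file (hypothetical name
// scripts/postbuild.cjs). The names exec-child.js / exec-child.cjs come from the
// review comment; the dist/index.js layout is an assumption.
const OLD_NAME = 'exec-child.js';
const NEW_NAME = 'exec-child.cjs';

// Constructed sample of bundled output, used when no dist directory is given.
const SAMPLE_BUNDLE =
  'const child = fork(join(__dirname, "exec-child.js")); // exec-child_js is unrelated';

// Replace every literal occurrence of `from` with `to`.
// split/join treats both strings as plain text: the '.' in the file name is not
// a regex wildcard, and '$&' or '$1' in the replacement is not expanded.
function rewriteReferences(bundle, from = OLD_NAME, to = NEW_NAME) {
  const parts = bundle.split(from);
  const count = parts.length - 1;
  if (count === 0) {
    // Already rewritten: succeed without changes so a rebuild is idempotent.
    if (bundle.includes(to)) return { text: bundle, count: 0 };
    throw new Error(`no reference to ${from} in bundle; refusing to continue`);
  }
  return { text: parts.join(to), count };
}

// CLI path: rename the file first, then write the patched bundle, so a missing
// exec-child.js aborts before the bundle is modified.
function main(distDir) {
  const fs = require('node:fs'); // loaded here so the helper above has no I/O
  const path = require('node:path');
  const bundlePath = path.join(distDir, 'index.js');
  const { text, count } = rewriteReferences(fs.readFileSync(bundlePath, 'utf8'));
  if (count > 0) {
    fs.renameSync(path.join(distDir, OLD_NAME), path.join(distDir, NEW_NAME));
    fs.writeFileSync(bundlePath, text);
  }
  return count;
}

if (process.argv[2]) {
  console.log(`rewrote ${main(process.argv[2])} reference(s)`);
} else {
  console.log(rewriteReferences(SAMPLE_BUNDLE)); // demo on the constructed sample
}
```

Because the script throws when no reference is found, a change in the bundler's output fails the build instead of silently shipping a bundle that points at a file that no longer exists.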

@hustcer hustcer merged commit 26a0b4c into main Feb 6, 2026
117 of 118 checks passed
@github-actions github-actions bot added this to the v3.23 milestone Feb 6, 2026