From db47d0a2f8380d82ebc6ec8c454e12947a189c9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Jul 2026 09:09:59 +0200 Subject: [PATCH 1/4] build(deps-dev): bump semver from 7.8.4 to 7.8.5 in the patch-updates group across 1 directory (#355) Bumps the patch-updates group with 1 update in the / directory: [semver](https://github.com/npm/node-semver). Updates `semver` from 7.8.4 to 7.8.5 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.8.4...v7.8.5) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: patch-updates ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 84fbda1a..7dd8939d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -28,7 +28,7 @@ "mocha": "^11.7.6", "nan": "^2.27.0", "nyc": "^18.0.0", - "semver": "^7.8.1", + "semver": "^7.8.5", "sinon": "^22.0.0", "source-map-support": "^0.5.21", "tmp": "0.2.7", @@ -5641,9 +5641,9 @@ "license": "MIT" }, "node_modules/semver": { - "version": "7.8.4", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz", - "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==", + "version": "7.8.5", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.5.tgz", + "integrity": "sha512-Y7/KDsb8LjooZpwaqGyulO6DQlksgCncchHGk+sZIY4SBvUocMBEFH5Ur1fI4dV+Jvl0w6cjvucaIi40puRioA==", "dev": true, "license": "ISC", "bin": { diff --git a/package.json b/package.json index c0f35521..b0183af7 100644 --- a/package.json +++ b/package.json @@ -55,7 +55,7 @@ "mocha": "^11.7.6", "nan": "^2.27.0", "nyc": "^18.0.0", - "semver": "^7.8.1", + "semver": "^7.8.5", "sinon": "^22.0.0", "source-map-support": "^0.5.21", "tmp": "0.2.7", From 865c96cca024e700fbe4ec23465deb2232a6d207 Mon Sep 17 00:00:00 2001 From: Ruben Bridgewater Date: Tue, 7 Jul 2026 19:51:45 +0200 Subject: [PATCH 2/4] fix: opt out of node-gyp on install via gypfile:false (#367) Dropping the no-op install script in #363 stopped Yarn Berry's YN0007 warning, but it let npm's publish-time normalization take over: with binding.gyp present in the dev tree (and excluded from the tarball) and no install/preinstall script, npm synthesizes "gypfile": true and "install": "node-gyp rebuild" into the published manifest. Consumers on npm then run node-gyp rebuild against a binding.gyp that isn't in the package and the install fails, which shipped broken in 5.16.0. Setting "gypfile": false suppresses that implicit hook while keeping the manifest free of lifecycle scripts, so both npm and Yarn Berry install the prebuilt binaries without a build step. The regression test now also pins gypfile:false alongside the no-lifecycle-scripts assertion. Fixes: https://github.com/DataDog/pprof-nodejs/pull/364#pullrequestreview-4638668974 --- package.json | 1 + ts/test/test-no-build-scripts.ts | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index b0183af7..509d4b37 100644 --- a/package.json +++ b/package.json @@ -8,6 +8,7 @@ }, "main": "out/src/index.js", "types": "out/src/index.d.ts", + "gypfile": false, "scripts": { "build:asan": "node-gyp configure build --jobs=max --address_sanitizer", "build:tsan": "node-gyp configure build --jobs=max --thread_sanitizer", diff --git a/ts/test/test-no-build-scripts.ts b/ts/test/test-no-build-scripts.ts index 4aee2b12..cb7ba35f 100644 --- a/ts/test/test-no-build-scripts.ts +++ b/ts/test/test-no-build-scripts.ts @@ -3,12 +3,23 @@ import * as fs from 'fs'; import * as path from 'path'; describe('package manifest', () => { + const manifest = path.join(__dirname, '..', '..', 'package.json'); + const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8')); + it('declares no npm build lifecycle scripts (Yarn Berry YN0007)', () => { - const manifest = path.join(__dirname, '..', '..', 'package.json'); - const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8')); const scripts = pkg.scripts || {}; const hooks = ['preinstall', 'install', 'postinstall']; const present = hooks.filter(name => scripts[name] !== undefined); assert.deepStrictEqual(present, []); }); + + it('opts out of node-gyp on install via gypfile:false (npm implicit rebuild)', () => { + // binding.gyp lives in the dev tree (excluded from the published tarball). + // Without gypfile:false, npm's publish-time normalization synthesizes + // "gypfile": true and "install": "node-gyp rebuild" into the registry + // manifest, so consumers run node-gyp rebuild against a missing + // binding.gyp and the install fails. Pinning gypfile:false suppresses + // that hook while keeping the manifest free of lifecycle scripts. + assert.strictEqual(pkg.gypfile, false); + }); }); From 1d5936e35e6677f2b372123259e60f690ef9d491 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Jul 2026 09:43:47 +0000 Subject: [PATCH 3/4] build(deps-dev): bump the minor-updates group with 2 updates (#368) Bumps the minor-updates group with 2 updates: [eslint-plugin-n](https://github.com/eslint-community/eslint-plugin-n) and [nan](https://github.com/nodejs/nan). Updates `eslint-plugin-n` from 18.1.0 to 18.2.1 - [Release notes](https://github.com/eslint-community/eslint-plugin-n/releases) - [Changelog](https://github.com/eslint-community/eslint-plugin-n/blob/master/CHANGELOG.md) - [Commits](https://github.com/eslint-community/eslint-plugin-n/compare/v18.1.0...v18.2.1) Updates `nan` from 2.27.0 to 2.28.0 - [Changelog](https://github.com/nodejs/nan/blob/main/CHANGELOG.md) - [Commits](https://github.com/nodejs/nan/compare/v2.27.0...v2.28.0) --- updated-dependencies: - dependency-name: eslint-plugin-n dependency-version: 18.2.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-updates - dependency-name: nan dependency-version: 2.28.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-updates ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 16 ++++++++-------- package.json | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7dd8939d..2196e4e8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -22,11 +22,11 @@ "clang-format": "^1.8.0", "codecov": "^3.8.3", "deep-copy": "^1.4.2", - "eslint-plugin-n": "^18.0.1", + "eslint-plugin-n": "^18.2.1", "gts": "^7.0.0", "js-green-licenses": "^4.0.0", "mocha": "^11.7.6", - "nan": "^2.27.0", + "nan": "^2.28.0", "nyc": "^18.0.0", "semver": "^7.8.5", "sinon": "^22.0.0", @@ -2245,9 +2245,9 @@ } }, "node_modules/eslint-plugin-n": { - "version": "18.1.0", - "resolved": "https://registry.npmjs.org/eslint-plugin-n/-/eslint-plugin-n-18.1.0.tgz", - "integrity": "sha512-hkUm9EtnFV2h2fE16jNVUfCVUqvPzI7fGLsFdun5lFt/pbmf2kCgDx6ymi9rx+NCUSggBmurJCZOfG20JBs/kg==", + "version": "18.2.1", + "resolved": "https://registry.npmjs.org/eslint-plugin-n/-/eslint-plugin-n-18.2.1.tgz", + "integrity": "sha512-aO3C9//yq8JIvYOi/T+jPvcZ9hZzpwzbR8esrYpFtgE9vpbyM8kn42AQOtIqYspVmpaSWr8X+nrlQuAJYxXAaw==", "dev": true, "license": "MIT", "dependencies": { @@ -4290,9 +4290,9 @@ "license": "ISC" }, "node_modules/nan": { - "version": "2.27.0", - "resolved": "https://registry.npmjs.org/nan/-/nan-2.27.0.tgz", - "integrity": "sha512-hC+0LidcL3XE4rp1C4H54KujgXKzbfyTngZTwBByQxsOxCEKZT0MPQ4hOKUH2jU1OYstqdDH4onyHPDzcV0XdQ==", + "version": "2.28.0", + "resolved": "https://registry.npmjs.org/nan/-/nan-2.28.0.tgz", + "integrity": "sha512-fTsDz99OTq2sVePhGdp4qQhggZFtKr64ZNVyVajRKtMOkJxYekplBh577PiJB12v/D3s2E5cGtOI45LWp6rnLQ==", "dev": true, "license": "MIT" }, diff --git a/package.json b/package.json index 509d4b37..0b99b577 100644 --- a/package.json +++ b/package.json @@ -50,11 +50,11 @@ "clang-format": "^1.8.0", "codecov": "^3.8.3", "deep-copy": "^1.4.2", - "eslint-plugin-n": "^18.0.1", + "eslint-plugin-n": "^18.2.1", "gts": "^7.0.0", "js-green-licenses": "^4.0.0", "mocha": "^11.7.6", - "nan": "^2.27.0", + "nan": "^2.28.0", "nyc": "^18.0.0", "semver": "^7.8.5", "sinon": "^22.0.0", From 2149cddc497ceef5974549f9e9bd42488256ed44 Mon Sep 17 00:00:00 2001 From: Attila Szegedi Date: Fri, 10 Jul 2026 12:12:24 +0200 Subject: [PATCH 4/4] v5.16.1 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 2196e4e8..13dd4bcb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@datadog/pprof", - "version": "5.16.0", + "version": "5.16.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@datadog/pprof", - "version": "5.16.0", + "version": "5.16.1", "license": "Apache-2.0", "dependencies": { "node-gyp-build": "^4.8.4", diff --git a/package.json b/package.json index 0b99b577..9e0c9c19 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@datadog/pprof", - "version": "5.16.0", + "version": "5.16.1", "description": "pprof support for Node.js", "repository": { "type": "git",