chore(deps-dev): bump workbox-webpack-plugin from 7.3.0 to 7.4.0

[dependabot]

Bumps workbox-webpack-plugin from 7.3.0 to 7.4.0.

Release notes

Sourced from workbox-webpack-plugin's releases.

Workbox v7.4.0

v7.4.0

• Critical dependency updates.

Commits

• fa702fe v7.4.0
• c34bf28 Merge pull request #3441 from GoogleChrome/chore/npm-audit
• cf21cb6 Merge pull request #3440 from GoogleChrome/chore/update-actions
• 5083f3f Update dependencies
• cf91300 Merge pull request #3439 from GoogleChrome/dependabot/npm_and_yarn/js-yaml-3....
• b6825a9 Update upload-sarif action
• d971ff7 Update GitHub Actions to latest versions
• 076adc0 Bump js-yaml from 3.14.1 to 3.14.2
• 69478fd Merge pull request #3433 from GoogleChrome/dependabot/npm_and_yarn/packages/w...
• 0d9b8b3 Merge pull request #3434 from GoogleChrome/dependabot/npm_and_yarn/glob-11.1.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by swissspidy, a new releaser for workbox-webpack-plugin since your current version.

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[learning-equality-bot]

👋 Thanks for contributing!

We will assign a reviewer within the next two weeks. In the meantime, please ensure that:

• You ran pre-commit locally
• All issue requirements are satisfied
• The contribution is aligned with our Contributing guidelines. Pay extra attention to Using generative AI. Pull requests that don't follow the guidelines will be closed.

We'll be in touch! 😊

[learning-equality-bot]

Season’s greetings! 👋

We’d like to thank everyone for another year of fruitful collaborations, engaging discussions, and for the continued support of our work. Learning Equality will be on holidays from December 22 to January 5. We look forward to much more in the new year and wish you a very happy holiday season!

Are you preparing for Google Summer of Code? See our GSoC guidelines.

[rtibblesbot]

Dependency Update Review

Package: workbox-webpack-plugin 7.3.0 → 7.4.0
Semver risk: Minor
Dependency type: devDependency
CI status: Passing (frontend tests, build, linting all green)

Changelog Analysis

Sources consulted:

• Release notes v7.4.0
• Commit comparison v7.3.0...v7.4.0 (101 commits)

Breaking changes: None found.

Deprecations: None found.

Security fixes: The release includes npm audit fix runs across workbox packages and updates to transitive dependencies (js-yaml 3.14.1 → 3.14.2, glob, pbkdf2, etc.) — this is the "critical dependency updates" referenced in the release notes.

Other notable changes:

• Fix for potential unhandled rejections in StrategyHandler.doneWaiting (PR #3320)
• Node.js engine requirement bumped from >=16.0.0 to >=20.0.0 in workbox-build and workbox-webpack-plugin — compatible with this project's node: 20.x engine requirement
• Internal CI and tooling updates (GitHub Actions, rollup version)

New maintainer: This version was published to npm by swissspidy (Pascal Birchler), a new releaser for workbox-webpack-plugin. This is a known Workbox/Google Chrome team contributor.

Compatibility Assessment

• Project uses Node 20.x: compatible with the new >=20.0.0 engine requirement ✓
• No breaking API changes: no code migration needed ✓
• Peer dependency requirements unchanged (webpack ^4.4.0 || ^5.91.0): satisfied ✓
• Lockfile changes contain only expected transitive dependency updates ✓
• No prior reverts or issues with this upgrade found ✓

Recommendation

APPROVE — Low-risk minor bump of a dev dependency. The release is primarily internal dependency maintenance and security fixes. CI confirms full compatibility.

[rtibbles]

@dependabot rebase

[rtibblesbot]

Dependency Update Review

Package: workbox-webpack-plugin 7.3.0 → 7.4.0
Semver risk: Minor
Dependency type: devDependency
CI status: Passing (frontend build, frontend tests, linting, message files all green)

Changelog Analysis

Sources consulted:

• Release notes v7.4.0
• PR #3441 — npm audit fix
• PR #3440 — update GitHub Actions

Breaking changes: None found.

Deprecations: None found.

Security fixes: The release notes describe this as "critical dependency updates" — workbox's own transitive dependencies were updated via npm audit fix to address vulnerabilities in workbox's build/test toolchain. No API changes.

Other notable changes: GitHub Actions workflow updates in the workbox repo itself. No user-facing or API-level changes.

Compatibility Assessment

• Project uses affected APIs: no (no API changes in this release)
• Peer dependency changes: no (webpack ^4.4.0 || ^5.91.0 — unchanged)
• Node engine requirement: >=20.0.0 — compatible with project's node: 20.x
• Code changes required: no
• New maintainer published this version (swissspidy) — noted but this is a known Workbox/Chrome team member
• Lockfile changes: only expected transitive dependency updates

Recommendation

APPROVE — Low-risk minor bump of a dev dependency. No API changes, no breaking changes, CI passing. The release is purely internal dependency maintenance.

[rtibblesbot]

Dependency Update Review

Package: workbox-webpack-plugin 7.3.0 → 7.4.0
Semver risk: Minor
Dependency type: devDependency
CI status: Passing — frontend build, frontend tests, linting, and message build all green.

Changelog Analysis

Sources consulted:

• Release notes v7.4.0
• PR #3441 — npm audit fix
• PR #3440 — Update GitHub Actions

This is a housekeeping release with no API changes. The v7.4.0 release notes state "Critical dependency updates" and the underlying changes are:

• npm audit fix to update transitive dependencies (#3441)
• GitHub Actions version updates to fix deprecated CI workflows (#3440)
• Bump js-yaml from 3.14.1 to 3.14.2 (#3439)

Breaking changes: None.
Deprecations: None.
Security fixes: Transitive dependency audit fixes (no specific CVEs listed).

Compatibility Assessment

• Project uses affected APIs: No — no workbox-webpack-plugin API changes in this release.
• Peer dependency changes: None.
• Code changes required: None — only package.json and pnpm-lock.yaml changed, as expected.
• Prior failed attempts: None.

Note: This version was published to npm by swissspidy (Pascal Birchler), a new releaser for this package. He is a known Workbox/Google Chrome contributor who authored and merged the upstream PRs.

Recommendation

APPROVE — Low-risk minor bump of a devDependency containing only internal dependency maintenance. CI passing.

[rtibbles]

No concerns from changelog. Good to merge.