[js] create task to update dependencies

[titusfortner]

User description

💥 What does this PR do?

Updates JavaScript dependencies for selenium-webdriver and grid-ui packages. The node:update command wasn't added in time for the recent release, but is now included in the pre-release workflow for next release.

Adds two new rake tasks:

• node:pin - Refreshes the pnpm lockfile without changing dependency ranges
• node:update - Updates dependencies within their specified ranges and refreshes the lockfile

🔧 Implementation Notes

The node:update task uses pnpm update -r by default, which updates within existing semver ranges. The --latest flag is not used by default to avoid unexpected breaking changes from major version bumps.

💡 Additional Considerations

Determine when/if we want to use the --latest option to bump version ranges.

🔄 Types of changes

• Cleanup (formatting, renaming)

---

PR Type

Enhancement, Tests

---

Description

• Add node:pin and node:update rake tasks for JavaScript dependency management

• Update JavaScript dependencies in selenium-webdriver and grid-ui packages

• Integrate Node.js dependency updates into pre-release workflow alongside Maven updates

• Minor HTML formatting fix removing unnecessary semicolons from event handlers

---

Diagram Walkthrough

flowchart LR
  A["Rakefile"] -->|"Add node:pin task"| B["Pin dependencies via pnpm lockfile"]
  A -->|"Add node:update task"| C["Update dependencies within semver ranges"]
  D["Pre-release workflow"] -->|"Call node:update"| C
  E["package.json files"] -->|"Bump versions"| F["Updated dependencies"]
  C -->|"Invoke"| B

Loading

File Walkthrough

	Relevant files
Enhancement	Rakefile Add Node.js dependency management rake tasks                          Rakefile Add node:pin task to refresh pnpm lockfile without changing dependency ranges Add node:update task to update dependencies within semver ranges with optional --latest flag Both tasks use Bazel to execute pnpm commands +14/-0
Dependencies	package.json Update JavaScript dependencies to latest patch/minor versions javascript/selenium-webdriver/package.json Update ws from ^8.18.3 to ^8.19.0 Update @eslint/js from ^9.39.1 to ^9.39.2 Update eslint from ^9.39.1 to ^9.39.2 Update eslint-plugin-n from ^17.23.1 to ^17.23.2 Update eslint-plugin-prettier from ^5.5.4 to ^5.5.5 Update express from ^4.21.2 to ^4.22.1 Update prettier from ^3.6.2 to ^3.8.0 +7/-7      package.json Update ts-jest dependency                                                                javascript/grid-ui/package.json Update ts-jest from ^29.4.5 to ^29.4.6 +1/-1
Configuration changes	pre-release.yml Integrate Node.js dependency updates into pre-release workflow .github/workflows/pre-release.yml Rename step from "Update Maven dependency versions" to "Update Dependency versions" Add ./go node:update command to update Node.js dependencies Update step ID from maven to dependencies Update commit message and workflow summary to reflect both Maven and Node.js updates +5/-4
Formatting	click.html Remove semicolons from HTML event handlers                              javascript/selenium-webdriver/lib/test/data/actions/click.html Remove unnecessary semicolons from onclick and ondblclick event handler attributes +1/-1

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Supply-chain automation Description: The workflow now runs ./go node:update and commits the results, which introduces a potential dependency supply-chain risk if this workflow can be triggered in contexts where untrusted code/inputs could influence dependency resolution (e.g., if it runs on PRs or with writable tokens), since it performs networked package updates and then auto-commits changes. pre-release.yml [148-157] Referred Code - name: Update Dependency versions id: dependencies run: | ./go java:update ./go node:update if git diff --staged --quiet; then echo "updated=false" >> "$GITHUB_OUTPUT" else git commit -m "update dependency versions" echo "updated=true" >> "$GITHUB_OUTPUT"
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Command failure handling: The new node:pin/node:update tasks rely on Bazel.execute/git staging without explicit error handling or contextual messaging in this diff, so it is unclear whether pnpm/bazel failures are surfaced with actionable context. Referred Code desc 'Pin JavaScript dependencies via pnpm lockfile' task :pin do Bazel.execute('run', ['--', 'install', '--dir', Dir.pwd, '--lockfile-only'], '@pnpm//:pnpm') @git.add('pnpm-lock.yaml') end desc 'Update JavaScript dependencies and refresh lockfile (use "latest" to bump ranges)' task :update, [:latest] do |_task, arguments| args = ['--', 'update', '-r', '--dir', Dir.pwd] args.insert(4, '--latest') if arguments[:latest] == 'latest' Bazel.execute('run', args, '@pnpm//:pnpm') Rake::Task['node:pin'].invoke end Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	✅ Fix incorrect command-line argument construction Suggestion Impact: The update task now constructs the argument list in stages, conditionally appending --latest before adding the --dir option, correcting the previous insertion-based ordering. code diff: - args = ['--', 'update', '-r', '--dir', Dir.pwd] - args.insert(4, '--latest') if arguments[:latest] == 'latest' + args = ['--', 'update', '-r'] + args << '--latest' if arguments[:latest] == 'latest' + args += ['--dir', Dir.pwd] Fix the pnpm update command by constructing arguments progressively to ensure the --latest flag is placed correctly before the --dir option. Rakefile [534-540] desc 'Update JavaScript dependencies and refresh lockfile (use "latest" to bump ranges)' task :update, [:latest] do |_task, arguments| - args = ['--', 'update', '-r', '--dir', Dir.pwd] - args.insert(4, '--latest') if arguments[:latest] == 'latest' + args = ['--', 'update', '-r'] + args.push('--latest') if arguments[:latest] == 'latest' + args.push('--dir', Dir.pwd) Bazel.execute('run', args, '@pnpm//:pnpm') Rake::Task['node:pin'].invoke end [Suggestion processed] Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a bug where the pnpm command would fail due to incorrect argument ordering, and the proposed fix is robust and correct.	High
Update

[Copilot]

Pull request overview

This PR adds automated JavaScript dependency management capabilities to the Selenium project and updates Node.js dependencies to their latest compatible versions.

Changes:

• Added node:pin and node:update rake tasks for JavaScript dependency management via pnpm
• Updated JavaScript dependencies in selenium-webdriver and grid-ui packages to latest patch/minor versions
• Integrated Node.js dependency updates into the pre-release workflow alongside existing Maven updates

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
Rakefile	Adds two new rake tasks: node:pin for refreshing pnpm lockfile and node:update for updating dependencies within semver ranges
javascript/selenium-webdriver/package.json	Updates 7 dev dependencies (ws, eslint ecosystem, express, prettier) to latest compatible versions
javascript/grid-ui/package.json	Updates ts-jest from 29.4.5 to 29.4.6
javascript/selenium-webdriver/lib/test/data/actions/click.html	Removes unnecessary semicolons from HTML event handler attributes (formatting cleanup)
.github/workflows/pre-release.yml	Integrates node:update command into pre-release workflow and updates related documentation
pnpm-lock.yaml	Automated lockfile update reflecting all dependency version changes

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported