You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add "auto" to the api option and make it the default. When the Sass implementation supports the modern compiler, "auto" enables it and reuses a single long-running compiler across files, which significantly improves build performance; otherwise it falls back to the modern API. (by @alexander-akait in #1319)
Convert source to native ECMAScript modules. The package now declares "type": "module" and exposes both an ESM and a CommonJS build via the exports field. CommonJS consumers continue to work via require, and ESM consumers can now import the loader directly. (by @alexander-akait in #1322)
Add "auto" to the api option and make it the default. When the Sass implementation supports the modern compiler, "auto" enables it and reuses a single long-running compiler across files, which significantly improves build performance; otherwise it falls back to the modern API. (by @alexander-akait in #1319)
Convert source to native ECMAScript modules. The package now declares "type": "module" and exposes both an ESM and a CommonJS build via the exports field. CommonJS consumers continue to work via require, and ESM consumers can now import the loader directly. (by @alexander-akait in #1322)
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
No blocking findings.
Security
I did not find any current public advisories or known CVEs affecting sass-loader@16.0.8.
The package still resolves to the same direct runtime dependency (neo-async), so this PR does not expand the dependency surface.
Dependabot notes an upstream prepare script change, but that is package-maintainer workflow rather than an install-time script this repo executes from the npm registry package. Local yarn install --immutable completed cleanly with no dependency-script issues.
Safety of merging
The main breaking changes between 13.3.3 and 16.x are:
14.0.0 raises the minimum Node version to >=18.12.0 and removes fibers support.
15.0.0 prefers sass-embedded over sass when both are installed.
16.0.0 defaults to the modern Sass JS API.
This repository already appears aligned with those changes:
webpack.config.js explicitly sets sass-loader to api: "modern".
The only configured sassOptions use loadPaths, which is valid with the modern API.
I did not find legacy-only loader options in this repo (data, file, legacy importer/functions config, etc.).
I did not find ~ Sass imports that would raise additional migration concerns.
The repo pins Node 20.20.0 in .tool-versions, and CI uses Node 20 in .github/workflows/ci-cd.yml, so the Node floor increase is satisfied in the supported environments.
The repo depends on sass, not sass-embedded, so the 15.0.0 default-preference change should not alter behavior here.
Net: for this codebase, the semver-major risk is real in general, but the repository is already configured in the direction that sass-loader@16 expects.
Tests
Local:
yarn install --immutable ✅
yarn lint ✅
yarn stylelint ✅
CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92 suites, 835 tests passed)
yarn build ✅
Build completed without Sass errors; only the existing webpack asset-size/performance warnings were reported.
Hosted PR checks at review time:
lint ✅
test ✅
deploy-branch / build-deploy ✅
test-cypress is still in progress
I could not complete a local Cypress run in this VM because the Cypress desktop binary was not present and repeated cypress install attempts did not yield a usable local binary here.
Recommendation
Merge.
Residual risk looks low for this repository. The only thing still worth watching is the hosted test-cypress job before merging, since that is the remaining browser-level validation not yet complete in this environment.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
The reason will be displayed to describe this comment to others. Learn more.
No blocking findings.
Security
I couldn't find any published CVEs/advisories affecting sass-loader@16.0.8; public package-security sources currently show no known direct vulnerabilities for this package.
The runtime supply-chain footprint is effectively unchanged: the lockfile still resolves the same direct dependency (neo-async), and the newly listed @rspack/core peer is optional and unused in this repo.
sass-loader does not add preinstall/install/postinstall hooks. Upstream's prepare script changed, but that script is not executed for normal npm registry installs, so it does not introduce new install-time risk here.
Safety Of Merging
The meaningful upstream breaking changes across 13.3.3 -> 16.0.8 are: minimum Node version >=18.12.0 (v14), preferring sass-embedded when present (v15), and using the modern Sass JS API by default (v16).
This repository looks compatible with those changes: CI is configured for Node 20 in .github/workflows/ci-cd.yml, the webpack rule already opts into api: "modern" in webpack.config.js, and it only uses modern-compatible options (sassOptions.loadPaths and sourceMap).
I did not find any repo usage of fibers, node-sass, sass-embedded, or legacy-only loader options that would make this bump risky.
Test Results
Local on the PR head:
yarn install --immutable ✅
yarn lint ✅
CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92 suites / 835 tests passed)
yarn build ✅ (webpack compiled successfully)
I could not complete local Cypress because this VM could not download the Cypress binary from download.cypress.io (SSL_ERROR_SYSCALL / binary not installed).
The PR's GitHub Actions test-cypress check has completed successfully, so the hosted full suite is green.
Recommendation
Recommend merge. The main major-version risks are already accounted for by this repo's current setup, and both local CI-style checks and hosted CI passed.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Bumps sass-loader from 13.3.3 to 17.0.0.
Release notes
Sourced from sass-loader's releases.
... (truncated)
Changelog
Sourced from sass-loader's changelog.
... (truncated)
Commits
3b00be7chore(release): new release (#1317)8e7c6bdchore(deps): update (#1323)a4e28f3feat: add JSDoc type-checking and declaration emission (#1312)a3db95bfeat!: convert source to native ES modules with dual ESM/CJS build (#1322)8ac53f9test: migrate from jest to node:test runner (#1321)90a9170feat: add api "auto" and use it by default (#1319)07c921bfeat!: minimum supported NodeJS version is22.11.0(#1318)cf34e2bfeat!: minimum supported NodeJS version is22.11.0ce46d50ci: add changelog release action6fddce2ci: lock actions (#1315)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for sass-loader since your current version.
Install script changes
This version modifies
preparescript that runs during installation. Review the package contents before updating.