build(deps): pin wasm runtime packages so dependabot lockfiles stay in sync

[haasonsaas]

Problem

CI has been red on every dependabot PR since 2026-06-04 (#110–#113). Both Desktop build and ContextKit build die in ~15s at npm ci --ignore-scripts:

npm error `npm ci` can only install packages when your package.json and package-lock.json are in sync.
npm error Missing: @emnapi/core@1.11.0 from lock file
npm error Missing: @emnapi/runtime@1.11.0 from lock file

Root cause: @emnapi/*, @napi-rs/wasm-runtime, and @tybys/wasm-util only existed in the lockfile as transitive deps of the optional wasm32-wasi platform bindings (@rolldown/binding-wasm32-wasi, @tailwindcss/oxide-wasm32-wasi). Dependabot's lockfile regeneration drops dependencies of optional platform packages (known dependabot-core npm/wasi bug), so every grouped bump it rebased after the #105–#107/#54 merges shipped a desynced lock. main itself is in sync — only dependabot-regenerated locks break.

Fix

• Pin the five wasm runtime packages as direct devDependencies — direct deps always survive lockfile regeneration.
• Add $-reference overrides so the bindings' exact pins (rolldown pins @emnapi/core exactly, and bumps it in lockstep with its own releases) collapse onto the single root version instead of demanding nested copies dependabot would drop again.

The wasi bindings are never installed on CI (linux-x64 / darwin-arm64 resolve native bindings), so the override only affects lock resolution, not anything that executes.

Related CI fix (no code change)

The Bazel RBE smoke job's only runner (bazel-rbe-dev-buildfarm-kestrel-bazel, labels evalops-kestrel-rbe) is offline, so jobs queued ~24h and died — this PR's path filter would have re-triggered it. I flipped the workflow's designed kill switch vars.BAZEL_RBE_ENABLED → false until the runner is restored; re-enable with gh api -X PATCH repos/evalops/kestrel/actions/variables/BAZEL_RBE_ENABLED -f name=BAZEL_RBE_ENABLED -f value=true.

Test plan

• npm ci --ignore-scripts --dry-run passes on this branch (lock/manifest sync check — the exact check that fails on the dependabot PRs)
• npm ci --ignore-scripts && npm run build clean locally (electron-vite production build)
• Lock diff reviewed: additive root entries + 1.10.0→1.11.0 bump only; no unrelated churn
• CI Desktop build + ContextKit build green on this PR
• After merge: @dependabot rebase on build(deps-dev): bump @vitejs/plugin-react from 5.2.0 to 6.0.2 #110–build(deps): bump the prod-minor-patch group across 1 directory with 17 updates #113 → regenerated locks retain @emnapi/* and CI goes green

🤖 Generated with Claude Code

[cursor]

PR Summary

Low Risk
Dependency and lockfile-only changes for optional wasm bindings; CI platforms use native bindings, so runtime behavior should be unchanged.

Overview
Pins five wasm-related packages (@emnapi/*, @napi-rs/wasm-runtime, @tybys/wasm-util) as direct devDependencies and adds npm overrides with $-references so the whole tree resolves to those root versions.

This keeps package.json and package-lock.json aligned through Dependabot lockfile regen, which was dropping these as transitive optional wasm32-wasi deps and breaking CI on npm ci --ignore-scripts. The lockfile updates those entries (including @emnapi/core / @emnapi/runtime 1.10.0 → 1.11.0) and treats them as non-optional root dev deps.

^{Reviewed by Cursor Bugbot for commit 9384ba8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​emnapi/​runtime@​1.10.0 ⏵ 1.11.0
	@​emnapi/​core@​1.10.0 ⏵ 1.11.0	-2		+1

View full report