Bump sass-loader from 13.3.3 to 16.0.7#1466

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/sass-loader-16.0.7

@dependabot dependabot Bot commented on behalf of github May 14, 2026

Bumps sass-loader from 13.3.3 to 16.0.7.

Release notes

Sourced from sass-loader's releases.

v16.0.7

16.0.7 (2026-02-05)

Bug Fixes

  • update peer dependency for @rspack/core v2 (#1291) (24d12ec)

v16.0.6

Bug Fixes

  • cache fs calls for modern API

v16.0.5

16.0.5 (2025-02-14)

Bug Fixes

  • allow to import CSS using @use with css extension (#1254) (3352e49)

v16.0.4

16.0.4 (2024-12-04)

Bug Fixes

  • include sources map content for modern api by default (#1250) (70a10ff)

v16.0.3

16.0.3 (2024-11-01)

Bug Fixes

  • modern-compiler: dispose redundant compilers (#1245) (004ed38)

v16.0.2

16.0.2 (2024-09-20)

Bug Fixes

v16.0.1

16.0.1 (2024-08-19)

Bug Fixes

... (truncated)

Changelog

Sourced from sass-loader's changelog.

16.0.7 (2026-02-05)

Bug Fixes

  • update peer dependency for @rspack/core v2 (#1291) (24d12ec)

16.0.6 (2025-10-23)

Bug Fixes

  • cache fs calls for modern API

16.0.5 (2025-02-14)

Bug Fixes

  • allow to import CSS using @use with css extension (#1254) (3352e49)

16.0.4 (2024-12-04)

Bug Fixes

  • include sources map content for modern api by default (#1250) (70a10ff)

16.0.3 (2024-11-01)

Bug Fixes

  • modern-compiler: dispose redundant compilers (#1245) (004ed38)

16.0.2 (2024-09-20)

Bug Fixes

16.0.1 (2024-08-19)

Bug Fixes

  • generate correct sourceMaps for modern-compiler api (#1228) (f862f7a)

16.0.0 (2024-07-26)

... (truncated)

Commits
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.



Bumps [sass-loader](https://github.com/webpack/sass-loader) from 13.3.3 to 16.0.7.
- [Release notes](https://github.com/webpack/sass-loader/releases)
- [Changelog](https://github.com/webpack/sass-loader/blob/main/CHANGELOG.md)
- [Commits](webpack/sass-loader@v13.3.3...v16.0.7)

---
updated-dependencies:
- dependency-name: sass-loader
  dependency-version: 16.0.7
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and javascript labels May 14, 2026
Copilot AI review requested due to automatic review settings May 14, 2026 10:32

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@cursor cursor Bot left a comment

Stale comment

No blocking issues found in this dependency bump.

Security

  • I could not find any published GitHub/Snyk advisories for sass-loader 13.3.3 or 16.0.7, and the upstream webpack/sass-loader repo currently shows no published vulnerability alerts.
  • The lockfile change is narrow: it updates sass-loader itself and keeps the same direct dependency footprint (neo-async remains the only listed package dependency for the loader). I did not find any new supply-chain concern introduced by this PR.
  • I also did not find any resolved security issue that would make this an urgent patch-level security upgrade.

Safety Of Merging

  • This is a semver-major update, so the relevant upstream breaking changes are the ones introduced in 14.x-16.x:
    • 14.0.0 raised the minimum supported Node.js version to 18.12.0 and removed fibers support.
    • 15.0.0 prefers sass-embedded over sass when both are present.
    • 16.0.0 switched the default Sass JS API to the modern API.
  • In this repository, the only sass-loader usage is in webpack.config.js, and it already sets api: "modern" plus sassOptions.loadPaths, so the biggest 16.x behavior change is effectively already opted into here.
  • This repo depends on sass, not sass-embedded, so the 15.x default preference change should not affect current builds.
  • The one practical caveat is Node version: the repo itself is pinned to Node 20.20.0 in .tool-versions, and the GitHub Actions workflow also uses Node 20, so CI should be fine. But anyone still building locally on Node 16 will need to upgrade before using sass-loader 16.x.

Local Test Results

  • yarn install --immutable: passed (with existing peer-dependency warnings, but no install failure from this bump)
  • yarn lint: passed
  • yarn build: passed; webpack compiled successfully
  • CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter: passed (92 suites, 820 tests)
  • yarn start: passed; webpack dev server compiled successfully
  • curl -I http://localhost:3011/web-component.html: returned 200 OK
  • Cypress e2e could not be completed in this environment because the Cypress binary was not preinstalled and downloading it from download.cypress.io failed with an SSL/network error. That looks like an environment/network restriction, not a regression caused by this PR.

Recommendation

Merge with caution.

The upgrade looks safe for this repository as currently configured, and I did not find a security reason to hold it. The only thing I would verify outside CI is that any local/devcontainer/preview environments still in use are on Node 18.12+ (ideally Node 20, matching the repo config and workflow).

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

@cursor cursor Bot left a comment

No blocking findings.

Security

  • I did not find any published GHSA/CVE/npm advisory affecting sass-loader@16.0.7; upstream 16.0.7 is a patch release whose only documented change is widening the optional @rspack/core peer for v2 support.
  • The lockfile diff does not add new transitive runtime dependencies beyond the sass-loader tarball update itself; it still depends on neo-async, with sass, sass-embedded, node-sass, and webpack remaining peer dependencies.
  • Dependabot flagged an upstream prepare script change, but the published package does not introduce preinstall/install/postinstall hooks. For a normal registry dependency, that does not create a new install-time execution path in this repo.

Safety of merging

  • The meaningful breaking changes between 13.3.3 and 16.x are:
    1. 14.0.0 requires Node >=18.12.0 and removes fibers support.
    2. 15.0.0 prefers sass-embedded over sass when sass-embedded is installed.
    3. 16.0.0 defaults to the modern Sass JS API.
  • This repository already lines up with those changes:
    • .tool-versions and .github/workflows/ci-cd.yml are on Node 20.
    • sass-embedded is not installed here, so the loader continues to use sass.
    • webpack.config.js already sets api: "modern", and the current sassOptions.loadPaths / sourceMap configuration built successfully unchanged.
  • I did not find repo code that appears coupled to the removed fibers path or to legacy Sass API-only options.

Local verification

  • yarn install --immutable: passed (existing peer-dependency warnings only)
  • yarn lint: passed
  • CI=true yarn test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter: passed (92 suites, 820 tests)
  • yarn build: passed
  • Local Cypress was not runnable on this agent: the Cypress package is present, but the desktop binary is not cached and download.cypress.io was unreachable from the agent (SSL_ERROR_SYSCALL) when I tried to install it.

Current PR checks

  • GitHub Actions lint: passing
  • GitHub Actions test: passing
  • GitHub Actions deploy-branch / build-deploy: passing
  • GitHub Actions test-cypress: still in progress at review time

Recommendation

Merge with caution: I do not see a security or code-level blocker, but because this is a semver-major build-tool upgrade and local Cypress could not be executed on this agent, I would wait for the PR’s test-cypress job to finish green before merging. If that check passes, this looks safe to merge.

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
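
The distinction drawn in the review above, a modified prepare script versus new preinstall/install/postinstall hooks, can be checked mechanically when triaging an "Install script changes" notice. The following is an added example, not code from this PR or from sass-loader; the manifests are constructed and the function names are hypothetical. It assumes npm's behaviour that prepare does not run for a dependency unpacked from a registry tarball but does run for a dependency fetched from git.

```javascript
// Added example: flag package.json script changes that execute at install time.
// Hooks run for a dependency unpacked from a registry tarball.
const REGISTRY_HOOKS = ["preinstall", "install", "postinstall"];
// Assumption (npm behaviour): `prepare` also runs for a dependency fetched from git.
const GIT_HOOKS = [...REGISTRY_HOOKS, "prepare"];

// Compare the "scripts" maps of two manifests; `source` is "registry" or "git".
function diffInstallScripts(oldManifest, newManifest, source = "registry") {
  const before = oldManifest.scripts || {};
  const after = newManifest.scripts || {};
  const hooks = source === "git" ? GIT_HOOKS : REGISTRY_HOOKS;
  const names = new Set([...Object.keys(before), ...Object.keys(after)]);
  const findings = [];
  for (const name of [...names].sort()) {
    if (before[name] === after[name]) continue; // unchanged script
    const change = !(name in before) ? "added" : !(name in after) ? "removed" : "modified";
    findings.push({
      name,
      change,
      // A removed hook no longer executes, so only hooks still present count.
      runsOnInstall: hooks.includes(name) && name in after,
      before: before[name] ?? null,
      after: after[name] ?? null,
    });
  }
  return findings;
}

// True when any changed script would execute on the installing machine.
function needsManualReview(findings) {
  return findings.some((f) => f.runsOnInstall);
}

// Constructed manifests (hypothetical; not the real sass-loader package.json).
const oldPkg = { scripts: { prepare: "hook-tool install && npm run build", test: "jest" } };
const newPkg = { scripts: { prepare: "hook-tool && npm run build", test: "jest" } };
const withPostinstall = { scripts: { ...newPkg.scripts, postinstall: "node setup.js" } };

for (const [label, pkg, source] of [
  ["prepare changed, registry", newPkg, "registry"],
  ["prepare changed, git", newPkg, "git"],
  ["postinstall added, registry", withPostinstall, "registry"],
]) {
  const findings = diffInstallScripts(oldPkg, pkg, source);
  console.log(label, "->", needsManualReview(findings) ? "REVIEW" : "ok", findings);
}
```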
