build(deps-dev): bump monocart-coverage-reports from 2.12.9 to 2.12.12 #2736

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.12

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Bumps monocart-coverage-reports from 2.12.9 to 2.12.12.

Changelog

Sourced from monocart-coverage-reports's changelog.

  • 2.12.12

    • refactored getEntryFilter / getSourceFilter / getFileFilter into a shared createFilterHandler factory
    • replaced .filter().forEach() chains with single loops to avoid intermediate array allocations
    • replaced .map().flat() with .flatMap() for reduced memory churn
    • fixed resolveWatermarks mutating the input defaultWatermarks object (now clones before modifying)
    • consolidated writeFileSync / writeFile directory creation into shared ensureDirSync helper
    • added lib/packages/ to eslint ignore to skip linting built vendor bundles
    • fixed minor lint warnings (unused variable assignments)
    • optimized findInRanges from O(n) linear scan to O(log n) binary search for sorted range lists
    • refactored while(true) with post-guard in fromSortedRanges to a condition-clear while (stack.length > 0)
    • renamed calculateSha1 parameter from misleading buffer to input
    • fixed mergeCssRanges O(n²) array concatenation (now O(n) with push) and removed unnecessary Promise wrapper
  • 2.12.11

    • fixed child process crash when the tested code spawns a subprocess with a different cwd (NODE_OPTIONS register path is now absolute)
  • 2.12.10

    • updated dependencies

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Patch-level dev dependency update for coverage reporting only; no runtime or production impact.

Overview
Bumps the dev dependency monocart-coverage-reports from 2.12.9 to 2.12.12 in injected/package.json, with the lockfile updated to match (including refreshed transitive versions such as acorn-walk, console-grid, eight-colors, lz-utils, monocart-locator, and a nested foreground-child for the coverage tool).

No application or test source changes—only dependency versions used when generating merged coverage reports (e.g. via coverage-report / merge-coverage.js).

Reviewed by Cursor Bugbot for commit a3d568e. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [monocart-coverage-reports](https://github.com/cenfun/monocart-coverage-reports) from 2.12.9 to 2.12.12.
- [Release notes](https://github.com/cenfun/monocart-coverage-reports/releases)
- [Changelog](https://github.com/cenfun/monocart-coverage-reports/blob/main/CHANGELOG.md)
- [Commits](cenfun/monocart-coverage-reports@2.12.9...2.12.12)

---
updated-dependencies:
- dependency-name: monocart-coverage-reports
  dependency-version: 2.12.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Update one or more dependencies version) and patch (Increment the patch version when merged) labels Jun 4, 2026
dependabot Bot requested a review from a team as a code owner June 4, 2026 01:34

github-actions Bot commented Jun 4, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.12
Commit 3683c873bc
Updated June 4, 2026 at 1:35:15 AM UTC

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.12

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.12")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.12
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.12

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#3683c873bc0d8142cd8b8aaee12c867814741881

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "3683c873bc0d8142cd8b8aaee12c867814741881")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/monocart-coverage-reports-2.12.12
git -C submodules/content-scope-scripts checkout 3683c873bc0d8142cd8b8aaee12c867814741881

@cursor cursor Bot left a comment

Web Compatibility Assessment

No findings. The diff only bumps monocart-coverage-reports in injected/package.json and updates the corresponding dev-only lockfile entries. It does not touch injected runtime code, API wrappers/shims, wrapper-utils.js, DDGProxy, feature initialization, platform entry points, or DOM/message-bridge behavior.

Security Assessment

No findings. The changed dependency is a devDependency used by injected/scripts/merge-coverage.js for coverage report generation; it is not bundled into page-world injected scripts. No captured-global usage, messaging trust boundary, origin validation, postMessage, or config-gating paths are changed.

Risk Level

Low Risk: dev-only coverage tooling patch bump with no injected runtime surface changes.

Recommendations

No blocking recommendations. I verified the updated coverage reporter still loads with npm run coverage-report --workspace=injected (exits cleanly; no coverage inputs present in this checkout).

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Dependency risk review for monocart-coverage-reports 2.12.9 -> 2.12.12:

No confirmed dependency-specific blockers found.

Evidence reviewed:

  • PR diff only updates injected/package.json and package-lock.json; the direct dependency remains devDependencies-only.
  • Repo usage is limited to injected/scripts/merge-coverage.js via new CoverageReport(...).add(...).generate() and the coverage workflow. This is not bundled into shipped content-scope scripts.
  • Upstream changelog for 2.12.10-2.12.12: dependency refresh, a CLI/child-process NODE_OPTIONS cwd fix, filter/watermark/refactor/performance fixes. The repo does not use custom entryFilter/sourceFilter/watermarks or the mcr child-process wrapper path in merge-coverage.js.
  • Lockfile transitive changes are within the coverage reporter tree: parser/display/helper packages plus nested foreground-child@4.0.3. Its node >=16 requirement is compatible with this repo’s Node 22 environment.
  • Supply-chain check: npm registry metadata for 2.12.12 has the same maintainer and MIT license, 57 files, a small unpacked-size change (~1.09 MB -> ~1.12 MB), locked integrity matching the PR, and registry signature metadata. I found no install/postinstall lifecycle path introduced for the direct package, and npm audit did not flag monocart-coverage-reports or the changed transitives. Existing audit output still reports unrelated repo vulnerabilities.

Validation run locally on the PR state:

  • npm ci
  • npm run build -w injected
  • npm run test-unit-coverage -w injected
  • npm run coverage-report -w injected

Coverage-report generation succeeded for unit coverage. Integration coverage input was absent locally, so the script skipped that directory as expected.

Uncertain / validation note:

  • GitHub currently marks Unit tests (injected, windows-latest) / CI gate failed, but the fetched Windows job log reports 937 specs, 0 failures, 16 pending specs. I would re-run or inspect the CI gate before merge, but I do not see evidence tying that status to this dependency update.

No separate fix PR drafted because I did not identify a code or lockfile fix needed.

Sent by Cursor Automation: Review dependabot
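
Added example, not part of the review comment or the repository: one way to script the lockfile portion of the supply-chain check described above, assuming a lockfile v2/v3 `packages` map. The function name, the sample lockfiles, the placeholder integrity strings and the `example-transitive` entry are constructed for illustration.

```javascript
// Added example: flag changed package-lock.json entries that need a closer look.
// Assumes lockfile v2/v3, where "packages" maps install paths to entries.
const REGISTRY = 'https://registry.npmjs.org/';

function reviewLockfileBump(before, after) {
    const findings = [];
    for (const [path, entry] of Object.entries(after.packages)) {
        // Skip the root project and workspace folders; only installed packages matter.
        if (!path.includes('node_modules/')) continue;
        const old = before.packages[path];
        const unchanged = old && old.version === entry.version && old.integrity === entry.integrity;
        if (unchanged) continue;
        const flag = (issue) => findings.push({ path, version: entry.version, issue });
        // "dev: true" marks entries reachable only through devDependencies.
        if (!entry.dev) flag('not dev-only');
        if (!/^sha512-/.test(entry.integrity || '')) flag('missing sha512 integrity');
        if (!(entry.resolved || '').startsWith(REGISTRY)) flag('resolved outside npm registry');
        // Only report install scripts that the previous lockfile did not already have.
        if (entry.hasInstallScript && !(old && old.hasInstallScript)) flag('new install script');
    }
    return findings;
}

// Constructed sample lockfiles; integrity strings are placeholders, not real hashes.
const tarball = (name, v) => `${REGISTRY}${name}/-/${name}-${v}.tgz`;
const before = { packages: {
    '': { name: 'sample-root' },
    'node_modules/monocart-coverage-reports': { version: '2.12.9', dev: true,
        resolved: tarball('monocart-coverage-reports', '2.12.9'), integrity: 'sha512-PLACEHOLDER-OLD' }
} };
const after = { packages: {
    '': { name: 'sample-root' },
    'node_modules/monocart-coverage-reports': { version: '2.12.12', dev: true,
        resolved: tarball('monocart-coverage-reports', '2.12.12'), integrity: 'sha512-PLACEHOLDER-NEW' },
    // Hypothetical entry, not in this PR, showing what a flagged transitive looks like.
    'node_modules/example-transitive': { version: '1.0.0', hasInstallScript: true,
        resolved: 'https://example.invalid/example-transitive-1.0.0.tgz' }
} };

console.log(reviewLockfileBump(before, after));
```

A clean dev-only bump returns an empty list; each finding names the lockfile path so it can be checked against registry metadata by hand.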
