
chore: pwt update #2252

Open

r0b1n wants to merge 2 commits into main from feat/pwt-11.11

Conversation

@r0b1n
Collaborator

@r0b1n r0b1n commented Jun 5, 2026

No description provided.

@github-actions

github-actions Bot commented Jun 5, 2026

AI Code Review

⚠️ Approved with suggestions — low-severity items only, safe to merge


What was reviewed

  • package.json: Bumps @mendix/pluggable-widgets-tools 11.8.0 → 11.11.0; removes stale security overrides and patch reference
  • patches/@mendix__pluggable-widgets-tools.patch: Deleted — silenced SASS deprecation warnings and disabled collectCoverage; no longer needed in new PWT version
  • packages/pluggableWidgets/*/typings/*.d.ts (40 files): Auto-generated import reordering (alphabetical); purely cosmetic, no logic change

Skipped (out of scope): pnpm-lock.yaml


Findings

Low — Empty PR body

File: PR description
Note: The PR body is empty. A brief note explaining which PWT changes motivated this update (and why the security overrides are safe to remove) would help reviewers and preserve useful context in the git history.


Low — Security overrides removed without confirmation

File: package.json (removed override block)
Note: The following security-motivated overrides were deleted: decode-uri-component, json5@0.x, json5@1.x, loader-utils@1, loader-utils@3, minimatch@3. Before merging, confirm that PWT 11.11.0 bundles non-vulnerable versions of these packages, or that they are no longer transitively included. Running pnpm audit is a quick check.


Low — CI check status unknown

Note: CI check results were not available during this automated review. Please verify all checks pass (build, lint, unit tests) before merging, particularly given the Rollup 3 to 4 major version transition flowing through the updated PWT.


Positives

  • Deleting the local patch is the right call — patching upstream tooling is maintenance debt, and absorbing the SASS deprecation silence and collectCoverage fix into PWT proper is the correct long-term approach.
  • The Rollup 3 to 4 major version upgrade is absorbed entirely within PWT with no changes to individual widget configs — clean upgrade boundary.
  • Import reordering in generated typings/ files is consistently alphabetical across all 40 widgets, confirming the generator works correctly with the new PWT version.

@github-actions

github-actions Bot commented Jun 5, 2026

AI Code Review

⚠️ Approved with suggestions — low-severity items only, safe to merge


What was reviewed

  • package.json: Bumped @mendix/pluggable-widgets-tools from 11.8.0 → 11.11.0; removed stale pnpm.overrides entries (enzyme, jest, rollup, ts-node, etc.)
  • patches/@mendix__pluggable-widgets-tools.patch: Deleted — the two patches it contained (SASS legacy-JS-API silencing and collectCoverage comment-out) are no longer needed with 11.11.0
  • packages/pluggableWidgets/*/typings/*.d.ts (40+ files): Generated typings regenerated by the new tooling version — import order normalised, no logic changes
  • packages/pluggableWidgets/**/__snapshots__/*.snap (40+ files): Snapshot header URL updated from goo.gl/fbAQLP → jestjs.io/docs/snapshot-testing — cosmetic only
  • pnpm-lock.yaml: Lockfile updated to reflect new dependency resolutions

Skipped (out of scope): dist/, pnpm-lock.yaml (reviewed only the override-related diff sections above)


Findings

⚠️ Low — collectCoverage was silently disabled in the patch; confirm intent before deleting it

File: patches/@mendix__pluggable-widgets-tools.patch (deleted)
Note: The deleted patch commented out collectCoverage: !process.env.CI in test-config/jest.config.js. If 11.11.0 ships collectCoverage enabled again in CI, unit-test runs may become significantly slower. Verify the new default in 11.11.0's test-config/jest.config.js and confirm the team is happy with whatever the new behaviour is before merging.


⚠️ Low — Removed security-advisory overrides for packages that may still be transitive dependencies

File: package.json lines 69–81 (deleted block)
Note: Several overrides were removed that previously forced minimum safe versions of known-vulnerable packages (decode-uri-component, json5, loader-utils, minimatch). If any of these packages are still pulled in transitively by surviving dependencies, their vulnerability advisories re-open. It is worth running pnpm audit after merge to confirm no high/critical advisories resurface.


Positives

  • Removing the patch file is the right call — patching upstream tooling is fragile and 11.11.0 absorbing those fixes upstream is a clean upgrade path.
  • The generated-file changes (typings/, __snapshots__) are exactly what a tooling bump should produce — no hand-edited generated files.
  • Stale pnpm.overrides for packages no longer pulled transitively (enzyme, old rollup pin, ts-node pin) were pruned correctly, reducing override noise.
  • Snyk security checks are passing ✅, and the SHA-pinning workflow check is green ✅.

CI status at time of review: Build, Snyk, and label checks passed or are in progress; E2E matrix jobs are still running. Recommend waiting for all E2E jobs to complete before merging given the broad tooling change.
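Both reviews above raise the same question about the deleted pnpm.overrides block: do decode-uri-component, json5, loader-utils and minimatch still resolve transitively after the bump, and at which versions? The script below is an added example for this thread, not code from this repository or from @mendix/pluggable-widgets-tools. It scans the `packages:` section of a pnpm-lock.yaml for those package names and compares every resolved version against a per-major minimum. The package names are the ones the reviews list; the minimum versions and the lock-file excerpt are constructed for the example, so replace the floors with the fixed versions from the advisories each override was added for and point it at the repository's real lockfile.

```python
"""Cross-check packages whose pnpm.overrides entries were removed against the
versions that still resolve in pnpm-lock.yaml.

Added example for this review thread; not code from the repository or from
@mendix/pluggable-widgets-tools. Package names come from the review comments;
the floors and the lockfile excerpt are constructed for illustration.
"""
import re
import sys
from collections import defaultdict

# Packages the removed overrides used to pin, keyed by major version to a
# minimum acceptable version. CONSTRUCTED placeholders: substitute the fixed
# versions from the real advisories before relying on the result.
REMOVED_OVERRIDE_FLOORS = {
    "decode-uri-component": {0: "0.2.2"},
    "json5": {1: "1.0.2", 2: "2.2.2"},
    "loader-utils": {1: "1.4.2", 2: "2.0.4", 3: "3.2.1"},
    "minimatch": {3: "3.0.5"},
}

# Constructed excerpt in the shape of a pnpm lockfile `packages:` section.
CONSTRUCTED_LOCK = """\
lockfileVersion: '9.0'

packages:

  '@babel/core@7.24.0':
    resolution: {integrity: sha512-CONSTRUCTED}

  decode-uri-component@0.2.2:
    resolution: {integrity: sha512-CONSTRUCTED}

  json5@1.0.2:
    resolution: {integrity: sha512-CONSTRUCTED}

  json5@2.2.3:
    resolution: {integrity: sha512-CONSTRUCTED}

  loader-utils@1.4.2:
    resolution: {integrity: sha512-CONSTRUCTED}

  loader-utils@2.0.4:
    resolution: {integrity: sha512-CONSTRUCTED}

  minimatch@3.0.4:
    resolution: {integrity: sha512-CONSTRUCTED}

  minimatch@9.0.3:
    resolution: {integrity: sha512-CONSTRUCTED}
"""

# One package entry: two-space indent, optional quote, optional v6-style
# leading slash, optional @scope/, the name, '@', then a semver-like version.
# Peer-dependency suffixes such as "(webpack@5.0.0)" are left out of the match.
ENTRY_RE = re.compile(r"^  '?/?((?:@[^/'\s]+/)?[^@/'\s]+)@(\d+\.\d+\.\d+[^\s:(')]*)")


def version_key(version):
    """Numeric (major, minor, patch) tuple; pre-release tags are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def find_lock_versions(lock_text, names):
    """Map each watched package name to the sorted, de-duplicated versions that
    appear as package entries in the lockfile text."""
    found = defaultdict(set)
    for line in lock_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) in names:
            found[m.group(1)].add(m.group(2))
    return {name: sorted(vs, key=version_key) for name, vs in found.items()}


def check_removed_overrides(lock_text, floors=REMOVED_OVERRIDE_FLOORS):
    """Return (name, version, status) for every resolved version of a watched
    package: 'ok' at or above the floor for its major, 'below_floor' under it,
    'no_floor' when no floor is known for that major (needs a manual look)."""
    results = []
    for name, versions in find_lock_versions(lock_text, floors).items():
        for version in versions:
            major = version_key(version)[0]
            floor = floors[name].get(major)
            if floor is None:
                status = "no_floor"
            elif version_key(version) < version_key(floor):
                status = "below_floor"
            else:
                status = "ok"
            results.append((name, version, status))
    return results


if __name__ == "__main__":
    # Pass the path of the real pnpm-lock.yaml as the first argument; with no
    # argument the constructed excerpt above is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_LOCK
    for name, version, status in check_removed_overrides(text):
        print(f"{status:<12} {name}@{version}")
```

This only tells you which versions are still in the dependency graph and whether they clear a floor you supply; it does not know about advisories, so it complements rather than replaces the `pnpm audit` run both reviews recommend. The `no_floor` status is deliberate: a major version the old override never covered (minimatch 9.x in the excerpt) is reported rather than silently treated as safe.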
