misc: group napi crates in renovate; update

[tangowithfoxtrot]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/SM-1708

📔 Objective

This was originally a Renovate PR, but I wanted to see if we could group these dependencies together in our Renovate config so they didn't break every time they updated out-of-sync.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 9975fe6b-457e-4807-aa5a-426eab9925bb

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 15.35%. Comparing base (99d4330) to head (6223172).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1393      +/-   ##
==========================================
+ Coverage   15.34%   15.35%   +0.01%     
==========================================
  Files          21       21              
  Lines        1199     1198       -1     
==========================================
  Hits          184      184              
+ Misses       1015     1014       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude finished @tangowithfoxtrot's task —— View job

---

Code Review Complete

Tasks

• Analyze PR changes with bitwarden-code-reviewer
• Review security implications of NAPI crate updates
• Verify renovate configuration changes
• Check binding file changes for correctness
• Provide comprehensive review feedback

---

Code Review: Update NAPI Packages

Overall Assessment: 👍 APPROVE

Reviewed dependency updates from napi v2 to v3, renovate configuration changes, and auto-generated binding files across 7 files.

---

Summary

This PR performs a major version upgrade of the NAPI ecosystem from v2 to v3, updating:

• Rust crates: napi (2.16.17 → 3.6.1), napi-derive (2.16.13 → 3.4.0), napi-build (updated to 2.3.1)
• NPM package: @napi-rs/cli (2.18.4 → 3.0.0)
• Renovate config: Groups NAPI dependencies for coordinated updates
• Generated files: Updated binding.js (593 lines), binding.d.ts, and package-lock.json

The changes are primarily automated code generation from the NAPI toolchain with no manual Rust source modifications, indicating a clean upgrade path.

---

Detailed Analysis

1. Security & Dependency Updates

Renovate Configuration (.github/renovate.json):

• 👍 The new grouping rule correctly matches both Cargo and npm NAPI packages, ensuring coordinated updates across the polyglot ecosystem
• 👍 Includes all relevant NAPI packages: napi, napi-derive, napi-build, napi-derive-backend, napi-sys, @napi-rs/cli
• 👍 Does not restrict update types, allowing major/minor/patch updates to be grouped (appropriate for tightly coupled ecosystem)

Dependency Versions:

• Major version jumps (2.x → 3.x) are substantial but expected for NAPI's evolution
• No new transitive dependencies introduce obvious security concerns
• All dependencies come from official napi-rs organization

2. Breaking Changes Assessment

TypeScript Definitions (crates/bitwarden-napi/binding.d.ts):

• 👍 API surface remains identical - BitwardenClient constructor and runCommand method unchanged
• 👍 LogLevel enum values unchanged (Trace=0, Debug=1, Info=2, Warn=3, Error=4)
• Cosmetic changes only: reordering of declarations, removal of tslint:disable, adding @ts-nocheck

Module Loading (crates/bitwarden-napi/binding.js):

• 👍 Enhanced error handling - collects all load errors instead of failing on first error
• 👍 Better musl detection with multiple fallback strategies
• 👍 Added support for OpenHarmony platform and s390x architecture
• 👍 Improved error messages with npm bug reference (issue 4828)
• 👍 Introduces NAPI_RS_NATIVE_LIBRARY_PATH environment variable for custom native library paths
• 👍 Module exports remain backward compatible: module.exports.BitwardenClient and module.exports.LogLevel preserved

No Rust Source Changes:

• src/lib.rs and src/client.rs unchanged - confirms this is purely a tooling upgrade
• Build script (build.rs) unchanged - same napi_build::setup() call works with v3

3. Generated Code Quality

The 593-line change in binding.js represents improved code generation:

• More robust platform detection
• Better error aggregation
• Cleaner separation of concerns (multiple detection functions)
• Modern Node.js APIs (node:fs, node:module prefixes)

4. Potential Issues

Minor Observations (not blocking):

1. 📝 package-lock.json growth: +1994 lines represents significant dependency tree expansion. This is expected with major version updates but should be monitored for build time impact.

2. ℹ️ No version constraint: The renovate rule doesn't specify matchUpdateTypes, meaning major updates will be auto-grouped. This is intentional (as seen in the pyo3 rule which explicitly sets minor, patch), but means NAPI v4 updates will also auto-group when released.

3. 🤔 Missing test verification: No test files modified or test runs shown, though the clean Rust code (no source changes) suggests compatibility.

5. Code Quality & Best Practices

Good Practices Observed:

• Proper commit message convention: chore:, misc:, fix: prefixes
• Logical commit sequence: (1) group packages, (2) update crates, (3) update bindings, (4) group npm deps, (5) format
• Separated concerns: renovate config separate from dependency updates
• Auto-generated code properly flagged with comments

---

Verification Recommendations

While the CI checks have passed, the development team should verify:

1. Build verification: npm run build --prefix crates/bitwarden-napi succeeds on all target platforms
2. Runtime compatibility: Existing Node.js integrations continue working without changes
3. Cross-platform: Test on Linux (glibc + musl), macOS (x64 + arm64), and Windows
4. CI/CD: Ensure release workflows handle new binding structure

---

Conclusion

This is a well-executed dependency update with:

• No breaking API changes
• Improved error handling and platform support
• Proper dependency grouping for future maintenance
• Clean separation of generated code from source

The changes follow NAPI-RS best practices and maintain backward compatibility while modernizing the toolchain.

---