fix(deps): refresh dependencies + clear esbuild CVE (GHSA-g7r4-m6w7-qqqr)#230
Merged
Consolidated dependency refresh. Branch protection on main is strict + linear-history + squash-only, so 5 separate Dependabot merges would cascade pnpm-lock.yaml rebases; folding them into one validated branch avoids that and lets the 5 Dependabot PRs (#210-214) close as superseded.

Security:
- Pin esbuild >=0.27.3 <0.28.1 -> 0.28.1 (first patched release) to clear GHSA-g7r4-m6w7-qqqr (LOW, dev-server path traversal, Windows). Dependabot could not auto-fix: astro pins esbuild@^0.27.3 and never widens it (security_update_not_possible). Follows the existing devalue override pattern in pnpm-workspace.yaml.

Bumps (none breaking):
- astro 6.4.4->6.4.6, @astrojs/starlight 0.39.3->0.40.0, starlight-page-actions 0.6.0->0.6.1, starlight-links-validator 0.24.0->0.24.1 (the 4 docs/starlight bumps + the 2 below cover all 5 open Dependabot PRs)
- @aws-sdk/client-bedrock-runtime + client-sagemaker-runtime 3.1064.0->3.1068.0
- @biomejs/biome 2.4.16->2.5.0 (ran 'biome migrate': recommended->preset, schema 2.5.0), @ladybugdb/core 0.16.1->0.17.1, piscina 5.1.4->5.2.0, sharp 0.34.5->0.35.1, @types/node 25.9.2->25.9.3, commitizen 4.3.1->4.3.2

Held (require Node 24; repo is Node 22 + engine-strict):
- license-checker-rseidelsohn 4->5 (needs node>=24; would break the required licenses gate's install)
- write-file-atomic 7->8 (narrows node floor below repo engines >=22.12.0, no benefit)

Validated: build, lint, typecheck (CI-mirror), 19-package test suite (0 fail), banned-strings, license allowlist, OSV (no issues), and the astro docs build (64 pages, links valid) all pass.
theagenticguy added a commit that referenced this pull request (Jun 13, 2026):
…c@8) + fix snyk phantom debug dep (#232)

## Summary

Lifts the Node baseline to **24** and applies the two major dependency bumps that were held back in #230 solely because they require Node ≥ 24. Also addresses the `snyk-nodejs-lockfile-parser` phantom `debug` dependency surfaced by the Node 24 global-install smoke test.

**BREAKING:** minimum Node is now **24.15.0** (was 22.12.0). Node 22 is dropped. `24.15.0` is the floor where both majors below install under `engine-strict=true`.

## Node 24 baseline

- `engines.node` `>=22.12.0` → `>=24.15.0` across the root + all 18 packages
- `mise.toml` node pin `22` → `24`; `.nvmrc` / `.node-version` `22` → `24`
- `ci.yml`: both test matrices drop Node 22 (now `[24]`)
- `verify-global-install.yml`: the six Node-22 legs flip to 24 (dropping the now-duplicate `linux-x64-node24-mise`), keeping every installer × OS × arch combo (mise/nvm/homebrew/volta across linux x64/arm64, macOS arm64/x64)
- `README`: "Node 22 or 24" → "Node 24+"

## Held majors (unblocked by Node 24)

| Package | From | To | Notes |
|---|---|---|---|
| license-checker-rseidelsohn | 4.4.2 | 5.0.1 | needs `node>=24`; powers the required `licenses` gate |
| write-file-atomic | 7.0.1 | 8.0.0 | runtime dep in cli, ingestion, analysis, wiki |

**License allowlist update (required by lcr@5):** v5 walks the tree via `@npmcli/arborist` and reports raw SPDX expressions instead of normalizing them, so it surfaces permissive licenses v4 hid. Added to all four callers (`ci.yml`, `pre-release-gate.yml`, `scripts/acceptance.sh`, `mise.toml`):

- `Python-2.0` — argparse (via js-yaml); PSF, OSI-approved permissive
- `CC-BY-3.0` — spdx-exceptions (a data package, not code)
- `MIT OR Apache-2.0`, `(Apache-2.0 AND MIT)`, `(BSD-3-Clause AND Apache-2.0)`, `(BSD-2-Clause OR MIT OR Apache-2.0)`, `(MIT OR CC0-1.0)` — compound expressions of already-allowed licenses

## snyk phantom `debug` dependency

`snyk-nodejs-lockfile-parser@2.8.0` does `require("debug")` without declaring it — it relied on npm's flat hoisting. Added a pnpm `packageExtensions` entry injecting `debug@4.4.3` into snyk's deps, which fixes resolution for `pnpm install` (the dev workspace + anyone installing from our lockfile + CI).

**Honest scope note:** a bare `pnpm add -g <tarball>` global install still can't see it — global installs don't read workspace `packageExtensions`, and bundling snyk into the dist isn't viable (it does a dynamic `require("fs")` that breaks ESM bundling). The **documented and CI-tested global path is `npm install -g`**, which flat-hoists `debug` and works end-to-end. I verified `codehub analyze` of an external repo via `npm install -g` on Node 24 (7040 nodes, 17841 edges, clean).

## Validation (Node 24.16.0, mirrors required CI)

| Gate | Result |
|---|---|
| frozen-lockfile install | ✅ no drift |
| build (all packages) | ✅ |
| lint (biome 2.5.0) | ✅ |
| typecheck (CI-mirror) | ✅ |
| test (19 packages) | ✅ 2169 tests, 0 fail |
| banned-strings | ✅ |
| license allowlist (lcr@5) | ✅ |
| OSV scan | ✅ |
| pack determinism | ✅ |
| `npm install -g` → `codehub analyze` | ✅ external repo, end-to-end |

🤖 Generated with [Bonk](https://github.com/theagenticguy/opencodehub) — OpenCodeHub maintenance
theagenticguy pushed a commit that referenced this pull request (Jun 13, 2026):
🤖 Automated release via release-please

---

<details><summary>root: 0.9.0</summary>

## [0.9.0](root-v0.8.6...root-v0.9.0) (2026-06-13)

### ⚠ BREAKING CHANGES

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232))

### Bug Fixes

* **deps:** refresh dependencies + clear esbuild CVE (GHSA-g7r4-m6w7-qqqr) ([#230](#230)) ([75b687f](75b687f))

### Chores

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232)) ([93c90e9](93c90e9))

</details>

<details><summary>cli: 0.9.0</summary>

## [0.9.0](cli-v0.8.6...cli-v0.9.0) (2026-06-13)

### ⚠ BREAKING CHANGES

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232))

### Bug Fixes

* **deps:** refresh dependencies + clear esbuild CVE (GHSA-g7r4-m6w7-qqqr) ([#230](#230)) ([75b687f](75b687f))

### Chores

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232)) ([93c90e9](93c90e9))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## Summary
Consolidated dependency refresh that clears the open esbuild CVE and folds in all 5 open Dependabot PRs (#210–#214) plus the remaining outdated minors/patches.
Why one branch instead of merging the 5 Dependabot PRs: branch protection on `main` is strict + linear-history + squash-only. Merging the 5 PRs one at a time forces each survivor to rebase against a changed `pnpm-lock.yaml` and re-run the full CI matrix — a 5-cycle cascade. Folding them into one validated branch is a single CI cycle; the Dependabot PRs then close as superseded.

## Security

- esbuild override (`>=0.27.3 <0.28.1` → `0.28.1`) — clears GHSA-g7r4-m6w7-qqqr (LOW, dev-server path traversal via `\` on Windows). Dependabot could not auto-fix this: `astro` pins `esbuild@^0.27.3` and never widens it, so the security update returned `security_update_not_possible`. Override follows the existing `devalue` security-override pattern in `pnpm-workspace.yaml`. OSV scan after the bump: no issues.

## Bumps (none breaking)
- astro 6.4.4 → 6.4.6, @astrojs/starlight 0.39.3 → 0.40.0, starlight-page-actions 0.6.0 → 0.6.1, starlight-links-validator 0.24.0 → 0.24.1 (the 4 docs/starlight bumps + the 2 below cover all 5 open Dependabot PRs)
- @aws-sdk/client-bedrock-runtime + client-sagemaker-runtime 3.1064.0 → 3.1068.0
- @biomejs/biome 2.4.16 → 2.5.0, @ladybugdb/core 0.16.1 → 0.17.1, piscina 5.1.4 → 5.2.0, sharp 0.34.5 → 0.35.1, @types/node 25.9.2 → 25.9.3, commitizen 4.3.1 → 4.3.2

Ran `biome migrate` for the 2.5.0 bump: `recommended: true` → `preset: "recommended"`, schema → 2.5.0.

## Held — both require Node 24; repo is Node 22 + `engine-strict=true`

- license-checker-rseidelsohn 4 → 5: needs `node >=24`. Powers the required `licenses` CI gate, which runs on Node 22 → install would fail. Hard blocker until the repo baselines to Node 24.
- write-file-atomic 7 → 8: requires node `^22.22.2`, conflicting with the declared `engines.node: >=22.12.0`; no functional or security benefit.

## Validation (local, mirrors required CI checks)

## After merge
Close #210–#214 as superseded (the squash commit folds them all in). The esbuild override resolves itself when astro widens its esbuild range (likely 6.5+); revisit then.
🤖 Generated with Bonk — OpenCodeHub nightly maintenance
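The two pnpm mechanisms the PR and commit #232 rely on (a version override that forces a transitive esbuild onto the patched release, and a `packageExtensions` entry that declares snyk's undeclared `debug` dependency) look like this in a `pnpm-workspace.yaml`. This is an added illustration, not the project's own file: the selector spellings and the versions are taken from the text above and should be checked against the real workspace file before reuse.

```yaml
# Added illustration of the pnpm-workspace.yaml patterns described in
# #230 and #232; not the project's actual file. Versions and selectors
# are assumed from the PR text.

# Security override (#230): every consumer that resolves esbuild inside the
# affected range is forced onto the first patched release, even though astro
# itself still declares esbuild@^0.27.3 and Dependabot could not bump it.
# The selector form "<pkg>@<range>" scopes the override to the vulnerable
# range only, so a future astro that already asks for >=0.28.1 is untouched.
overrides:
  "esbuild@>=0.27.3 <0.28.1": 0.28.1

# Phantom-dependency fix (#232): snyk-nodejs-lockfile-parser does
# require("debug") without listing it, which only worked under npm's flat
# hoisting. pnpm's strict node_modules layout refuses to resolve undeclared
# imports, so the edge is declared explicitly here. Per the commit message
# this is honoured by `pnpm install` in the workspace and CI, but not by a
# global `pnpm add -g <tarball>`, which never reads workspace settings.
packageExtensions:
  "snyk-nodejs-lockfile-parser@2.8.0":
    dependencies:
      debug: 4.4.3
```

After `pnpm install`, `pnpm why esbuild` should list only `0.28.1` under every dependant; if an older version still appears, the override selector is not matching the range that dependant declares.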