Skip to content

Chore(deps-dev): Bump the npm-root group with 9 updates#237

Open
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/npm_and_yarn/npm-root-dd79dbcc37
Open

Chore(deps-dev): Bump the npm-root group with 9 updates#237
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/npm_and_yarn/npm-root-dd79dbcc37

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Note

This branch carries two follow-up commits on top of the dependabot bump so the upgrade lands cleanly. Details below; the original dependabot summary is preserved further down.

Additional changes in this branch

The raw bump was not mergeable as-is: jscpd v4 → v5 is a full Rust rewrite with breaking changes that break our duplication tooling and would red the CI jscpd-regression jobs. Two commits address that.

fix(tooling): make jscpd runners v5-compatible and exclude Effort/Scripts50a101c3

  • Entry path moved. v5 dropped node_modules/jscpd/bin/jscpd (entry is now run-jscpd.js). All three runners hardcoded the old path, so npm run audit:dupes and both CI jscpd-regression jobs would fail. Added scripts/lib/jscpd-entry.js to resolve the CLI from the package manifest (version-agnostic).
  • Clone-report format changed. v5 emits scan-dir-relative paths with a :html/:typescript suffix on Vue SFC blocks. Fixed the pre-commit clone filter in scripts/lint-staged-jscpd.js, which was otherwise silently matching nothing, plus a guard against malformed entries.
  • Scope exclusion. .jscpd.json now ignores web/Areas/Effort/Scripts/** (one-off DB migration/deploy scripts), dropping C# clones from 88 to 60 signal.
  • Lint config. .oxlintrc.json disables no-implicit-globals and node/no-sync for scripts/** (both false-positives for CommonJS build scripts; the alternative .cjs migration was deemed out of scope for a dependency bump).

fix(deps): patch brace-expansion and js-yaml DoS advisoriese2347303

npm audit fix for two moderate, transitive, dev-only advisories surfaced during review:

Lockfile-only; npm audit now reports 0 vulnerabilities.

Reviewer notes

  • All 9 bumps passed a supply-chain review: 7-day age gate (9-26 days), no install hooks, native binaries delivered via optionalDependencies, no direct advisories. jscpd is the only bump needing code adaptation, handled here.
  • Verified end-to-end: npm run audit:dupes (vue 53 / csharp 60 clones), the CI regression --save/--check round-trip (+0 delta), and the full pre-commit gate (build + lint + tests + verify:build) all pass.

Original dependabot summary below.

Bumps the npm-root group with 9 updates:

Package From To
@double-great/stylelint-a11y 3.4.14 3.4.15
eslint 10.4.0 10.5.0
eslint-plugin-security 4.0.0 4.0.1
fallow 2.101.0 2.102.0
jscpd 4.2.4 5.0.10
oxfmt 0.52.0 0.56.0
oxlint 1.67.0 1.71.0
stylelint 17.12.0 17.13.0
yauzl 3.3.1 3.4.0

Updates @double-great/stylelint-a11y from 3.4.14 to 3.4.15

Release notes

Sourced from @​double-great/stylelint-a11y's releases.

v3.4.15

What's Changed

Full Changelog: double-great/stylelint-a11y@v3.4.14...v3.4.15

Commits

Updates eslint from 10.4.0 to 10.5.0

Release notes

Sourced from eslint's releases.

v10.5.0

Features

  • 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)
  • b565783 feat: report no-with violations at the with keyword (#20971) (Pixel998)
  • 2ce032f feat: report max-lines-per-function violations at function head (#20966) (Pixel998)
  • 732cb3e feat: report max-nested-callbacks violations at function head (#20967) (Pixel998)
  • f9c138a feat: report max-depth violations on keywords (#20943) (Pixel998)
  • bdb496c feat: correct max-depth handling for else-if chains (#20944) (Pixel998)
  • c296873 feat: update error loc in max-statements to function header (#20907) (Taejin Kim)

Documentation

  • 8ae1b5b docs: Update README (GitHub Actions Bot)
  • ca7eb90 docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)
  • f99b47a docs: Update README (GitHub Actions Bot)
  • acf03d4 docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)

Chores

  • b18bf58 chore: update ecosystem plugins (#20959) (ESLint Bot)
  • c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)
  • 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)
  • 217b2a9 test: add unit tests for ParserService (#20949) (Taejin Kim)
  • 72003e7 test: add location information to error messages in max-statements (#20945) (lumir)
  • 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)
  • 67c46fa chore: update ecosystem plugins (#20938) (ESLint Bot)
  • 95d8c7a chore: update dependency @​eslint/json to v2 (#20934) (renovate[bot])
  • cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)
  • fb6d396 test: run type tests with TypeScript 7 (#20868) (sethamus)

v10.4.1

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

  • b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
  • f78838b test: add CodePath type coverage (#20904) (Pixel998)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
  • 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
  • 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)

... (truncated)

Commits

Updates eslint-plugin-security from 4.0.0 to 4.0.1

Release notes

Sourced from eslint-plugin-security's releases.

eslint-plugin-security: v4.0.1

4.0.1 (2026-06-12)

Bug Fixes

  • treat import.meta.dirname and import.meta.filename as static (#200) (74c97bb)
Changelog

Sourced from eslint-plugin-security's changelog.

4.0.1 (2026-06-12)

Bug Fixes

  • treat import.meta.dirname and import.meta.filename as static (#200) (74c97bb)
Commits
  • cb8645c chore: release 4.0.1 🚀 (#204)
  • 74c97bb fix: treat import.meta.dirname and import.meta.filename as static (#200)
  • 0b45f82 chore(deps-dev): bump shell-quote from 1.7.4 to 1.8.4 (#202)
  • 954149a chore(deps-dev): bump handlebars from 4.7.7 to 4.7.9 (#198)
  • d5012b6 chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 (#197)
  • b53d8b4 chore(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#196)
  • 7876750 chore(deps): bump minimatch (#194)
  • See full diff in compare view

Updates fallow from 2.101.0 to 2.102.0

Release notes

Sourced from fallow's releases.

v2.102.0: code review brief, decision surface, and symbol-level trace

Code review for changed code

This release adds a toolkit for reviewing changed code, designed for both human reviewers and AI agents.

Review brief (fallow review, or fallow audit --brief)

A new advisory orientation mode over changed code. It runs the same dead-code + complexity + duplication analysis as fallow audit but answers "where do I look?" instead of "will CI block this?": it ALWAYS exits 0 (the verdict is carried informationally), so a reviewer or agent can read it regardless of the gate outcome. The brief renders a ranked decision surface, a weighted focus map, and change-impact context. --format is orthogonal to --brief.

Decision surface (fallow decision-surface and the decision_surface MCP tool)

Surfaces the consequential structural decisions a change embeds: a ranked, capped (3 to 5) set of coupling/boundary, public-API/contract, and dependency decisions, each framed as a judgment question with the routed expert to ask. Each decision carries an honest count of how many internal consumers it affects plus an explicit trade-off clause, so the reader sees the cost as well as the call. It is separable and cheap, advisory (always exits 0), and every decision is suppressible with // fallow-ignore. Use --base / --changed-since to pick the comparison point, exactly like fallow audit.

Symbol-level call chains (fallow trace <FILE:SYMBOL>)

Walks callers up (modules that import the symbol) and callees down (import-symbol edges plus intra-module call sites) through the module graph, bounded by --depth (default 2). Use --callers / --callees to scope the direction; both are walked by default. Best-effort and syntactic per ADR-001: resolved-vs-unresolved callees are reported honestly, never silently dropped.

fallow trace src/utils.ts:formatDate

Agent-contract walkthrough loop

For agents that review changed code, fallow audit --walkthrough-guide emits a deterministic digest (the brief, the decision surface, the review direction, the JSON schema the agent must return, and a graph-snapshot hash) built from the graph only, so PR prose is never folded in and the digest is injection-resistant. The agent produces judgment JSON and reopens with --walkthrough-file, which post-validates it against the LIVE graph: it rejects any judgment whose signal_id fallow did not emit (anti-hallucination) and refuses the whole payload as stale when the snapshot hash no longer matches. The verifier is the graph, not a second model. Both flags always exit 0.

A weighted focus map ranks changed units by review weight and collapses the de-prioritized tail by default; --show-deprioritized re-expands it (the deprioritized list is always present in --format json).

Framework health

  • Astro framework-health detection. .astro components now participate in the same health suite as Vue/Svelte/Angular/React: a reachable component rendered in no template surfaces as unrendered-component, an interface Props field read nowhere surfaces as unused-component-prop, and fallow health now scores .astro complexity. A zero-false-positive abstain ladder protects public surfaces. No new rules or severities.
  • Lit / web-component framework-health detection. A custom element registered via @customElement / customElements.define but rendered as a tag in no html template surfaces as unrendered-component, and a @state() reactive property read nowhere surfaces as unused-class-member. @property (the public attribute API) is never flagged. Gated on a lit / lit-element / @lit/reactive-element dependency.
  • Deeper React prop coverage for unused-component-prop. The React arm now harvests props from same-file typed interfaces and generic forwardRef components, not only inline destructure, while still abstaining on imported prop interfaces and exported public-API components.

Editor

  • React component intelligence. The LSP surfaces ambient React/Preact context with no new rule, finding, or severity. A code lens above each component summarizes render count, props, and hooks; a per-prop hover shows where a prop is read and passed from; a forwarded prop shows its forwarding chain. Editor-only context: fallow / audit / --format json output is unchanged.
  • VS Code: clearer tree badges, hardened health spawn, and de-duplicated diagnostics.

Security

  • LLM-call prompt-injection candidate. A new llm-call-injection category (CWE-1427) in the fallow security tainted-sink catalogue. It fires only when an untrusted source flows into the prompt/messages argument of a known LLM-call sink (a taint path into the call, not every LLM call). Like all fallow security output it is a candidate for verification, not a verified vulnerability, and never appears under bare fallow or the audit gate.

Fixed

  • Merged namespace values imported through star barrels are no longer falsely reported as unused. A value export sharing its name with an export declare namespace and consumed through export * now receives the same named-import credit as a direct import. Thanks @​TeoVezza95 for the report. (#1373)
  • VS Code now resolves the native fallow binary from platform packages when the binary is reached through a .cmd / .ps1 launcher shim on PATH, so LSP-backed diagnostics start reliably. Thanks @​ivan-palatov for the report. (#1359)
  • TanStack Router: custom routeFileIgnorePrefix is honored, so files using a configured ignore prefix are no longer flagged as dead code. Thanks @​Spiralis for the report. (#1358)
  • fallow audit base-snapshot worktree paths are unique per call, so concurrent audit runs no longer collide.
  • More precise telemetry failure classification when telemetry is enabled.
  • Vendored GitLab CI now bundles gitlab_common.sh, so fallow ci-template gitlab --vendor pipelines run without reaching out to raw.githubusercontent.com.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.102.0] - 2026-06-23

Added

  • Code review brief (fallow review, or fallow audit --brief). A new advisory orientation mode over changed code. It runs the same dead-code + complexity + duplication analysis as fallow audit but answers "where do I look?" instead of "will CI block this?": it ALWAYS exits 0 (the verdict is carried informationally), so a reviewer or agent can read it regardless of the gate outcome. The brief renders a ranked decision surface, a weighted focus map, and change-impact context. --format is orthogonal to --brief. fallow review is an alias for fallow audit --brief.

  • fallow decision-surface command and decision_surface MCP tool. Surfaces the consequential structural decisions a change embeds (the apex of the review brief): a ranked, capped (3-5) set of coupling/boundary, public-API/contract, and dependency decisions, each framed as a judgment question with the routed expert to ask. Each decision carries an honest count of how many internal consumers it affects plus an explicit trade-off clause, so the reader sees the cost as well as the call. Separable and cheap, advisory (always exits 0), and every decision is suppressible with // fallow-ignore. Use --base / --changed-since to pick the comparison point, exactly like fallow audit.

  • fallow trace <FILE:SYMBOL> symbol-level call chains. Walks callers UP (modules that import the symbol) and callees DOWN (import-symbol edges plus intra-module call sites) through the module graph, bounded by --depth (default 2). --callers / --callees scope the direction; both are walked by default. Best-effort and syntactic per ADR-001: resolved-vs-unresolved callees are reported honestly, never silently dropped. It is its own surface, never folded into the ranked review brief.

  • Agent-contract walkthrough loop (--walkthrough-guide / --walkthrough-file). --walkthrough-guide emits a deterministic digest (the brief, the decision surface, the review direction, the JSON schema the agent must return, and a graph-snapshot hash) built from the graph only, so PR prose is never folded in and the digest is injection-resistant. --walkthrough-file ingests an agent's judgment JSON and post-validates it against the LIVE graph: it rejects any judgment whose signal_id fallow did not emit (anti-hallucination) and refuses the whole payload as stale when the echoed graph-snapshot hash no longer matches. The verifier is the graph, not a second model. Both imply the brief and always exit 0.

  • Weighted focus map with a de-prioritized escape hatch. The review brief ranks changed units by review weight and collapses the de-prioritized tail by default; --show-deprioritized re-expands the human render. The deprioritized list is always present in --format json regardless of the flag.

  • LLM-call prompt-injection candidate (fallow security). A new llm-call-injection category (CWE-1427) in the tainted-sink catalogue. It fires only when an untrusted source flows into the prompt/messages argument of a known LLM-call sink (a taint PATH into the call, not every LLM call), pinned to the distinctive LLM SDK call shapes. Like all fallow security output it is a CANDIDATE for verification, not a verified vulnerability, and never appears under bare fallow or the audit gate.

... (truncated)

Commits
  • 8a83dc0 chore: release v2.102.0
  • b5e53b5 fix(dead-code): credit merged namespace star re-export values
  • e890fbe chore(deps): bump napi from 3.9.0 to 3.9.2 (#1381)
  • 2238983 chore(deps): bump insta from 1.47.2 to 1.48.0 (#1380)
  • 4059812 chore(deps-dev): bump oxfmt from 0.54.0 to 0.55.0 (#1378)
  • 01e2813 chore(deps): bump rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5 (#1375)
  • eb55b34 chore(deps-dev): bump @​tanstack/intent in /npm/fallow (#1376)
  • 7b8c570 chore(deps-dev): bump oxlint from 1.69.0 to 1.70.0 (#1377)
  • e585f05 refactor(review-app): namespace persisted state under fallow-review instead o...
  • 0ffd4ca test(unused-members): cover issue-844 typed-instance crediting at monorepo pa...
  • Additional commits viewable in compare view

Updates jscpd from 4.2.4 to 5.0.10

Release notes

Sourced from jscpd's releases.

Release v5.0.10

cpd (Rust) v5.0.10

Bug Fixes

  • Emit scan-root-relative paths in all reporters when absolute: false (or the default). Previously, jscpd /abs/path from a different CWD left absolute paths in SARIF/JSON/XML/HTML/CSV/Markdown/console output, and Windows/macOS path canonicalization could leave \\?\ or ./ prefixes. Paths are now normalized against the canonicalized scan root (with CWD fallback) and stripped of any leading ./ or .\\ component. Fixes #827
  • Fix --skip-local to match jscpd v4 TypeScript semantics: it now filters clones where both fragments are under the same scan root, instead of only skipping clones in the same parent directory

Refactoring

  • DRY duplication in reporters: extract shared helpers (print_clone_header, print_clone_locations, print_snippet, write_report_file, report statistics, test fixtures, etc.) into cpd-reporter/src/shared.rs. Console, console-full, CSV, JSON, HTML, Markdown, silent, XML, and SARIF reporters now reuse the same implementation, reducing the monorepo's reported duplication ratio from 5.0% to 0.56% and fixing a latent --absolute path relativization bug in the same pass
  • Move blame enrichment from gitoxide to git blame --porcelain; capture elapsed time after blame so timing includes blame work
  • Resolve needless_borrow clippy warnings in CSV and Markdown reporters

Documentation

  • Add Nix and Homebrew install instructions to Rust READMEs. #818
  • Update project homepage URLs to https://jscpd.dev in all Cargo.toml and npm package.json files, add curl install method to READMEs, clean up outdated badges
  • Remove defunct Universal Analytics tracking pixels from all READMEs

Published Packages

  • cpd-core@0.1.5 on crates.io
  • cpd-finder@0.1.8 on crates.io
  • cpd-reporter@0.1.7 on crates.io
  • cpd-tokenizer@0.1.6 on crates.io
  • jscpd@5.0.10 on crates.io
  • cpd@5.0.10 on npm
  • jscpd@5.0.10 on npm
  • cpd-darwin-arm64@5.0.10 on npm
  • cpd-darwin-x64@5.0.10 on npm
  • cpd-linux-x64-gnu@5.0.10 on npm
  • cpd-linux-arm64-gnu@5.0.10 on npm
  • cpd-linux-x64-musl@5.0.10 on npm
  • cpd-windows-x64-msvc@5.0.10 on npm

Install

npm install -g cpd
# or
npm install -g jscpd
# or
cargo install jscpd

v5.0.9

New Features

  • GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5

... (truncated)

Changelog

Sourced from jscpd's changelog.

5.0.10

Bug Fixes

  • Emit scan-root-relative paths in all reporters when absolute: false. Fixes #827
  • Fix --skip-local to match jscpd v4 TypeScript semantics

Refactoring

  • DRY duplication in reporters: extract shared helpers into cpd-reporter/src/shared.rs
  • Move blame enrichment from gitoxide to git blame --porcelain

5.0.9

New Features

  • GitHub Action for jscpd (Rust v5) — jscpd-copy-paste-detector action for GitHub Actions Marketplace. Scan your repo for copy/paste in CI with uses: kucherenko/jscpd/.github/workflows/action.yml@v5

Bug Fixes

  • Resolve platform binary resolution when cpd is installed as a nested dependency (e.g. in a project's node_modules via a parent package). The runner now correctly locates the platform-specific binary relative to the installed package rather than assuming a top-level install. Fixes #816

5.0.8

Bug Fixes

  • Prevent mmap exhaustion crashes when scanning repositories with more files than vm.max_map_count (default 131 072 on Linux). The walker previously held a live Mmap per discovered file; each rayon worker now opens and drops its mapping within the processing closure, capping concurrent mappings to the thread-pool size (typically 8–32). Fixes #813
  • Fix --pattern not matching relative paths when the scan root is absolute (e.g. CWD). Patterns like src/**/*.ts now match correctly by comparing against both the relative path and the full absolute path, and bare patterns like *.ts gain a **/ prefix to match at any depth. Fixes #811
  • Fix trailing-newline off-by-one in line-count filter: files not ending with \n now count the final line correctly

5.0.7

Bug Fixes

  • Prevent stack overflow when scanning directories containing deeply-nested JS/TS files (e.g. Bun's test/bundler with 320K+ nested for-loops). OXC's recursive-descent parser allocates one stack frame per AST nesting level; pathological inputs now exceed the default 8 MiB thread stack. Fixed by building a local rayon ThreadPool with 64 MiB stacks instead of using the global pool (which silently fails on re-init)
  • Default --max-size to 1mb — files exceeding the limit are skipped at walk time, consistent with jscpd v4's maxSize behavior. This prevents OXC from ever seeing megabyte-scale generated files that would overflow the stack
  • --workers N now correctly takes effect on every run() call (previously build_global() silently no-op'd after the first invocation)

5.0.6

New Features

... (truncated)

Commits

Updates oxfmt from 0.52.0 to 0.56.0

Changelog

Sourced from oxfmt's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

[0.55.0] - 2026-06-15

🚀 Features

  • 9a2788b linter/unicorn: Implement prefer-export-from rule (#22935) (AliceLanniste)

[0.54.0] - 2026-06-08

📚 Documentation

  • dadafe3 oxlint, oxfmt: Mention migrate skills in npm READMEs (#22965) (Boshen)
  • f88961a oxfmt: Annotate each config option with supported languages (#22953) (leaysgur)
Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • aa79b5b release(apps): oxlint v1.70.0 && oxfmt v0.55.0 (#23442)
  • 9a2788b feat(linter/unicorn): implement prefer-export-from rule (#22935)
  • 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
  • dadafe3 docs(oxlint, oxfmt): mention migrate skills in npm READMEs (#22965)
  • f88961a docs(oxfmt): annotate each config option with supported languages (#22953)
  • 964a758 release(apps): oxlint v1.68.0 && oxfmt v0.53.0 (#22883)
  • See full diff in compare view

Updates oxlint from 1.67.0 to 1.71.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.71.0] - 2026-06-22

🚀 Features

  • 0dc2405 linter: Add schema for eslint/no-restricted-properties (#23619) (Sysix)
  • b638d0e linter: Add schema for node/callback-return (#23615) (Sysix)
  • eb8bedc linter: Add schema for import/extensions (#23557) (WaterWhisperer)
  • 46f3625 linter: Implement node/no-sync rule (#23589) (fujitani sora)
  • b01739a linter: Add schema for unicorn/numeric-separators-style (#23554) (Mikhail Baev)
  • 68afd2a linter/node: Implement no-mixed-requires rule (#23539) (fujitani sora)
  • a421215 linter: Add schema for eslint/prefer-destructuring (#23410) (WaterWhisperer)
  • 84438be linter/jsdoc: Added missing options to require-param-description (#23416) (kapobajza)
  • 51910df linter/jsdoc: Add missing options to require-param-type rule (#23418) (kapobajza)
  • e90925f linter/unicorn: Implement prefer-number-coercion rule (#23497) (Shekhu☺️)
  • dd1c866 linter/vue: Implement no-async-in-computed-properties rule (#23493) (bab)
  • b02444e linter: Add schema for react/jsx-no-script-url (#23475) (WaterWhisperer)
  • a8dce46 linter/unicorn: Implement max-nested-calls rule (#23461) (arieleli01212)

🐛 Bug Fixes

  • a303c23 linter/jsx-a11y: Align anchor-is-valid config with upstream (#23446) (camc314)

📚 Documentation

  • b50bf4d linter: Remove manually written options doc for eslint/arrow-body-style (#23490) (Mikhail Baev)

[1.70.0] - 2026-06-15

🚀 Features

  • 2e8bda4 linter/vue: Implement no-dupe-keys rule (#23350) (bab)
  • 1490a0a linter/react: Implement react-compiler rule (#23202) (Boshen)
  • dd560ae linter/unicorn: Implement no-array-fill-with-reference-type rule (#23397) (Mikhail Baev)
  • af36c2f linter: Add schema for react/jsx-curly-brace-presence (#23400) (WaterWhisperer)
  • 47d34a3 linter: Add schema for react/jsx-handler-names (#23393) (WaterWhisperer)
  • f4250d0 linter: Add schema for unicorn/import-style (#23386) (WaterWhisperer)
  • 30c74ce linter: Add schema for jsx_a11y/no-noninteractive-element-to-interactive-role (#23384) (Sysix)
  • cfbe8dc linter: Add schema for jsx_a11y/no-interactive-element-to-noninteractive-role (#23382) (WaterWhisperer)
  • d15b7ff linter: Add schema for typescript/no-restricted-types (#23381) (WaterWhisperer)
  • 028a811 linter: Add schema for jsx-a11y/media-has-caption (#23377) (Sysix)
  • b3b1038 linter: Add schema for jsx-a11y/label-has-associated-control (#23376) (Sysix)
  • 7ada6b2 linter: Add schema for jsx_a11y/no-distracting-elements (#23379) (WaterWhisperer)
  • ee3dd49 linter: Add schema for jsx-a11y/img-redundant-alt (#23374) (Sysix)
  • df5f8dd linter: Add short descriptions to most lint rules. (#23365) (Connor Shea)
  • e3fd735 linter: Add schema for jsx_a11y/alt-text (#23369) (Sysix)
  • 0f2fff4 linter: Add schema for react/exhaustive-deps (#23372) (Mikhail Baev)
  • e3e4e10 linter: Add schema for react_perf/jsx-no-new-object-as-prop (#23368) (Mikhail Baev)
  • 9366d44 linter: Add schema for unicorn/prefer-at (#23366) (WaterWhisperer)
  • f57b55d linter: Add schema for typescript/array-type (#23355) (Sysix)
  • 0dcf912 linter: Add schema for typescript/ban-ts-comment (#23354) (Sysix)

... (truncated)

Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • 0dc2405 feat(linter): add schema for eslint/no-restricted-properties (#23619)
  • b638d0e feat(linter): add schema for node/callback-return (#23615)
  • 6d355ab refactor(linter): remove number_as_object_schema helper (#23614)
  • eb8bedc feat(linter): add schema for import/extensions (#23557)
  • 46f3625 feat(linter): implement node/no-sync rule (#23589)
  • 953c7b3 refactor(linter): make unicorn/numeric-separators-style options u32 (#23558)
  • b01739a feat(linter): add schema for unicorn/numeric-separators-style (#23554)
  • 68afd2a feat(linter/node): implement no-mixed-requires rule (#23539)
  • b08e9f5 refactor(linter): re-enable schema for `jsx_a11y/no-noninteractive-element-in...
  • Additional commits viewable in compare view

Updates stylelint from 17.12.0 to 17.13.0

Release notes

Sourced from stylelint's releases.

17.13.0

It fixes 3 bugs, including a false negative one.

  • Fixed: declaration-block-no-duplicate-properties false negatives for interleaved non-consecutive duplicates with ignore: ["consecutive-duplicates(-*)"] (#9324) (@​sarathfrancis90).
  • Fixed: selector-max-type false positives for nested selectors (#9319) (@​romainmenke).
  • Fixed: selector-type-no-unknown false positives for install (#9308) (@​Mouvedia).
Changelog

Sourced from stylelint's changelog.

17.13.0 - 2026-06-06

It fixes 3 bugs, including a false negative one.

  • Fixed: declaration-block-no-duplicate-properties false negatives for interleaved non-consecutive duplicates with ignore: ["consecutive-duplicates(-*)"] (#9324) (@​sarathfrancis90).
  • Fixed: selector-max-type false positives for nested selectors (#9319) (@​romainmenke).
  • Fixed: selector-type-no-unknown false positives for install (#9308) (@​Mouvedia).
Commits
  • 7fcee2b Release 17.13.0 (#9342)
  • 3b7287b Refactor to reuse shared utilities (#9337)
  • 8e889c3 Bump lint-staged from 17.0.4 to 17.0.5 (#9334)
  • a74aab4 Bump the stylelint-actions group with 5 updates (#9333)
  • 74c6448 Fix declaration-block-no-duplicate-properties false negatives for interleav...
  • 1cd26ac Skip changeset verification on fork PRs CI (#9331)

Bumps the npm-root group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [@double-great/stylelint-a11y](https://github.com/double-great/stylelint-a11y) | `3.4.14` | `3.4.15` |
| [eslint](https://github.com/eslint/eslint) | `10.4.0` | `10.5.0` |
| [eslint-plugin-security](https://github.com/eslint-community/eslint-plugin-security) | `4.0.0` | `4.0.1` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.101.0` | `2.102.0` |
| [jscpd](https://github.com/kucherenko/jscpd/tree/HEAD/rust/jscpd) | `4.2.4` | `5.0.10` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.52.0` | `0.56.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.67.0` | `1.71.0` |
| [stylelint](https://github.com/stylelint/stylelint) | `17.12.0` | `17.13.0` |
| [yauzl](https://github.com/thejoshwolfe/yauzl) | `3.3.1` | `3.4.0` |


Updates `@double-great/stylelint-a11y` from 3.4.14 to 3.4.15
- [Release notes](https://github.com/double-great/stylelint-a11y/releases)
- [Changelog](https://github.com/double-great/stylelint-a11y/blob/main/CHANGELOG.md)
- [Commits](double-great/stylelint-a11y@v3.4.14...v3.4.15)

Updates `eslint` from 10.4.0 to 10.5.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.0...v10.5.0)

Updates `eslint-plugin-security` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/eslint-community/eslint-plugin-security/releases)
- [Changelog](https://github.com/eslint-community/eslint-plugin-security/blob/main/CHANGELOG.md)
- [Commits](eslint-community/eslint-plugin-security@eslint-plugin-security-v4.0.0...eslint-plugin-security-v4.0.1)

Updates `fallow` from 2.101.0 to 2.102.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.101.0...v2.102.0)

Updates `jscpd` from 4.2.4 to 5.0.10
- [Release notes](https://github.com/kucherenko/jscpd/releases)
- [Changelog](https://github.com/kucherenko/jscpd/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kucherenko/jscpd/commits/v5.0.10/rust/jscpd)

Updates `oxfmt` from 0.52.0 to 0.56.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.56.0/npm/oxfmt)

Updates `oxlint` from 1.67.0 to 1.71.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.71.0/npm/oxlint)

Updates `stylelint` from 17.12.0 to 17.13.0
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/main/CHANGELOG.md)
- [Commits](stylelint/stylelint@17.12.0...17.13.0)

Updates `yauzl` from 3.3.1 to 3.4.0
- [Commits](thejoshwolfe/yauzl@3.3.1...3.4.0)

---
updated-dependencies:
- dependency-name: "@double-great/stylelint-a11y"
  dependency-version: 3.4.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-root
- dependency-name: eslint
  dependency-version: 10.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-root
- dependency-name: eslint-plugin-security
  dependency-version: 4.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-root
- dependency-name: fallow
  dependency-version: 2.102.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-root
- dependency-name: jscpd
  dependency-version: 5.0.10
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-root
- dependency-name: oxfmt
  dependency-version: 0.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-root
- dependency-name: oxlint
  dependency-version: 1.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-root
- dependency-name: stylelint
  dependency-version: 17.13.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-root
- dependency-name: yauzl
  dependency-version: 3.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-root
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 1, 2026
rlorenzo added 2 commits July 2, 2026 00:38
…ipts

- Resolve jscpd entry from the package manifest (v5 dropped bin/jscpd)
- Fix pre-commit clone filter for v5 scan-dir-relative :subformat paths
- Exclude Effort/Scripts one-off deploy scripts from duplication scans
- Disable no-implicit-globals/no-sync for scripts/** (CommonJS build scripts)
- brace-expansion 5.0.5 -> 5.0.6 (GHSA-jxxr-4gwj-5jf2, via eslint>minimatch)
- js-yaml 4.1.1 -> 4.2.0 (GHSA-h67p-54hq-rp68, via stylelint>cosmiconfig)

Lockfile-only npm audit fix; both transitive and dev-only. Audit now clean.
@codecov-commenter

Copy link
Copy Markdown

Bundle Report

Changes will increase total bundle size by 799 bytes (0.04%) ⬆️. This is within the configured threshold ✅

Detailed changes
Bundle name Size Change
viper-frontend-esm 2.12MB 799 bytes (0.04%) ⬆️

Affected Assets, Files, and Routes:

view changes for bundle: viper-frontend-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
assets/schedule-*.js 671 bytes 49.72kB 1.37%
assets/ClinicianScheduleView-*.js 42 bytes 18.91kB 0.22%
assets/ClinicalSchedulerHome-*.js 86 bytes 3.47kB 2.54%

@codecov-commenter

codecov-commenter commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.65%. Comparing base (ae61c44) to head (e234730).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #237      +/-   ##
==========================================
+ Coverage   44.58%   44.65%   +0.06%     
==========================================
  Files         896      897       +1     
  Lines       51733    51890     +157     
  Branches     4834     4868      +34     
==========================================
+ Hits        23063    23169     +106     
- Misses      28098    28141      +43     
- Partials      572      580       +8     
Flag Coverage Δ
backend 44.71% <ø> (+0.02%) ⬆️
frontend 43.41% <ø> (+1.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repo’s root npm dev-tooling dependencies (lint/format/duplication/security tooling) and adjusts internal scripts/config to remain compatible with the upgraded toolchain—most notably the jscpd v5 CLI entrypoint change.

Changes:

  • Bump root devDependencies including jscpd (v4 → v5), eslint, oxlint/oxfmt, stylelint, and others, and refresh package-lock.json.
  • Update jscpd runner scripts to resolve the CLI entry via jscpd/package.json instead of a hardcoded path.
  • Adjust jscpd output filtering for v5 clone-name formatting and update .oxlintrc.json / .jscpd.json to account for new rules and ignore patterns.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
scripts/lint-staged-jscpd.js Switches to resolved jscpd entrypoint and normalizes v5 clone names for staged-file scoping.
scripts/lib/jscpd-entry.js Adds a shared helper to locate the installed jscpd CLI entry script via the package manifest.
scripts/audit-jscpd.js Updates whole-project jscpd audit to use the resolved entrypoint.
scripts/audit-jscpd-regression.js Updates CI regression runner to use the resolved entrypoint; minor comment tweak.
package.json Bumps devDependencies for linting/formatting/duplication tooling.
package-lock.json Regenerates lockfile for the dependency updates (including jscpd v5 + platform bins).
.oxlintrc.json Disables newly-introduced rules for scripts/**/* to keep intended sync-script patterns allowed.
.jscpd.json Adds an ignore entry for **/Effort/Scripts/** to exclude that subtree from duplication scans.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants