chore(deps): bump KooshaPari/phenoShared/.github/workflows/ci.yml from 438e2e71e448c9f1f47f184d3ca4acbb28928677 to 58a298df8b37765e3d04ff975de22d3dd88bfbd9 by dependabot[bot] · Pull Request #81 · KooshaPari/PhenoProject

dependabot · 2026-06-07T09:02:58Z

Bumps KooshaPari/phenoShared/.github/workflows/ci.yml from 438e2e71e448c9f1f47f184d3ca4acbb28928677 to 58a298df8b37765e3d04ff975de22d3dd88bfbd9.

Changelog

Sourced from KooshaPari/phenoShared/.github/workflows/ci.yml's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.3.0] - 2026-03-28

Added

Event sourcing crate with event store abstractions and verification chain support

Policy engine crate structure for domain policy management

User journeys specification and workspace ergonomics requirements

Hexagonal architecture adapter crates for clean architecture support

@phenotype/docs shared VitePress theme integration

Fixed

EventSourcingError coercion in EventStore verify_chain method

Dead code warnings on StoredEvent.event_type field (kept for future projection support)

FFI utils unused imports causing cargo warnings

TDD test failures in domain layer modules

Cargo check, test, and doctest compatibility across shared crates

Changed

Migrated kitty-specs to docs/specs in AgilePlus format

Refined hexagonal architecture specification to language-agnostic format

Enhanced docs-site with VitePress 1.6 scaffold and verification harness

[0.2.0] - 2026-02

Added

Language-agnostic hexagonal architecture specification

Comparison matrix documentation (shared with phenotype-infrakit)

Governance files (CODEOWNERS, CI workflow)

VitePress docsite scaffolding with home page and sidebar configuration

CLAUDE.md project guidelines

Fixed

CI workflows to skip billable runner configurations

Workspace cargo check issues across all crates

[0.1.0] - 2026-01

Added

Initial phenotype-shared crate with foundational shared types

Domain layer with core entities and value objects

Repository pattern abstractions

FFI utilities for interop with C/C++ code

... (truncated)

Commits

58a298d chore(gitignore): adopt shared node template from phenotype-tooling (#167)
403be1d chore(phenoShared): lift ahead branch chore/phenoshared-merge-all-primitives-...
c3aee33 chore(phenoShared): align version drift (#163)
72b9c6c chore(deps): update tracing-opentelemetry requirement from 0.32 to 0.33
See full diff in compare view

dependabot · 2026-06-07T09:02:59Z

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

codeant-ai · 2026-06-07T09:03:03Z

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

kilo-code-bot · 2026-06-07T23:52:19Z

Code Review Summary

Status: No Issues Found | Recommendation: Merge

This PR updates the SHA reference for the reusable CI workflow from 438e2e7 to 72b9c6cb. This is a standard Dependabot workflow dependency update.

Notes:

SonarCloud quality gate passed with 0 new issues
Workflow file syntax is valid YAML
SHA pinning ensures reproducible builds
The comment in the file indicates this will eventually be re-pinned to a tag once PR docs(PhenoProject): add work-state header #85 merges in phenoShared

Files Reviewed (1 file)

.github/workflows/ci.yml - 0 issues (SHA pin update)

_{Reviewed by laguna-m.1-20260312:free · 493,342 tokens}

Bumps [KooshaPari/phenoShared/.github/workflows/ci.yml](https://github.com/kooshapari/phenoshared) from 438e2e71e448c9f1f47f184d3ca4acbb28928677 to 58a298df8b37765e3d04ff975de22d3dd88bfbd9. - [Release notes](https://github.com/kooshapari/phenoshared/releases) - [Changelog](https://github.com/KooshaPari/phenoShared/blob/main/CHANGELOG.md) - [Commits](https://github.com/kooshapari/phenoshared/compare/438e2e71e448c9f1f47f184d3ca4acbb28928677...58a298df8b37765e3d04ff975de22d3dd88bfbd9) --- updated-dependencies: - dependency-name: KooshaPari/phenoShared/.github/workflows/ci.yml dependency-version: 72b9c6cbdb24c49189b0e7c7395d874830d1ed87 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-06-12T09:28:51Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/lodash-es@4.17.23
	npm/tippy.js@6.3.7
	npm/unified@11.0.5
	npm/remark-gfm@4.0.1
	npm/remark-stringify@11.0.0
	npm/react@18.3.1
	npm/winston@3.17.0
	npm/uuid@9.0.1 ⏵ 13.0.0				⁺⁴⁰
	npm/typescript@5.8.3
	npm/react-dom@18.3.1

View full report

socket-security · 2026-06-12T09:28:53Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		High CVE: lodash vulnerable to Code Injection via `_.template` imports key names in npm `lodash-es` CVE: GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names (HIGH) Affected versions: >= 4.0.0 < 4.18.0 Patched version: 4.18.0 From: rust/Planify/apps/admin/package.json → `npm/lodash-es@4.17.23` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/lodash-es@4.17.23`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `path-to-regexp` vulnerable to Regular Expression Denial of Service via multiple route parameters CVE: GHSA-37ch-88jc-xwx2 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters (HIGH) Affected versions: < 0.1.13 Patched version: 0.1.13 From: `?` → `npm/path-to-regexp@0.1.12` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/path-to-regexp@0.1.12`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `typescript` License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: rust/Planify/apps/admin/package.json → `npm/typescript@5.8.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/typescript@5.8.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client CVE: GHSA-f269-vfmq-vjvj Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client (HIGH) Affected versions: >= 6.0.0 < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: `?` → `npm/@effect/platform-node@0.104.0` → `npm/undici@7.18.2` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/undici@7.18.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation CVE: GHSA-v9p9-hfj2-hcw8 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: `?` → `npm/@effect/platform-node@0.104.0` → `npm/undici@7.18.2` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/undici@7.18.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression CVE: GHSA-vrm6-8vpv-qv8q Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: `?` → `npm/@effect/platform-node@0.104.0` → `npm/undici@7.18.2` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/undici@7.18.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm `rimraf` Reason: Rimraf versions prior to v4 are no longer supported From: `?` → `npm/@storybook/react-webpack5@8.6.14` → `npm/rimraf@3.0.2` ℹ Read more on: This package \| This alert \| What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/rimraf@3.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

sonarqubecloud · 2026-06-12T09:29:33Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

dependabot · 2026-06-14T09:03:11Z

Superseded by #157.

dependabot Bot added the dependencies Pull requests updating dependencies label Jun 7, 2026

dependabot Bot requested a review from KooshaPari as a code owner June 7, 2026 09:02

dependabot Bot added the dependencies Pull requests updating dependencies label Jun 7, 2026

dependabot Bot force-pushed the dependabot/github_actions/KooshaPari/phenoShared/dot-github/workflows/ci.yml-72b9c6cbdb24c49189b0e7c7395d874830d1ed87 branch from 9850251 to a4318a9 Compare June 12, 2026 09:28

dependabot Bot closed this Jun 14, 2026

dependabot Bot deleted the dependabot/github_actions/KooshaPari/phenoShared/dot-github/workflows/ci.yml-72b9c6cbdb24c49189b0e7c7395d874830d1ed87 branch June 14, 2026 09:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump KooshaPari/phenoShared/.github/workflows/ci.yml from 438e2e71e448c9f1f47f184d3ca4acbb28928677 to 58a298df8b37765e3d04ff975de22d3dd88bfbd9#81

dependabot Bot commented on behalf of github Jun 7, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Jun 7, 2026

Uh oh!

codeant-ai Bot commented Jun 7, 2026

Uh oh!

kilo-code-bot Bot commented Jun 7, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Jun 12, 2026

Uh oh!

socket-security Bot commented Jun 12, 2026

Uh oh!

sonarqubecloud Bot commented Jun 12, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changelog

[Unreleased]

[0.3.0] - 2026-03-28

Added

Fixed

Changed

[0.2.0] - 2026-02

Added

Fixed

[0.1.0] - 2026-01

Added

Uh oh!

dependabot Bot commented on behalf of github Jun 7, 2026

Labels

Uh oh!

codeant-ai Bot commented Jun 7, 2026

Uh oh!

kilo-code-bot Bot commented Jun 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Summary

Uh oh!

socket-security Bot commented Jun 12, 2026

Uh oh!

socket-security Bot commented Jun 12, 2026

Uh oh!

sonarqubecloud Bot commented Jun 12, 2026

Quality Gate passed

Uh oh!

dependabot Bot commented on behalf of github Jun 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jun 7, 2026 •

edited

Loading

kilo-code-bot Bot commented Jun 7, 2026 •

edited

Loading